Package has no effect on system crypto policy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
crypto-policies (Ubuntu) | Won't Fix | High | Andreas Hasenack |
Bug Description
The crypto-policies package's description is "unify the crypto policies used by different applications and libraries". Its README.md says "The current implementations works by setting the desired policy in /etc/crypto-
This information is misleading, because the crypto-policies package doesn't seem to have any effect on the system's crypto policies. Running update-
The update-
To reproduce:
1) update-
2) curl https:/
The curl should fail, since EMPTY mode is supposed to disable all ciphers, but it will succeed.
I think this package should be removed as misleading and dangerous, or at least equipped with warnings stating that it will not do anything unless the user manually changes all of their system configuration files to reference those in /etc/crypto-
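The reporter's point is that the generated policy snippets only matter if an application's configuration actually references them. The following audit helper is an added example, not code from the bug report or from the crypto-policies project; it checks whether an OpenSSL-style config includes the back-end snippet via OpenSSL's `.include` directive. The directory `/etc/crypto-policies/back-ends` and the file name `opensslcnf.config` are assumed from the upstream layout, since the report truncates the path, and the two config texts are constructed samples.

```python
import re
from pathlib import PurePosixPath

# Assumed upstream location of the generated back-end snippets
# (the bug report truncates the path).
BACKEND_DIR = "/etc/crypto-policies/back-ends"

# OpenSSL (>= 1.1.1) honours ".include <path>" lines in openssl.cnf;
# the "=" form is also accepted, so match both.
_INCLUDE_RE = re.compile(r"^\s*\.include\s*(?:=\s*)?(\S+)", re.MULTILINE)

# Constructed sample: a stock openssl.cnf that never references crypto-policies.
STOCK_OPENSSL_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT
"""

# Constructed sample: the same file after wiring in the back-end snippet.
WIRED_OPENSSL_CNF = """\
openssl_conf = default_conf
.include /etc/crypto-policies/back-ends/opensslcnf.config
"""


def policy_is_wired(app_config_text: str, backend_file: str) -> bool:
    """True if the config includes the crypto-policies back-end snippet,
    i.e. the selected policy can actually take effect for this application."""
    target = PurePosixPath(BACKEND_DIR, backend_file)
    return any(PurePosixPath(m.group(1)) == target
               for m in _INCLUDE_RE.finditer(app_config_text))


def audit(configs: dict, backend_file: str) -> dict:
    """Map each config name to whether it references the back-end snippet."""
    return {name: policy_is_wired(text, backend_file)
            for name, text in configs.items()}


if __name__ == "__main__":
    report = audit({"stock openssl.cnf": STOCK_OPENSSL_CNF,
                    "wired openssl.cnf": WIRED_OPENSSL_CNF}, "opensslcnf.config")
    for name, wired in report.items():
        print(f"{name}: {'honours policy' if wired else 'policy NOT applied'}")
```

On a real host, feed it the contents of the application's actual config files; a result of False means changing the policy with the update tool will not alter that application's behaviour, exactly the situation the report describes.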
I'm starting an effort in this 22.10 cycle to see what we can do with this package, and how to integrate it with Ubuntu.
While the package is working as intended, its claims are indeed false because the rest of the system is not aware of the generated configuration snippets that implement the chosen policy.
I will leave this bug open for now, while I decide what to do in this context, but I may close it in favor of bugs against the individual packages and applications to honor the policies set here. We will see. Perhaps in the meantime I can add the warning you suggested.