Diffstat (limited to '')
-rw-r--r-- templates/man7/crypto-policies.7.pot 1578
1 files changed, 1578 insertions, 0 deletions
diff --git a/templates/man7/crypto-policies.7.pot b/templates/man7/crypto-policies.7.pot
new file mode 100644
index 00000000..5c79a6d8
--- /dev/null
+++ b/templates/man7/crypto-policies.7.pot
@@ -0,0 +1,1578 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Free Software Foundation, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"POT-Creation-Date: 2024-02-15 17:57+0100\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: TH
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "CRYPTO-POLICIES"
+msgstr ""
+
+#. type: TH
+#: debian-unstable
+#, no-wrap
+msgid "08/24/2019"
+msgstr ""
+
+#. type: TH
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "crypto-policies"
+msgstr ""
+
+#. type: TH
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "\\ \""
+msgstr ""
+
+#. -----------------------------------------------------------------
+#. * MAIN CONTENT STARTS HERE *
+#. -----------------------------------------------------------------
+#. type: SH
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "NAME"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "crypto-policies - system-wide crypto policies overview"
+msgstr ""
+
+#. type: SH
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The security of cryptographic components of the operating system does not "
+"remain constant over time\\&. Algorithms, such as cryptographic hashing and "
+"encryption, typically have a lifetime, after which they are considered "
+"either too risky to use or plain insecure\\&. That means, we need to phase "
+"out such algorithms from the default settings or completely disable them if "
+"they could cause an irreparable problem\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"While in the past the algorithms were not disabled in a consistent way and "
+"different applications applied different policies, the system-wide crypto-"
+"policies followed by the crypto core components allow consistently "
+"deprecating and disabling algorithms system-wide\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"The individual policy levels (B<DEFAULT>, B<LEGACY>, B<FUTURE>, and B<FIPS>) "
+"are included in the B<crypto-policies(7)> package\\&. In the future, there "
+"will be also a mechanism for easy creation and deployment of policies "
+"defined by the system administrator or a third party vendor\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"For rationale, see B<RFC 7457> for a list of attacks taking advantage of "
+"legacy crypto algorithms\\&."
+msgstr ""
+
+#. type: SH
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "COVERED APPLICATIONS"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Crypto-policies apply to the configuration of the core cryptographic "
+"subsystems, covering B<TLS>, B<IKE>, B<IPSec>, B<DNSSec>, and B<Kerberos> "
+"protocols; i\\&.e\\&., the supported secure communications protocols on the "
+"base operating system\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Once an application runs in the operating system, it follows the default or "
+"selected policy and refuses to fall back to algorithms and protocols not "
+"within the policy, unless the user has explicitly requested the application "
+"to do so\\&. That is, the policy applies to the default behavior of "
+"applications when running with the system-provided configuration but the "
+"user can override it on an application-specific basis\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The policies currently provide settings for these applications and libraries:"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<BIND> DNS name server daemon"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<GnuTLS> TLS library"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<OpenJDK> runtime environment"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<Kerberos 5> library"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<Libreswan> IPsec and IKE protocol implementation"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<NSS> TLS library"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<OpenSSH> SSH2 protocol implementation"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<OpenSSL> TLS library"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<libssh> SSH2 protocol implementation"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"Applications using the above libraries and tools are covered by the "
+"cryptographic policies unless they are explicitly configured not to be so\\&."
+msgstr ""
+
+#. type: SH
+#: debian-unstable
+#, no-wrap
+msgid "PROVIDED POLICY LEVELS"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<LEGACY>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"This policy ensures maximum compatibility with legacy systems; it is less "
+"secure and it includes support for B<TLS 1\\&.0>, B<TLS 1\\&.1>, and B<SSH2> "
+"protocols or later\\&. The algorithms B<DSA>, B<3DES>, and B<RC4> are "
+"allowed, while B<RSA> and B<Diffie-Hellman> parameters are accepted if "
+"larger than 1023 bits\\&. The level provides at least 64-bit security\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"MACs: all B<HMAC> with B<SHA-1> or better + all modern MACs (B<Poly1305> "
+"etc\\&.)"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "Curves: all prime E<gt>= 255 bits (including Bernstein curves)"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "Signature algorithms: with B<SHA1> hash or better (B<DSA> allowed)"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"B<TLS> Ciphers: all available E<gt>= 112-bit key, E<gt>= 128-bit block "
+"(including B<RC4> and B<3DES>)"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "Non-TLS Ciphers: same as B<TLS> ciphers with added B<Camellia>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "Key exchange: B<ECDHE>, B<RSA>, B<DHE>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<DH> params size: E<gt>= 1023"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<RSA> keys size: E<gt>= 1023"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<DSA> params size: E<gt>= 1023"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<TLS> protocols: B<TLS> E<gt>= 1\\&.0, B<DTLS> E<gt>= 1\\&.0"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<DEFAULT>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"The B<DEFAULT> policy is a reasonable default policy for today\\(cqs "
+"standards\\&. It allows the B<TLS 1\\&.0>, B<TLS 1\\&.1>, B<TLS 1\\&.2>, and "
+"B<TLS 1\\&.3> protocols, as well as B<IKEv2> and B<SSH2>\\&. The B<Diffie-"
+"Hellman> parameters are accepted if they are at least 1023 bits long\\&. The "
+"level provides at least 80-bit security\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "Signature algorithms: with B<SHA-1> hash or better (no B<DSA>)"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<TLS> Ciphers: E<gt>= 128-bit key, E<gt>= 128-bit block (B<AES>, "
+"B<ChaCha20>, including B<AES-CBC>)"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "non-TLS Ciphers: as B<TLS> Ciphers with added B<Camellia>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "key exchange: B<ECDHE>, B<RSA>, B<DHE> (no B<DHE-DSS>)"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<RSA> keys size: E<gt>= 2048"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<NEXT>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"The B<NEXT> policy is a policy prepared for the upcoming release of the "
+"operating system so it can be easily tested\\&. It allows the B<TLS 1\\&.2> "
+"and B<TLS 1\\&.3> protocols, as well as B<IKEv2> and B<SSH2>\\&. The B<RSA> "
+"and B<Diffie-Hellman> parameters are accepted if larger than 2047 bits\\&. "
+"The level provides at least 112-bit security with the exception of B<SHA-1> "
+"signatures needed for B<DNSSec> and other still prevalent legacy use of "
+"B<SHA-1> signatures\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<DH> params size: E<gt>= 2048"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<TLS> protocols: B<TLS> E<gt>= 1\\&.2, B<DTLS> E<gt>= 1\\&.2"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<FUTURE>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"A conservative security level that is believed to withstand any near-term "
+"future attacks\\&. This level does not allow the use of B<SHA-1> in "
+"signature algorithms\\&. The level also provides some (not complete) "
+"preparation for post-quantum encryption support in form of 256-bit symmetric "
+"encryption requirement\\&. The B<RSA> and B<Diffie-Hellman> parameters are "
+"accepted if larger than 3071 bits\\&. The level provides at least 128-bit "
+"security\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"MACs: all B<HMAC> with B<SHA-256> or better + all modern MACs (B<Poly1305> "
+"etc\\&.)"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "Signature algorithms: with B<SHA-256> hash or better (no B<DSA>)"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<TLS> Ciphers: E<gt>= 256-bit key, E<gt>= 128-bit block, only Authenticated "
+"Encryption (AE) ciphers"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"non-TLS Ciphers: same as B<TLS> ciphers with added non AE ciphers and "
+"B<Camellia>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "key exchange: B<ECDHE>, B<DHE> (no B<DHE-DSS>, no B<RSA>)"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<DH> params size: E<gt>= 3072"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<RSA> keys size: E<gt>= 3072"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<FIPS>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"A level that conforms to the B<FIPS 140-2> requirements\\&. This policy is "
+"used internally by the B<fips-mode-setup(8)> tool which can switch the "
+"system into the B<FIPS 140-2> compliance mode\\&. The level provides at "
+"least 112-bit security\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "MACs: all B<HMAC> with B<SHA1> or better"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "Curves: all prime E<gt>= 256 bits"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<TLS> Ciphers: E<gt>= 128-bit key, E<gt>= 128-bit block (B<AES>, including "
+"B<AES-CBC>)"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "non-TLS Ciphers: same as B<TLS> Ciphers"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<RSA> params size: E<gt>= 2048"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<EMPTY>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"All cryptographic algorithms are disabled (used for debugging only, do not "
+"use)\\&."
+msgstr ""
+
+#. type: SH
+#: debian-unstable
+#, no-wrap
+msgid "CRYPTO POLICY DEFINITON FORMAT"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"The crypto policy definiton files have a simple syntax following an B<INI> "
+"file B<key> = B<value> syntax with these particular features:"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Comments are indicated by I<#> character\\&. Everything on the line "
+"following the character is ignored\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Backslash I<\\e> character followed immediately with the end-of-line "
+"character indicates line continuation\\&. The following line is concatenated "
+"to the current line after the backslash and end-of-line characters are "
+"removed\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"Value types can be either decimal integers, arbitrary strings, or lists of "
+"strings without whitespace characters separated by any number of "
+"whitespaces\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "The allowed keys are:"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<mac>: List of allowed MAC algorithms"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<group>: List of allowed groups or elliptic curves for key exchanges"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<hash>: List of allowed cryptographic hash (message digest) algorithms"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<sign>: List of allowed signature algorithms"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"B<tls_cipher>: List of allowed symmetric encryption algorithms (including "
+"the modes) for use with the TLS protocol"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<cipher>: List of allowed symmetric encryption algorithms (including the "
+"modes) for use with other protocols"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<key_exchange>: List of allowed key exchange algorithms"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<protocol>: List of allowed TLS and DTLS protocol versions"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<ike_protocol>: List of allowed IKE protocol versions"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<min_tls_version>: Lowest allowed TLS protocol version"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<min_dtls_version>: Lowest allowed DTLS protocol version"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<min_dh_size>: Integer value of minimum number of bits of parameters for "
+"B<DH> key exchange"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<min_dsa_size>: Integer value of minimum number of bits for B<DSA> keys"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<min_rsa_size>: Integer value of minimum number of bits for B<RSA> keys"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<sha1_in_certs>: Value of 1 if B<SHA1> allowed in certificate signatures, 0 "
+"otherwise (Applies to B<GnuTLS> back end only\\&.)"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"The full policy definition files have suffix I<\\&.pol>, the policy module "
+"definition files have suffix I<\\&.pmod>\\&. The policy module files do not "
+"have to have values set for all the keys listed above\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"The lists as set in the base (full policy) are modified by the lists "
+"specified in the module files in following way:"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"B<->I<list-item>: The I<list-item> is removed from the list specified in the "
+"base policy\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"B<+>I<list-item>: The I<list-item> is inserted at the beginning of the list "
+"specified in the base policy\\&. The inserts are done in the order of "
+"appearance in the policy module file so the actual order in the final list "
+"will be reversed\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"I<list-item> or I<list-item>B<+>: The list-item is appended to the end of "
+"the list specified in the base policy\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"Non-list key values in the policy module files are simply overridden\\&."
+msgstr ""
+
+#. type: SH
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "COMMANDS"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<update-crypto-policies(8)>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"This command manages the policies available to the various cryptographic "
+"back ends and allows the system administrator to change the active "
+"cryptographic policy level\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<fips-mode-setup(8)>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"This command allows the system administrator to enable, or disable the "
+"system FIPS mode and also apply the B<FIPS> cryptographic policy level which "
+"limits the allowed algorithms and protocols to these allowed by the FIPS "
+"140-2 requirements\\&."
+msgstr ""
+
+#. type: SH
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "NOTES"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<Exceptions:>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<Go-language> applications do not yet follow the system-wide policy\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<GnuPG-2> application does not follow the system-wide policy\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"In general only the data-in-transit is currently covered by the system-wide "
+"policy\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"If the system administrator changes the system-wide policy level with the "
+"B<update-crypto-policies(8)> command it is advisable to restart the system "
+"as the individual back-end libraries read the configuration files usually "
+"during their initialization\\&. The changes in the policy level thus take "
+"place in most cases only when the applications using the back-end libraries "
+"are restarted\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<Removed cipher suites and protocols>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The following cipher suites and protocols are completely removed from the "
+"core cryptographic libraries listed above:"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<DES>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "All export grade cipher suites"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<MD5> in signatures"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<SSLv2>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<SSLv3>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "All B<ECC> curves smaller than 224 bits"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "All binary field B<ECC> curves"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "B<Cipher suites and protocols disabled in all policy levels>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"The following ciphersuites and protocols are available but disabled in all "
+"crypto policy levels\\&. They can be enabled only by explicit configuration "
+"of individual applications:"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<DH> with parameters E<lt> 1024 bits"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<RSA> with key size E<lt> 1024 bits"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<Camellia>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<ARIA>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<SEED>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<IDEA>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "Integrity only ciphersuites"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<TLS> B<CBC mode> ciphersuites using B<SHA-384> HMAC"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<AES-CCM8>"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "all B<ECC> curves incompatible with B<TLS 1\\&.3>, including secp256k1"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<IKEv1>"
+msgstr ""
+
+#. type: SH
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "FILES"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "/etc/crypto-policies/back-ends"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"The individual cryptographical back-end configuration files\\&. Usually "
+"linked to the configuration shipped in the crypto-policies package unless a "
+"configuration from B<local\\&.d> is added\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "/etc/crypto-policies/config"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid "The active crypto-policies level set on the system\\&."
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "/etc/crypto-policies/local\\&.d"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable
+msgid ""
+"Additional configuration shipped by other packages or created by the system "
+"administrator\\&. The contents of the B<E<lt>back-endE<gt>-file\\&.config> "
+"is appended to the configuration from the policy back end as shipped in the "
+"crypto-policies package\\&."
+msgstr ""
+
+#. type: SH
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "SEE ALSO"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "update-crypto-policies(8), fips-mode-setup(8)"
+msgstr ""
+
+#. type: SH
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "AUTHOR"
+msgstr ""
+
+#. type: Plain text
+#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "Written by Tomáš Mráz\\&."
+msgstr ""
+
+#. type: TH
+#: fedora-40 fedora-rawhide
+#, no-wrap
+msgid "02/01/2024"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Several preconfigured policies (B<DEFAULT>, B<LEGACY>, B<FUTURE>, and "
+"B<FIPS>) and subpolicies are included in the B<crypto-policies(7)> "
+"package\\&. System administrators or third-party vendors can define custom "
+"policies and subpolicies\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The recommended way to modify the effective configuration is to apply a "
+"custom subpolicy on top of a predefined policy\\&. This allows configuration "
+"to evolve with future updates of the predefined policies keeping desired "
+"modification in place\\&. Modifying effective configuration by defining a "
+"fully custom policy prevents the configuration from evolving with future "
+"updates of the predefined policies\\&. The syntax to define custom policies "
+"and subpolicies is described in the CRYPTO POLICY DEFINITION FORMAT section "
+"below\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<BIND> DNS name server daemon (scopes: B<BIND>, B<DNSSec>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<GnuTLS> TLS library (scopes: B<GnuTLS>, B<SSL>, B<TLS>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<OpenJDK> runtime environment (scopes: B<java-tls>, B<SSL>, B<TLS>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<Kerberos 5> library (scopes: B<krb5>, B<Kerberos>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<Libreswan> IPsec and IKE protocol implementation (scopes: B<libreswan>, "
+"B<IPSec>, B<IKE>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<NSS> TLS library (scopes: B<NSS>, B<SSL>, B<TLS>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<OpenSSH> SSH2 protocol implementation (scopes: B<OpenSSH>, B<SSH>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<OpenSSL> TLS library (scopes: B<OpenSSL>, B<SSL>, B<TLS>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<libssh> SSH2 protocol implementation (scopes: B<libssh>, B<SSH>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<sequoia> PGP implementation, for usage outside of rpm-sequoia (scopes: "
+"B<sequoia>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<rpm-sequoia> RPM Sequoia PGP backend (scopes: B<rpm>, B<rpm-sequoia>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Applications using the above libraries and tools are covered by the "
+"cryptographic policies unless they are explicitly configured otherwise\\&."
+msgstr ""
+
+#. type: SH
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "PROVIDED POLICIES"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"This policy ensures maximum compatibility with legacy systems; it is less "
+"secure and it includes support for B<TLS 1\\&.0>, B<TLS 1\\&.1>, and B<SSH2> "
+"protocols or later\\&. The algorithms B<DSA> and B<3DES> are allowed, while "
+"B<RSA> and B<Diffie-Hellman> parameters are accepted if larger than 1024 "
+"bits\\&. This policy provides at least 64-bit security\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<TLS> Ciphers: all available E<gt>= 112-bit key, E<gt>= 128-bit block "
+"(including B<3DES>, excluding B<RC4>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<DH> params size: E<gt>= 1024"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<RSA> keys size: E<gt>= 1024"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<DSA> params size: E<gt>= 1024"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The B<DEFAULT> policy is a reasonable default policy for today\\(cqs "
+"standards\\&. It allows the B<TLS 1\\&.2>, and B<TLS 1\\&.3> protocols, as "
+"well as B<IKEv2> and B<SSH2>\\&. The B<Diffie-Hellman> parameters are "
+"accepted if they are at least 2048 bits long\\&. This policy provides at "
+"least 112-bit security with the exception of allowing B<SHA-1> signatures in "
+"DNSSec where they are still prevalent\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "Signature algorithms: with B<SHA-224> hash or better (no B<DSA>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "The B<NEXT> policy is just an alias to the B<DEFAULT> policy\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"A conservative security policy that is believed to withstand any near-term "
+"future attacks at the expense of interoperability\\&. It may prevent "
+"communication with many commonly used systems that only offer weaker "
+"security\\&. This policy does not allow the use of B<SHA-1> in signature "
+"algorithms\\&. The policy also provides some (not complete) preparation for "
+"post-quantum encryption support in form of 256-bit symmetric encryption "
+"requirement\\&. The B<RSA> and B<Diffie-Hellman> parameters are accepted if "
+"larger than 3071 bits\\&. This policy provides at least 128-bit security\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<BSI>"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"A security policy based on recommendations by the german government agency "
+"BSI (Bundesamt fuer Sicherheit in der Informationstechnik, translated as "
+"\"agency for security in software technology\") in its ruleset BSI TR 02102 "
+"(TR - technical recommendation)\\&. The BSI TR 02102 standard is updated in "
+"regular intervals\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"This policy does not allow the use of *SHA-1* in signature algorithms\n"
+"(except *DNSSEC* and *RPM*)\\&.\n"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"The policy also provides some (not complete) preparation for\n"
+"post-quantum encryption support in form of 256-bit symmetric encryption\n"
+"requirement\\&.\n"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"The *RSA* parameters are accepted if larger than 2047 bits, and\n"
+"*Diffie-Hellman* parameters are accepted if larger than 3071 bits\\&.\n"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"This policy provides at least 128-bit security, excepting the transition\n"
+"of *RSA*\\&.\n"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "MACs: all B<HMAC> with B<SHA-256> or better + all modern MACs"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "non-TLS Ciphers: same as B<TLS> ciphers with added non AE ciphers"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<RSA> keys size: E<gt>= 2048 (until end of 2023, then it will switch to "
+"3072)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid ""
+"Note that compared to others profiles *Chacha20* and *Camellia* are not\n"
+"recommended by the BSI\\&.\n"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"A policy to aid conformance to the B<FIPS 140> requirements\\&. This policy "
+"is used internally by the B<fips-mode-setup(8)> tool which can switch the "
+"system into the B<FIPS 140> mode\\&. This policy provides at least 112-bit "
+"security\\&."
+msgstr ""
+
+#. type: SH
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "CRYPTO POLICY DEFINITION FORMAT"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The crypto policy definition files have a simple syntax following an B<INI> "
+"file I<key> = I<value> syntax with these particular features:"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Value types for integer options can be decimal integers (I<option = 1>)\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Multiple-choice options can be specified by setting them to a list of values "
+"(I<option = value1 value2>)\\&. This list can further be altered by "
+"prepending/omitting/appending values (I<option = >I<prepended -omitted "
+"appended>)\\&. A follow-up reassignment will reset the list\\&. The latter "
+"syntax cannot be combined with the former one in the same directive\\&. "
+"Setting an option to an empty list is possible with I<option =>\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Asterisk sign can be used for wildcard matching as a shortcut for specifying "
+"multiple values when setting multiple-choice options\\&. Note that wildcard "
+"matching can lead to future updates implicitly enabling algorithms not yet "
+"available in the current version\\&. If this is a concern, do not use "
+"wildcard-matching outside of algorithm-omitting directives\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"In order to limit the scope of the directive and make it affect just some of "
+"the backends, the following extended syntax can be used: I<option@scope = "
+"\\&...>, I<option@{scope1,scope2,\\&...} = \\&...>\\&. Negation of scopes is "
+"possible with I<option@!scope> / \\*(Aqoption@{scope1,scope2,\\&...}\\&. "
+"Scope selectors are case-insensitive\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "The available options are:"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<group>: List of allowed groups or elliptic curves for key exchanges for "
+"use with other protocols"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<protocol>: List of allowed TLS, DTLS and IKE protocol versions; mind that "
+"some backends do not allow selectively disabling protocols versions and only "
+"use the oldest version as the lower boundary\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<arbitrary_dh_groups>: Value of 1 if arbitrary group in B<Diffie-Hellman> "
+"is allowed, 0 otherwise"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<ssh_certs>: Value of 1 if B<OpenSSH> certificate authentication is "
+"allowed, 0 otherwise"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"B<etm>: B<ANY>/B<DISABLE_ETM>/B<DISABLE_NON_ETM> allows both EtM (Encrypt-"
+"then-Mac) and E&M (Encrypt-and-Mac), disables EtM, and disables E&M "
+"respectively\\&. (Currently only implemented for SSH, do not use without "
+"B<@SSH> scope\\&.)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Full policy definition files have suffix \\&.pol, subpolicy files have "
+"suffix \\&.pmod\\&. Subpolicies do not have to have values set for all the "
+"keys listed above\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The effective configuration of a policy with subpolicies applied is the same "
+"as a configuration from a single policy obtained by concatenating the policy "
+"and the subpolicies in question\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<Policy file placement and naming:>"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The policy files shipped in packages are placed in /usr/share/crypto-"
+"policies/policies and the subpolicies in /usr/share/crypto-policies/policies/"
+"modules\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Locally configured policy files should be placed in /etc/crypto-policies/"
+"policies and subpolicies in /etc/crypto-policies/policies/modules\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The policy and subpolicy files must have names in upper-case except for the "
+"\\&.pol and \\&.pmod suffix as the update-crypto-policies command always "
+"converts the policy name to upper-case before searching for the policy on "
+"the filesystem\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"This command manages the policies available to the various cryptographic "
+"back ends and allows the system administrator to change the active "
+"cryptographic policy\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"This command allows the system administrator to enable, or disable the "
+"system FIPS mode and also apply the B<FIPS> cryptographic policy which "
+"limits the allowed algorithms and protocols to these allowed by the FIPS 140 "
+"requirements\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<Known notable exceptions>"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"If the system administrator changes the system-wide policy with the B<update-"
+"crypto-policies(8)> command it is advisable to restart the system as the "
+"individual back-end libraries read the configuration files usually during "
+"their initialization\\&. The changes in the policy thus take place in most "
+"cases only when the applications using the back-end libraries are "
+"restarted\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<Cipher suites and protocols disabled in all predefined policies>"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The following ciphersuites and protocols are available but disabled in all "
+"predefined crypto policies:"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<RC4>"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "B<Notable irregularities in the individual configuration generators>"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<OpenSSL> and B<NSS>: Disabling all TLS and/or all DTLS versions isn\\(cqt "
+"actually possible\\&. Trying to do so will result in the library defaults "
+"being applied instead\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<OpenSSL>: The minimum length of the keys and some other parameters are "
+"enforced by the @SECLEVEL value which does not provide a fine "
+"granularity\\&. The list of B<TLS> ciphers is not generated as an exact list "
+"but by subtracting from all the supported ciphers for the enabled key "
+"exchange methods\\&. For that reason there is no way to disable a random "
+"cipher\\&. In particular all B<AES-128> ciphers are disabled if the "
+"B<AES-128-GCM> is not present in the list; all B<AES-256> ciphers are "
+"disabled if the B<AES-256-GCM> is not present\\&. The B<CBC> ciphers are "
+"disabled if there isn\\(cqt B<HMAC-SHA1> in the hmac list and B<AES-256-CBC> "
+"in the cipher list\\&. To disable the B<CCM> ciphers both B<AES-128-CCM> and "
+"B<AES-256-CCM> must not be present in the cipher list\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<GnuTLS>: The minimum length of the keys and some other parameters are "
+"enforced by min-verification-profile setting in the B<GnuTLS> configuration "
+"file which does not provide fine granularity\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<GnuTLS>: PSK key exchanges have to be explicitly enabled by the "
+"applications using them\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<GnuTLS>: HMAC-SHA2-256 and HMAC-SHA2-384 MACs are disabled due to concerns "
+"over the constant-timedness of the implementation\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<OpenSSH>: B<DH> group 1 is always disabled on server even if the policy "
+"allows 1024 bit B<DH> groups in general\\&. The OpenSSH configuration option "
+"HostKeyAlgorithms is set only for the B<SSH> server as otherwise the "
+"handling of the existing known hosts entries would be broken on client\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<Libreswan>: The B<key_exchange> parameter does not affect the generated "
+"configuration\\&. The use of regular B<DH> or B<ECDH> can be limited with "
+"appropriate setting of the B<group> parameter\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<Sequoia>: only B<hash_algorithms>, B<symmetric_algorithms> and "
+"B<asymmetric_algorithms> are controlled by crypto-policies\\&. "
+"B<asymmetric_algorithms> is not controlled directly, but deduced from "
+"B<sign> and B<group>\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<NSS>: order of B<group> values is ignored and built-in order is used "
+"instead\\&."
+msgstr ""
+
+#. type: SH
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+#, no-wrap
+msgid "HISTORY"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The B<ECDHE-GSS> and B<DHE-GSS> algorithms are newly introduced and must be "
+"specified in the base policy for the SSH GSSAPI key exchange methods to be "
+"enabled\\&. Previously the legacy SSH GSSAPI key exchange methods were "
+"automatically enabled when the B<SHA1> hash and B<DH> parameters of at least "
+"2048 bits were enabled\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Before the introduction of the B<custom crypto policies> support it was "
+"possible to have an completely arbitrary crypto policy created as a set of "
+"arbitrary back-end config files in /usr/share/crypto-policies/"
+"E<lt>POLICYNAMEE<gt> directory\\&. With the introduction of the B<custom "
+"crypto policies> it is still possible but there must be an empty (possibly "
+"with any comment lines) E<lt>POLICYNAMEE<gt>\\&.pol file in /usr/share/"
+"crypto-policies/policies so the update-crypto-policies command can recognize "
+"the arbitrary custom policy\\&. No subpolicies must be used with such an "
+"arbitrary custom policy\\&. Modifications from B<local\\&.d> will be "
+"appended to the files provided by the policy\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The use of the following historaically available options is discouraged:"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<min_tls_version>: Lowest allowed TLS protocol version (recommended "
+"replacement: B<protocol@TLS>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<min_dtls_version>: Lowest allowed DTLS protocol version (recommended "
+"replacement: B<protocol@TLS>)"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "The following options are deprecated, please rewrite your policies:"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<ike_protocol>: List of allowed IKE protocol versions (recommended "
+"replacement: B<protocol@IKE>, mind the relative position to other "
+"B<protocol> directives)\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<tls_cipher>: list of allowed symmetric encryption algorithms for use with "
+"the TLS protocol (recommended replacement: B<cipher@TLS>, mind the relative "
+"position to other B<cipher> directives)\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<ssh_cipher>: list of allowed symmetric encryption algorithms for use with "
+"the SSH protocol (recommended replacement: B<cipher@SSH>, mind the relative "
+"position to other B<cipher> directives)\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<ssh_group>: list of allowed groups or elliptic curves for key exchanges "
+"for use with the SSH protocol (recommended replacement: B<group@SSH>, mind "
+"the relative position to other B<group> directives)\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"B<sha1_in_dnssec>: Allow B<SHA1> usage in DNSSec protocol even if it is not "
+"present in the B<hash> and B<sign> lists (recommended replacements: "
+"B<hash@DNSSec>, B<sign@DNSSec>)\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron
+msgid ""
+"B<ssh_etm>: Value of 1 if B<OpenSSH> EtM (encrypt-then-mac) extension is "
+"allowed, 0 otherwise\\&. Use B<etm@SSH> instead\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"The individual cryptographical back-end configuration files\\&. Usually "
+"linked to the configuration shipped in the crypto-policies package unless a "
+"configuration from local\\&.d is added\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"A file containing the name of the active crypto-policy set on the system\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Additional configuration shipped by other packages or created by the system "
+"administrator\\&. The contents of the E<lt>back-endE<gt>-file\\&.config is "
+"appended to the configuration from the policy back end as shipped in the "
+"crypto-policies package\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "/usr/share/crypto-policies/policies"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "System policy definition files\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "/usr/share/crypto-policies/policies/modules"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "System subpolicy definition files\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "/etc/crypto-policies/policies"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Custom policy definition files as configured by the system administrator\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "/etc/crypto-policies/policies/modules"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid ""
+"Custom subpolicy definition files as configured by the system "
+"administrator\\&."
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "/usr/share/crypto-policies/E<lt>\\*(AqPOLICYNAME\\*(AqE<gt>"
+msgstr ""
+
+#. type: Plain text
+#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
+msgid "Pre-generated back-end configurations for policy I<POLICYNAME>\\&."
+msgstr ""
+
+#. type: TH
+#: mageia-cauldron
+#, no-wrap
+msgid "11/28/2023"
+msgstr ""
+
+#. type: TH
+#: opensuse-tumbleweed
+#, no-wrap
+msgid "09/22/2023"
+msgstr ""
+
+#. type: Plain text
+#: opensuse-tumbleweed
+msgid ""
+"B<ssh_etm>: Value of 1 if B<OpenSSH> EtM (encrypt-then-mac) extension is "
+"allowed, 0 otherwise"
+msgstr ""
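Review bot: the scope-negation msgid (the entry beginning "In order to limit the scope of the directive") carries a malformed syntax example. Its second form reads "\\*(Aqoption@{scope1,scope2,\\&...}" with an opening quote escape that is never closed and without the "!" that the first form "I<option@!scope>" has, so every translation will reproduce a negation example that does not negate. Because this template is extracted from the man page sources, the fix belongs in the source page followed by a regeneration, not in a hand edit of the .pot. The same applies to three smaller points in this hunk: "historaically" in the discouraged-options entry, "an completely arbitrary" in the HISTORY entry on custom crypto policies, and the BSI entries marked no-wrap, which carry literal asterisks ("*SHA-1*", "*RSA*", "*Diffie-Hellman*", "*Chacha20*") where every other entry uses B<...>, so the algorithm names in that policy's SHA-1 and key-size statements will render unformatted and unwrapped.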