# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR Free Software Foundation, Inc.
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2024-06-01 05:46+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: TH
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "CRYPTO-POLICIES"
msgstr ""

#. type: TH
#: debian-unstable
#, no-wrap
msgid "08/24/2019"
msgstr ""

#. type: TH
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "crypto-policies"
msgstr ""

#. type: TH
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "\\ \""
msgstr ""

#.  -----------------------------------------------------------------
#.  * MAIN CONTENT STARTS HERE *
#.  -----------------------------------------------------------------
#. type: SH
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "NAME"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "crypto-policies - system-wide crypto policies overview"
msgstr ""

#. type: SH
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "DESCRIPTION"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The security of cryptographic components of the operating system does not "
"remain constant over time\\&. Algorithms, such as cryptographic hashing and "
"encryption, typically have a lifetime, after which they are considered "
"either too risky to use or plain insecure\\&. That means, we need to phase "
"out such algorithms from the default settings or completely disable them if "
"they could cause an irreparable problem\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"While in the past the algorithms were not disabled in a consistent way and "
"different applications applied different policies, the system-wide crypto-"
"policies followed by the crypto core components allow consistently "
"deprecating and disabling algorithms system-wide\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The individual policy levels (B<DEFAULT>, B<LEGACY>, B<FUTURE>, and B<FIPS>) "
"are included in the B<crypto-policies(7)> package\\&. In the future, there "
"will be also a mechanism for easy creation and deployment of policies "
"defined by the system administrator or a third party vendor\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"For rationale, see B<RFC 7457> for a list of attacks taking advantage of "
"legacy crypto algorithms\\&."
msgstr ""

#. type: SH
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "COVERED APPLICATIONS"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Crypto-policies apply to the configuration of the core cryptographic "
"subsystems, covering B<TLS>, B<IKE>, B<IPSec>, B<DNSSec>, and B<Kerberos> "
"protocols; i\\&.e\\&., the supported secure communications protocols on the "
"base operating system\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Once an application runs in the operating system, it follows the default or "
"selected policy and refuses to fall back to algorithms and protocols not "
"within the policy, unless the user has explicitly requested the application "
"to do so\\&. That is, the policy applies to the default behavior of "
"applications when running with the system-provided configuration but the "
"user can override it on an application-specific basis\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The policies currently provide settings for these applications and libraries:"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<BIND> DNS name server daemon"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<GnuTLS> TLS library"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<OpenJDK> runtime environment"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<Kerberos 5> library"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<Libreswan> IPsec and IKE protocol implementation"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<NSS> TLS library"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<OpenSSH> SSH2 protocol implementation"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<OpenSSL> TLS library"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<libssh> SSH2 protocol implementation"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Applications using the above libraries and tools are covered by the "
"cryptographic policies unless they are explicitly configured not to be so\\&."
msgstr ""

#. type: SH
#: debian-unstable
#, no-wrap
msgid "PROVIDED POLICY LEVELS"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<LEGACY>"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"This policy ensures maximum compatibility with legacy systems; it is less "
"secure and it includes support for B<TLS 1\\&.0>, B<TLS 1\\&.1>, and B<SSH2> "
"protocols or later\\&. The algorithms B<DSA>, B<3DES>, and B<RC4> are "
"allowed, while B<RSA> and B<Diffie-Hellman> parameters are accepted if "
"larger than 1023 bits\\&. The level provides at least 64-bit security\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"MACs: all B<HMAC> with B<SHA-1> or better + all modern MACs (B<Poly1305> "
"etc\\&.)"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "Curves: all prime E<gt>= 255 bits (including Bernstein curves)"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "Signature algorithms: with B<SHA1> hash or better (B<DSA> allowed)"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"B<TLS> Ciphers: all available E<gt>= 112-bit key, E<gt>= 128-bit block "
"(including B<RC4> and B<3DES>)"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "Non-TLS Ciphers: same as B<TLS> ciphers with added B<Camellia>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "Key exchange: B<ECDHE>, B<RSA>, B<DHE>"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<DH> params size: E<gt>= 1023"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<RSA> keys size: E<gt>= 1023"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<DSA> params size: E<gt>= 1023"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<TLS> protocols: B<TLS> E<gt>= 1\\&.0, B<DTLS> E<gt>= 1\\&.0"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<DEFAULT>"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The B<DEFAULT> policy is a reasonable default policy for today\\(cqs "
"standards\\&. It allows the B<TLS 1\\&.0>, B<TLS 1\\&.1>, B<TLS 1\\&.2>, and "
"B<TLS 1\\&.3> protocols, as well as B<IKEv2> and B<SSH2>\\&. The B<Diffie-"
"Hellman> parameters are accepted if they are at least 1023 bits long\\&. The "
"level provides at least 80-bit security\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "Signature algorithms: with B<SHA-1> hash or better (no B<DSA>)"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<TLS> Ciphers: E<gt>= 128-bit key, E<gt>= 128-bit block (B<AES>, "
"B<ChaCha20>, including B<AES-CBC>)"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "non-TLS Ciphers: as B<TLS> Ciphers with added B<Camellia>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "key exchange: B<ECDHE>, B<RSA>, B<DHE> (no B<DHE-DSS>)"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<RSA> keys size: E<gt>= 2048"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<NEXT>"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The B<NEXT> policy is a policy prepared for the upcoming release of the "
"operating system so it can be easily tested\\&. It allows the B<TLS 1\\&.2> "
"and B<TLS 1\\&.3> protocols, as well as B<IKEv2> and B<SSH2>\\&. The B<RSA> "
"and B<Diffie-Hellman> parameters are accepted if larger than 2047 bits\\&. "
"The level provides at least 112-bit security with the exception of B<SHA-1> "
"signatures needed for B<DNSSec> and other still prevalent legacy use of "
"B<SHA-1> signatures\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<DH> params size: E<gt>= 2048"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<TLS> protocols: B<TLS> E<gt>= 1\\&.2, B<DTLS> E<gt>= 1\\&.2"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<FUTURE>"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"A conservative security level that is believed to withstand any near-term "
"future attacks\\&. This level does not allow the use of B<SHA-1> in "
"signature algorithms\\&. The level also provides some (not complete) "
"preparation for post-quantum encryption support in form of 256-bit symmetric "
"encryption requirement\\&. The B<RSA> and B<Diffie-Hellman> parameters are "
"accepted if larger than 3071 bits\\&. The level provides at least 128-bit "
"security\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"MACs: all B<HMAC> with B<SHA-256> or better + all modern MACs (B<Poly1305> "
"etc\\&.)"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "Signature algorithms: with B<SHA-256> hash or better (no B<DSA>)"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<TLS> Ciphers: E<gt>= 256-bit key, E<gt>= 128-bit block, only Authenticated "
"Encryption (AE) ciphers"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"non-TLS Ciphers: same as B<TLS> ciphers with added non AE ciphers and "
"B<Camellia>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "key exchange: B<ECDHE>, B<DHE> (no B<DHE-DSS>, no B<RSA>)"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<DH> params size: E<gt>= 3072"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<RSA> keys size: E<gt>= 3072"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<FIPS>"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"A level that conforms to the B<FIPS 140-2> requirements\\&. This policy is "
"used internally by the B<fips-mode-setup(8)> tool which can switch the "
"system into the B<FIPS 140-2> compliance mode\\&. The level provides at "
"least 112-bit security\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "MACs: all B<HMAC> with B<SHA1> or better"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "Curves: all prime E<gt>= 256 bits"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<TLS> Ciphers: E<gt>= 128-bit key, E<gt>= 128-bit block (B<AES>, including "
"B<AES-CBC>)"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "non-TLS Ciphers: same as B<TLS> Ciphers"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<RSA> params size: E<gt>= 2048"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<EMPTY>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"All cryptographic algorithms are disabled (used for debugging only, do not "
"use)\\&."
msgstr ""

#. type: SH
#: debian-unstable
#, no-wrap
msgid "CRYPTO POLICY DEFINITON FORMAT"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The crypto policy definiton files have a simple syntax following an B<INI> "
"file B<key> = B<value> syntax with these particular features:"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Comments are indicated by I<#> character\\&. Everything on the line "
"following the character is ignored\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Backslash I<\\e> character followed immediately with the end-of-line "
"character indicates line continuation\\&. The following line is concatenated "
"to the current line after the backslash and end-of-line characters are "
"removed\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Value types can be either decimal integers, arbitrary strings, or lists of "
"strings without whitespace characters separated by any number of "
"whitespaces\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "The allowed keys are:"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<mac>: List of allowed MAC algorithms"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<group>: List of allowed groups or elliptic curves for key exchanges"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<hash>: List of allowed cryptographic hash (message digest) algorithms"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<sign>: List of allowed signature algorithms"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"B<tls_cipher>: List of allowed symmetric encryption algorithms (including "
"the modes) for use with the TLS protocol"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<cipher>: List of allowed symmetric encryption algorithms (including the "
"modes) for use with other protocols"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<key_exchange>: List of allowed key exchange algorithms"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<protocol>: List of allowed TLS and DTLS protocol versions"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<ike_protocol>: List of allowed IKE protocol versions"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<min_tls_version>: Lowest allowed TLS protocol version"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<min_dtls_version>: Lowest allowed DTLS protocol version"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<min_dh_size>: Integer value of minimum number of bits of parameters for "
"B<DH> key exchange"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<min_dsa_size>: Integer value of minimum number of bits for B<DSA> keys"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<min_rsa_size>: Integer value of minimum number of bits for B<RSA> keys"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<sha1_in_certs>: Value of 1 if B<SHA1> allowed in certificate signatures, 0 "
"otherwise (Applies to B<GnuTLS> back end only\\&.)"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The full policy definition files have suffix I<\\&.pol>, the policy module "
"definition files have suffix I<\\&.pmod>\\&. The policy module files do not "
"have to have values set for all the keys listed above\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The lists as set in the base (full policy) are modified by the lists "
"specified in the module files in following way:"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"B<->I<list-item>: The I<list-item> is removed from the list specified in the "
"base policy\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"B<+>I<list-item>: The I<list-item> is inserted at the beginning of the list "
"specified in the base policy\\&. The inserts are done in the order of "
"appearance in the policy module file so the actual order in the final list "
"will be reversed\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"I<list-item> or I<list-item>B<+>: The list-item is appended to the end of "
"the list specified in the base policy\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Non-list key values in the policy module files are simply overridden\\&."
msgstr ""

#. type: SH
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "COMMANDS"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<update-crypto-policies(8)>"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"This command manages the policies available to the various cryptographic "
"back ends and allows the system administrator to change the active "
"cryptographic policy level\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<fips-mode-setup(8)>"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"This command allows the system administrator to enable, or disable the "
"system FIPS mode and also apply the B<FIPS> cryptographic policy level which "
"limits the allowed algorithms and protocols to these allowed by the FIPS "
"140-2 requirements\\&."
msgstr ""

#. type: SH
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "NOTES"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<Exceptions:>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<Go-language> applications do not yet follow the system-wide policy\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<GnuPG-2> application does not follow the system-wide policy\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"In general only the data-in-transit is currently covered by the system-wide "
"policy\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"If the system administrator changes the system-wide policy level with the "
"B<update-crypto-policies(8)> command it is advisable to restart the system "
"as the individual back-end libraries read the configuration files usually "
"during their initialization\\&. The changes in the policy level thus take "
"place in most cases only when the applications using the back-end libraries "
"are restarted\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<Removed cipher suites and protocols>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The following cipher suites and protocols are completely removed from the "
"core cryptographic libraries listed above:"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<DES>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "All export grade cipher suites"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<MD5> in signatures"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<SSLv2>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<SSLv3>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "All B<ECC> curves smaller than 224 bits"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "All binary field B<ECC> curves"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<Cipher suites and protocols disabled in all policy levels>"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The following ciphersuites and protocols are available but disabled in all "
"crypto policy levels\\&. They can be enabled only by explicit configuration "
"of individual applications:"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<DH> with parameters E<lt> 1024 bits"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<RSA> with key size E<lt> 1024 bits"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<Camellia>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<ARIA>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<SEED>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<IDEA>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "Integrity only ciphersuites"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<TLS> B<CBC mode> ciphersuites using B<SHA-384> HMAC"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<AES-CCM8>"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "all B<ECC> curves incompatible with B<TLS 1\\&.3>, including secp256k1"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<IKEv1>"
msgstr ""

#. type: SH
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "FILES"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "/etc/crypto-policies/back-ends"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The individual cryptographical back-end configuration files\\&. Usually "
"linked to the configuration shipped in the crypto-policies package unless a "
"configuration from B<local\\&.d> is added\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "/etc/crypto-policies/config"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "The active crypto-policies level set on the system\\&."
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "/etc/crypto-policies/local\\&.d"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Additional configuration shipped by other packages or created by the system "
"administrator\\&. The contents of the B<E<lt>back-endE<gt>-file\\&.config> "
"is appended to the configuration from the policy back end as shipped in the "
"crypto-policies package\\&."
msgstr ""

#. type: SH
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "SEE ALSO"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "update-crypto-policies(8), fips-mode-setup(8)"
msgstr ""

#. type: SH
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "AUTHOR"
msgstr ""

#. type: Plain text
#: debian-unstable fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "Written by Tomáš Mráz\\&."
msgstr ""

#. type: TH
#: fedora-40
#, no-wrap
msgid "03/02/2024"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Several preconfigured policies (B<DEFAULT>, B<LEGACY>, B<FUTURE>, and "
"B<FIPS>) and subpolicies are included in the B<crypto-policies(7)> "
"package\\&. System administrators or third-party vendors can define custom "
"policies and subpolicies\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The recommended way to modify the effective configuration is to apply a "
"custom subpolicy on top of a predefined policy\\&. This allows configuration "
"to evolve with future updates of the predefined policies keeping desired "
"modification in place\\&. Modifying effective configuration by defining a "
"fully custom policy prevents the configuration from evolving with future "
"updates of the predefined policies\\&. The syntax to define custom policies "
"and subpolicies is described in the CRYPTO POLICY DEFINITION FORMAT section "
"below\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<BIND> DNS name server daemon (scopes: B<BIND>, B<DNSSec>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<GnuTLS> TLS library (scopes: B<GnuTLS>, B<SSL>, B<TLS>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<OpenJDK> runtime environment (scopes: B<java-tls>, B<SSL>, B<TLS>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<Kerberos 5> library (scopes: B<krb5>, B<Kerberos>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<Libreswan> IPsec and IKE protocol implementation (scopes: B<libreswan>, "
"B<IPSec>, B<IKE>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<NSS> TLS library (scopes: B<NSS>, B<SSL>, B<TLS>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<OpenSSH> SSH2 protocol implementation (scopes: B<OpenSSH>, B<SSH>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<OpenSSL> TLS library (scopes: B<OpenSSL>, B<SSL>, B<TLS>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<libssh> SSH2 protocol implementation (scopes: B<libssh>, B<SSH>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<sequoia> PGP implementation, for usage outside of rpm-sequoia (scopes: "
"B<sequoia>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<rpm-sequoia> RPM Sequoia PGP backend (scopes: B<rpm>, B<rpm-sequoia>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Applications using the above libraries and tools are covered by the "
"cryptographic policies unless they are explicitly configured otherwise\\&."
msgstr ""

#. type: SH
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "PROVIDED POLICIES"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"This policy ensures maximum compatibility with legacy systems; it is less "
"secure and it includes support for B<TLS 1\\&.0>, B<TLS 1\\&.1>, and B<SSH2> "
"protocols or later\\&. The algorithms B<DSA> and B<3DES> are allowed, while "
"B<RSA> and B<Diffie-Hellman> parameters are accepted if larger than 1024 "
"bits\\&. This policy provides at least 64-bit security\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<TLS> Ciphers: all available E<gt>= 112-bit key, E<gt>= 128-bit block "
"(including B<3DES>, excluding B<RC4>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<DH> params size: E<gt>= 1024"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<RSA> keys size: E<gt>= 1024"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<DSA> params size: E<gt>= 1024"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The B<DEFAULT> policy is a reasonable default policy for today\\(cqs "
"standards\\&. It allows the B<TLS 1\\&.2>, and B<TLS 1\\&.3> protocols, as "
"well as B<IKEv2> and B<SSH2>\\&. The B<Diffie-Hellman> parameters are "
"accepted if they are at least 2048 bits long\\&. This policy provides at "
"least 112-bit security with the exception of allowing B<SHA-1> signatures in "
"DNSSec where they are still prevalent\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "Signature algorithms: with B<SHA-224> hash or better (no B<DSA>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "The B<NEXT> policy is just an alias to the B<DEFAULT> policy\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"A conservative security policy that is believed to withstand any near-term "
"future attacks at the expense of interoperability\\&. It may prevent "
"communication with many commonly used systems that only offer weaker "
"security\\&. This policy does not allow the use of B<SHA-1> in signature "
"algorithms\\&. The policy also provides some (not complete) preparation for "
"post-quantum encryption support in form of 256-bit symmetric encryption "
"requirement\\&. The B<RSA> and B<Diffie-Hellman> parameters are accepted if "
"larger than 3071 bits\\&. This policy provides at least 128-bit security\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<BSI>"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"A security policy based on recommendations by the german government agency "
"BSI (Bundesamt fuer Sicherheit in der Informationstechnik, translated as "
"\"agency for security in software technology\") in its ruleset BSI TR 02102 "
"(TR - technical recommendation)\\&. The BSI TR 02102 standard is updated in "
"regular intervals\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid ""
"This policy does not allow the use of *SHA-1* in signature algorithms\n"
"(except *DNSSEC* and *RPM*)\\&.\n"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid ""
"The policy also provides some (not complete) preparation for\n"
"post-quantum encryption support in form of 256-bit symmetric encryption\n"
"requirement\\&.\n"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid ""
"The *RSA* parameters are accepted if larger than 2047 bits, and\n"
"*Diffie-Hellman* parameters are accepted if larger than 3071 bits\\&.\n"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid ""
"This policy provides at least 128-bit security, excepting the transition\n"
"of *RSA*\\&.\n"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "MACs: all B<HMAC> with B<SHA-256> or better + all modern MACs"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "non-TLS Ciphers: same as B<TLS> ciphers with added non AE ciphers"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<RSA> keys size: E<gt>= 2048 (until end of 2023, then it will switch to "
"3072)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid ""
"Note that compared to others profiles *Chacha20* and *Camellia* are not\n"
"recommended by the BSI\\&.\n"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"A policy to aid conformance to the B<FIPS 140> requirements\\&. This policy "
"is used internally by the B<fips-mode-setup(8)> tool which can switch the "
"system into the B<FIPS 140> mode\\&. This policy provides at least 112-bit "
"security\\&."
msgstr ""

#. type: SH
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "CRYPTO POLICY DEFINITION FORMAT"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The crypto policy definition files have a simple syntax following an B<INI> "
"file I<key> = I<value> syntax with these particular features:"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Value types for integer options can be decimal integers (I<option = 1>)\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Multiple-choice options can be specified by setting them to a list of values "
"(I<option = value1 value2>)\\&. This list can further be altered by "
"prepending/omitting/appending values (I<option = >I<prepended -omitted "
"appended>)\\&. A follow-up reassignment will reset the list\\&. The latter "
"syntax cannot be combined with the former one in the same directive\\&. "
"Setting an option to an empty list is possible with I<option =>\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Asterisk sign can be used for wildcard matching as a shortcut for specifying "
"multiple values when setting multiple-choice options\\&. Note that wildcard "
"matching can lead to future updates implicitly enabling algorithms not yet "
"available in the current version\\&. If this is a concern, do not use "
"wildcard-matching outside of algorithm-omitting directives\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"In order to limit the scope of the directive and make it affect just some of "
"the backends, the following extended syntax can be used: I<option@scope = "
"\\&...>, I<option@{scope1,scope2,\\&...} = \\&...>\\&. Negation of scopes is "
"possible with I<option@!scope> / \\*(Aqoption@{scope1,scope2,\\&...}\\&. "
"Scope selectors are case-insensitive\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "The available options are:"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<group>: List of allowed groups or elliptic curves for key exchanges for "
"use with other protocols"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<protocol>: List of allowed TLS, DTLS and IKE protocol versions; mind that "
"some backends do not allow selectively disabling protocols versions and only "
"use the oldest version as the lower boundary\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<arbitrary_dh_groups>: Value of 1 if arbitrary group in B<Diffie-Hellman> "
"is allowed, 0 otherwise"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<ssh_certs>: Value of 1 if B<OpenSSH> certificate authentication is "
"allowed, 0 otherwise"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"B<etm>: B<ANY>/B<DISABLE_ETM>/B<DISABLE_NON_ETM> allows both EtM (Encrypt-"
"then-Mac) and E&M (Encrypt-and-Mac), disables EtM, and disables E&M "
"respectively\\&. (Currently only implemented for SSH, do not use without "
"B<@SSH> scope\\&.)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Full policy definition files have suffix \\&.pol, subpolicy files have "
"suffix \\&.pmod\\&. Subpolicies do not have to have values set for all the "
"keys listed above\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The effective configuration of a policy with subpolicies applied is the same "
"as a configuration from a single policy obtained by concatenating the policy "
"and the subpolicies in question\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<Policy file placement and naming:>"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The policy files shipped in packages are placed in /usr/share/crypto-"
"policies/policies and the subpolicies in /usr/share/crypto-policies/policies/"
"modules\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Locally configured policy files should be placed in /etc/crypto-policies/"
"policies and subpolicies in /etc/crypto-policies/policies/modules\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The policy and subpolicy files must have names in upper-case except for the "
"\\&.pol and \\&.pmod suffix as the update-crypto-policies command always "
"converts the policy name to upper-case before searching for the policy on "
"the filesystem\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"This command manages the policies available to the various cryptographic "
"back ends and allows the system administrator to change the active "
"cryptographic policy\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"This command allows the system administrator to enable, or disable the "
"system FIPS mode and also apply the B<FIPS> cryptographic policy which "
"limits the allowed algorithms and protocols to these allowed by the FIPS 140 "
"requirements\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<Known notable exceptions>"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"If the system administrator changes the system-wide policy with the B<update-"
"crypto-policies(8)> command it is advisable to restart the system as the "
"individual back-end libraries read the configuration files usually during "
"their initialization\\&. The changes in the policy thus take place in most "
"cases only when the applications using the back-end libraries are "
"restarted\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<Cipher suites and protocols disabled in all predefined policies>"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The following ciphersuites and protocols are available but disabled in all "
"predefined crypto policies:"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<RC4>"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "B<Notable irregularities in the individual configuration generators>"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<OpenSSL> and B<NSS>: Disabling all TLS and/or all DTLS versions isn\\(cqt "
"actually possible\\&. Trying to do so will result in the library defaults "
"being applied instead\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<OpenSSL>: The minimum length of the keys and some other parameters are "
"enforced by the @SECLEVEL value which does not provide a fine "
"granularity\\&. The list of B<TLS> ciphers is not generated as an exact list "
"but by subtracting from all the supported ciphers for the enabled key "
"exchange methods\\&. For that reason there is no way to disable a random "
"cipher\\&. In particular all B<AES-128> ciphers are disabled if the "
"B<AES-128-GCM> is not present in the list; all B<AES-256> ciphers are "
"disabled if the B<AES-256-GCM> is not present\\&. The B<CBC> ciphers are "
"disabled if there isn\\(cqt B<HMAC-SHA1> in the hmac list and B<AES-256-CBC> "
"in the cipher list\\&. To disable the B<CCM> ciphers both B<AES-128-CCM> and "
"B<AES-256-CCM> must not be present in the cipher list\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<GnuTLS>: The minimum length of the keys and some other parameters are "
"enforced by min-verification-profile setting in the B<GnuTLS> configuration "
"file which does not provide fine granularity\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<GnuTLS>: PSK key exchanges have to be explicitly enabled by the "
"applications using them\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<GnuTLS>: HMAC-SHA2-256 and HMAC-SHA2-384 MACs are disabled due to concerns "
"over the constant-timedness of the implementation\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<OpenSSH>: B<DH> group 1 is always disabled on server even if the policy "
"allows 1024 bit B<DH> groups in general\\&. The OpenSSH configuration option "
"HostKeyAlgorithms is set only for the B<SSH> server as otherwise the "
"handling of the existing known hosts entries would be broken on client\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<Libreswan>: The B<key_exchange> parameter does not affect the generated "
"configuration\\&. The use of regular B<DH> or B<ECDH> can be limited with "
"appropriate setting of the B<group> parameter\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<Sequoia>: only B<hash_algorithms>, B<symmetric_algorithms> and "
"B<asymmetric_algorithms> are controlled by crypto-policies\\&.  "
"B<asymmetric_algorithms> is not controlled directly, but deduced from "
"B<sign> and B<group>\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<NSS>: order of B<group> values is ignored and built-in order is used "
"instead\\&."
msgstr ""

#. type: SH
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
#, no-wrap
msgid "HISTORY"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The B<ECDHE-GSS> and B<DHE-GSS> algorithms are newly introduced and must be "
"specified in the base policy for the SSH GSSAPI key exchange methods to be "
"enabled\\&. Previously the legacy SSH GSSAPI key exchange methods were "
"automatically enabled when the B<SHA1> hash and B<DH> parameters of at least "
"2048 bits were enabled\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Before the introduction of the B<custom crypto policies> support it was "
"possible to have an completely arbitrary crypto policy created as a set of "
"arbitrary back-end config files in /usr/share/crypto-policies/"
"E<lt>POLICYNAMEE<gt> directory\\&. With the introduction of the B<custom "
"crypto policies> it is still possible but there must be an empty (possibly "
"with any comment lines) E<lt>POLICYNAMEE<gt>\\&.pol file in /usr/share/"
"crypto-policies/policies so the update-crypto-policies command can recognize "
"the arbitrary custom policy\\&. No subpolicies must be used with such an "
"arbitrary custom policy\\&. Modifications from B<local\\&.d> will be "
"appended to the files provided by the policy\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The use of the following historaically available options is discouraged:"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<min_tls_version>: Lowest allowed TLS protocol version (recommended "
"replacement: B<protocol@TLS>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<min_dtls_version>: Lowest allowed DTLS protocol version (recommended "
"replacement: B<protocol@TLS>)"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "The following options are deprecated, please rewrite your policies:"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<ike_protocol>: List of allowed IKE protocol versions (recommended "
"replacement: B<protocol@IKE>, mind the relative position to other "
"B<protocol> directives)\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<tls_cipher>: list of allowed symmetric encryption algorithms for use with "
"the TLS protocol (recommended replacement: B<cipher@TLS>, mind the relative "
"position to other B<cipher> directives)\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<ssh_cipher>: list of allowed symmetric encryption algorithms for use with "
"the SSH protocol (recommended replacement: B<cipher@SSH>, mind the relative "
"position to other B<cipher> directives)\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<ssh_group>: list of allowed groups or elliptic curves for key exchanges "
"for use with the SSH protocol (recommended replacement: B<group@SSH>, mind "
"the relative position to other B<group> directives)\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"B<sha1_in_dnssec>: Allow B<SHA1> usage in DNSSec protocol even if it is not "
"present in the B<hash> and B<sign> lists (recommended replacements: "
"B<hash@DNSSec>, B<sign@DNSSec>)\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron
msgid ""
"B<ssh_etm>: Value of 1 if B<OpenSSH> EtM (encrypt-then-mac) extension is "
"allowed, 0 otherwise\\&. Use B<etm@SSH> instead\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"The individual cryptographical back-end configuration files\\&. Usually "
"linked to the configuration shipped in the crypto-policies package unless a "
"configuration from local\\&.d is added\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"A file containing the name of the active crypto-policy set on the system\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Additional configuration shipped by other packages or created by the system "
"administrator\\&. The contents of the E<lt>back-endE<gt>-file\\&.config is "
"appended to the configuration from the policy back end as shipped in the "
"crypto-policies package\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "/usr/share/crypto-policies/policies"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "System policy definition files\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "/usr/share/crypto-policies/policies/modules"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "System subpolicy definition files\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "/etc/crypto-policies/policies"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Custom policy definition files as configured by the system administrator\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "/etc/crypto-policies/policies/modules"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid ""
"Custom subpolicy definition files as configured by the system "
"administrator\\&."
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "/usr/share/crypto-policies/E<lt>\\*(AqPOLICYNAME\\*(AqE<gt>"
msgstr ""

#. type: Plain text
#: fedora-40 fedora-rawhide mageia-cauldron opensuse-tumbleweed
msgid "Pre-generated back-end configurations for policy I<POLICYNAME>\\&."
msgstr ""

#. type: TH
#: fedora-rawhide
#, no-wrap
msgid "05/21/2024"
msgstr ""

#. type: TH
#: mageia-cauldron
#, no-wrap
msgid "11/28/2023"
msgstr ""

#. type: TH
#: opensuse-tumbleweed
#, no-wrap
msgid "09/22/2023"
msgstr ""

#. type: Plain text
#: opensuse-tumbleweed
msgid ""
"B<ssh_etm>: Value of 1 if B<OpenSSH> EtM (encrypt-then-mac) extension is "
"allowed, 0 otherwise"
msgstr ""