# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR Free Software Foundation, Inc. # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "POT-Creation-Date: 2022-06-16 17:37+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: TH #: debian-unstable #, no-wrap msgid "UPDATE-CRYPTO-POLI" msgstr "" #. type: TH #: debian-unstable #, no-wrap msgid "08/24/2019" msgstr "" #. type: TH #: debian-unstable #, no-wrap msgid "update-crypto-policies" msgstr "" #. type: TH #: debian-unstable #, no-wrap msgid "\\ \"" msgstr "" #. ----------------------------------------------------------------- #. * MAIN CONTENT STARTS HERE * #. ----------------------------------------------------------------- #. type: SH #: debian-unstable #, no-wrap msgid "NAME" msgstr "" #. type: Plain text #: debian-unstable msgid "" "update-crypto-policies - manage the policies available to the various " "cryptographic back-ends\\&." msgstr "" #. type: SH #: debian-unstable #, no-wrap msgid "SYNOPSIS" msgstr "" #. type: Plain text #: debian-unstable msgid "B [I]" msgstr "" #. type: SH #: debian-unstable #, no-wrap msgid "DESCRIPTION" msgstr "" #. type: Plain text #: debian-unstable msgid "" "B is used to set the policy applicable for the " "various cryptographic back-ends, such as SSL/TLS libraries\\&. That will be " "the default policy used by these back-ends unless the application user " "configures them otherwise\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "The available policies are described in the B manual " "page\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "The desired system policy is selected in /etc/crypto-policies/config and " "this tool will generate the individual policy requirements for all back-ends " "that support such configuration\\&. After this tool is called the " "administrator is assured that any application that utilizes the supported " "back-ends will follow a policy that adheres to the configured profile\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "Note that the above assurance does apply to the extent that applications are " "configured to follow the default policy (the details vary on the back-end, " "see below for more information)\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "The generated back-end policies will be placed in /etc/crypto-policies/back-" "ends\\&. Currently the supported back-ends are:" msgstr "" #. type: Plain text #: debian-unstable msgid "GnuTLS library" msgstr "" #. type: Plain text #: debian-unstable msgid "OpenSSL library" msgstr "" #. type: Plain text #: debian-unstable msgid "NSS library" msgstr "" #. type: Plain text #: debian-unstable msgid "OpenJDK" msgstr "" #. type: Plain text #: debian-unstable msgid "Libkrb5" msgstr "" #. type: Plain text #: debian-unstable msgid "BIND" msgstr "" #. type: Plain text #: debian-unstable msgid "OpenSSH" msgstr "" #. type: Plain text #: debian-unstable msgid "Libreswan" msgstr "" #. type: Plain text #: debian-unstable msgid "libssh" msgstr "" #. type: Plain text #: debian-unstable msgid "" "Applications and languages which rely on any of these back-ends will follow " "the system policies as well\\&. Examples are apache httpd, nginx, php, and " "others\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "In general after changing the system crypto policies with the update-crypto-" "policies --set command it is recommended to restart the system for the " "effect to fully take place as the policy configuration files are loaded on " "application start-up\\&. Otherwise applications started before the command " "was run need to be restarted to load the updated configuration\\&." msgstr "" #. type: SH #: debian-unstable #, no-wrap msgid "COMMANDS" msgstr "" #. type: Plain text #: debian-unstable msgid "The following commands are available in update-crypto-policies tool\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "--show: Shows the currently applied crypto policy" msgstr "" #. type: Plain text #: debian-unstable msgid "" "--is-applied: Returns success if the currently configured policy is already " "applied\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "--set: Sets the current policy and overwrites the config file\\&." msgstr "" #. type: SH #: debian-unstable #, no-wrap msgid "OPTIONS" msgstr "" #. type: Plain text #: debian-unstable msgid "The following options are available in update-crypto-policies tool\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "--no-check: By default this tool does a sanity check on whether the " "configured policy is accepted by the supported tools\\&. This option " "disables those checks\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "--no-reload: By default this tool causes some running applications to reload " "the configured policy\\&. This option skips the reloading\\&." msgstr "" #. type: SH #: debian-unstable #, no-wrap msgid "APPLICATION SUPPORT" msgstr "" #. type: Plain text #: debian-unstable msgid "" "Applications in the operating system that provide a default configuration " "file that includes a cryptographic policy string will be modified gradually " "to support these policies\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "When an application provides a configuration file, the changes needed to " "utilize the system-wide policy are the following\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "Applications using GnuTLS: If an application allows the configuration of " "cipher priotities via a string, the special priority string \"@SYSTEM\" " "should replace any other priority string\\&. Applications which use the " "default library settings automatically adhere to the policy\\&. Applications " "following the policy inherit the settings for cipher suite preference, TLS " "and DTLS protocol versions, allowed elliptic curves, and limits for " "cryptographic keys\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "Applications using OpenSSL: If an application allows the configuration of " "ciphersuite string, the special cipher string \"PROFILE=SYSTEM\" should " "replace any other cipher string\\&. Applications which use the default " "library settings automatically adhere to the policy\\&. Applications " "following the policy inherit the settings for cipher suite preference\\&. By " "default the OpenSSL library reads a configuration file when it is " "initialized\\&. If the applicaton does not override loading of the " "configuration file, the policy also sets the minimum TLS protocol version " "and default cipher suite preference via this file\\&. If the application is " "long-running such as the httpd server it has to be restarted to reload the " "configuration file after policy is changed\\&. Otherwise the changed policy " "cannot take effect\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "Applications using NSS: Applications using NSS will load the crypto policies " "by default\\&. They inherit the settings for cipher suite preference, TLS " "and DTLS protocol versions, allowed elliptic curves, and limits for " "cryptographic keys\\&. Note that unlike OpenSSL and GnuTLS, the NSS policy " "is enforced by default; to prevent applications from adhering to the policy " "the NSS_IGNORE_SYSTEM_POLICY environment variable must be set to 1 prior to " "executing that application\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "Applications using Java: No special treatment is required\\&. Applications " "using Java will load the crypto policies by default\\&. These applications " "will then inherit the settings for allowed cipher suites, allowed TLS and " "DTLS protocol versions, allowed elliptic curves, and limits for " "cryptographic keys\\&. To prevent openjdk applications from adhering to the " "policy the Ejava\\&.homeE/jre/lib/security/java\\&.security file " "should be edited to contain security\\&.useSystemPropertiesFile=false\\&. " "Alternatively one can create a file containing the overridden values for " "I, I and pass the location of that file to Java on the " "command line using the -Djava\\&.security\\&.properties=Epath to " "fileE\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "Applications using libkrb5: No special treatment is required\\&. " "Applications will follow the crypto policies by default\\&. These " "applications inherit the settings for the permitted encryption types for " "tickets as well as the cryptographic key limits for the PKINIT protocol\\&. " "A system-wide opt-out is available by deleting the /etc/krb5\\&.conf\\&.d/" "crypto-policies link\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "BIND: This application inherits the set of blacklisted algorithms\\&. To opt-" "out from the policy, remove the policy include directive in the named\\&." "conf file\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "OpenSSH: Both server and client application inherits the cipher preferences, " "the key exchange algorithms as well as the GSSAPI key exchange " "algorithms\\&. To opt-out from the policy for client, override the global " "ssh_config with a user-specific configuration in ~/\\&.ssh/config\\&. See " "ssh_config(5) for more information\\&. To opt-out from the policy for " "server, uncomment the line containing CRYPTO_POLICY= in /etc/sysconfig/sshd " "\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "Libreswan: Both servers and clients inherit the ESP and IKE preferences, if " "they are not overridden in the connection configuration file\\&. Note that " "due to limitations of libreswan, crypto policies is restricted to supporting " "IKEv2\\&. To opt-out from the policy, comment the line including /etc/crypto-" "policies/back-ends/libreswan\\&.config from /etc/ipsec\\&.conf\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "Applications using libssh: Both client and server applications using libssh " "will load the crypto policies by default\\&. They inherit the ciphers, key " "exchange, message authentication, and signature algorithms preferences\\&." msgstr "" #. type: SH #: debian-unstable #, no-wrap msgid "POLICY CONFIGURATION" msgstr "" #. type: Plain text #: debian-unstable msgid "" "One of the supported profiles should be set in /etc/crypto-policies/config " "and this script should be run afterwards\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "In case of a parsing error no policies will be updated\\&." msgstr "" #. type: SH #: debian-unstable #, no-wrap msgid "CUSTOM POLICIES" msgstr "" #. type: Plain text #: debian-unstable msgid "" "The custom policies can take two forms\\&. First form is a full custom " "policy file which is supported by the update-crypto-policies tool in the " "same way as the policies shipped along the tool in the package\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "The second form can be called a subpolicy or policy modifier\\&. This form " "modifies aspects of any base policy file by removing or adding algorithms or " "protocols\\&. The subpolicies can be appended on the update-crypto-policies " "--set command line to the base policy separated by the : character\\&. There " "can be multiple subpolicies appended\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "" "Let\\(cqs suppose we have subpolicy NO-SHA1 that drops support for SHA1 hash " "and subpolicy GOST that enables support for the various algorithms specified " "in Russian GOST standards\\&. You can set the DEFAULT policy with disabled " "SHA1 support and enabled GOST support by running the following command:" msgstr "" #. type: Plain text #: debian-unstable msgid "update-crypto-policies --set DEFAULT:NO-SHA1:GOST" msgstr "" #. type: Plain text #: debian-unstable msgid "" "This command generates and applies configuration that will be modification " "of the DEFAULT policy with changes specified in the NO-SHA1 and GOST " "subpolicies\\&." msgstr "" #. type: SH #: debian-unstable #, no-wrap msgid "FILES" msgstr "" #. type: Plain text #: debian-unstable msgid "/etc/crypto-policies/config" msgstr "" #. type: Plain text #: debian-unstable msgid "" "The file contains the current system policy\\&. It should contain a string " "of one of the profiles listed in the B page (e\\&.g\\&., " "DEFAULT)\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "/etc/crypto-policies/back-ends" msgstr "" #. type: Plain text #: debian-unstable msgid "" "Contains the generated policies in separated files, and in a format readable " "by the supported back ends\\&." msgstr "" #. type: Plain text #: debian-unstable msgid "/etc/crypto-policies/local\\&.d" msgstr "" #. type: Plain text #: debian-unstable msgid "" "Contains additional files to be appended to the generated policy files\\&. " "The files present must adhere to $app-XXX\\&.config file naming, where XXX " "is any arbitrary identifier\\&. For example, to append a line to " "GnuTLS\\*(Aq generated policy, create a gnutls-extra-line\\&.config file in " "local\\&.d\\&. This will be appended to the generated gnutls\\&.config " "during update-crypto-policies\\&. These overrides, are only functional for " "the gnutls, bind, java (openjdk) and krb5 back-ends\\&." msgstr "" #. type: SH #: debian-unstable #, no-wrap msgid "SEE ALSO" msgstr "" #. type: Plain text #: debian-unstable msgid "crypto-policies(7), fips-mode-setup(8)" msgstr "" #. type: SH #: debian-unstable #, no-wrap msgid "AUTHOR" msgstr "" #. type: Plain text #: debian-unstable msgid "Written by Nikos Mavrogiannopoulos\\&." msgstr ""