path: root/templates/man8/update-crypto-policies.8.pot

# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR Free Software Foundation, Inc.
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2022-06-16 17:37+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: TH
#: debian-unstable
#, no-wrap
msgid "UPDATE-CRYPTO-POLI"
msgstr ""

#. type: TH
#: debian-unstable
#, no-wrap
msgid "08/24/2019"
msgstr ""

#. type: TH
#: debian-unstable
#, no-wrap
msgid "update-crypto-policies"
msgstr ""

#. type: TH
#: debian-unstable
#, no-wrap
msgid "\\ \""
msgstr ""

#.  -----------------------------------------------------------------
#.  * MAIN CONTENT STARTS HERE *
#.  -----------------------------------------------------------------
#. type: SH
#: debian-unstable
#, no-wrap
msgid "NAME"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"update-crypto-policies - manage the policies available to the various "
"cryptographic back-ends\\&."
msgstr ""

#. type: SH
#: debian-unstable
#, no-wrap
msgid "SYNOPSIS"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "B<update-crypto-policies> [I<COMMAND>]"
msgstr ""

#. type: SH
#: debian-unstable
#, no-wrap
msgid "DESCRIPTION"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"B<update-crypto-policies(8)> is used to set the policy applicable for the "
"various cryptographic back-ends, such as SSL/TLS libraries\\&. That will be "
"the default policy used by these back-ends unless the application user "
"configures them otherwise\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The available policies are described in the B<crypto-policies(7)> manual "
"page\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The desired system policy is selected in /etc/crypto-policies/config and "
"this tool will generate the individual policy requirements for all back-ends "
"that support such configuration\\&. After this tool is called the "
"administrator is assured that any application that utilizes the supported "
"back-ends will follow a policy that adheres to the configured profile\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Note that the above assurance does apply to the extent that applications are "
"configured to follow the default policy (the details vary on the back-end, "
"see below for more information)\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The generated back-end policies will be placed in /etc/crypto-policies/back-"
"ends\\&. Currently the supported back-ends are:"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "GnuTLS library"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "OpenSSL library"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "NSS library"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "OpenJDK"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "Libkrb5"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "BIND"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "OpenSSH"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "Libreswan"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "libssh"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Applications and languages which rely on any of these back-ends will follow "
"the system policies as well\\&. Examples are apache httpd, nginx, php, and "
"others\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"In general after changing the system crypto policies with the update-crypto-"
"policies --set command it is recommended to restart the system for the "
"effect to fully take place as the policy configuration files are loaded on "
"application start-up\\&. Otherwise applications started before the command "
"was run need to be restarted to load the updated configuration\\&."
msgstr ""

#. type: SH
#: debian-unstable
#, no-wrap
msgid "COMMANDS"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "The following commands are available in update-crypto-policies tool\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "--show: Shows the currently applied crypto policy"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"--is-applied: Returns success if the currently configured policy is already "
"applied\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "--set: Sets the current policy and overwrites the config file\\&."
msgstr ""

#. type: SH
#: debian-unstable
#, no-wrap
msgid "OPTIONS"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "The following options are available in update-crypto-policies tool\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"--no-check: By default this tool does a sanity check on whether the "
"configured policy is accepted by the supported tools\\&. This option "
"disables those checks\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"--no-reload: By default this tool causes some running applications to reload "
"the configured policy\\&. This option skips the reloading\\&."
msgstr ""

#. type: SH
#: debian-unstable
#, no-wrap
msgid "APPLICATION SUPPORT"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Applications in the operating system that provide a default configuration "
"file that includes a cryptographic policy string will be modified gradually "
"to support these policies\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"When an application provides a configuration file, the changes needed to "
"utilize the system-wide policy are the following\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Applications using GnuTLS: If an application allows the configuration of "
"cipher priotities via a string, the special priority string \"@SYSTEM\" "
"should replace any other priority string\\&. Applications which use the "
"default library settings automatically adhere to the policy\\&. Applications "
"following the policy inherit the settings for cipher suite preference, TLS "
"and DTLS protocol versions, allowed elliptic curves, and limits for "
"cryptographic keys\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Applications using OpenSSL: If an application allows the configuration of "
"ciphersuite string, the special cipher string \"PROFILE=SYSTEM\" should "
"replace any other cipher string\\&. Applications which use the default "
"library settings automatically adhere to the policy\\&. Applications "
"following the policy inherit the settings for cipher suite preference\\&. By "
"default the OpenSSL library reads a configuration file when it is "
"initialized\\&. If the applicaton does not override loading of the "
"configuration file, the policy also sets the minimum TLS protocol version "
"and default cipher suite preference via this file\\&. If the application is "
"long-running such as the httpd server it has to be restarted to reload the "
"configuration file after policy is changed\\&. Otherwise the changed policy "
"cannot take effect\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Applications using NSS: Applications using NSS will load the crypto policies "
"by default\\&. They inherit the settings for cipher suite preference, TLS "
"and DTLS protocol versions, allowed elliptic curves, and limits for "
"cryptographic keys\\&. Note that unlike OpenSSL and GnuTLS, the NSS policy "
"is enforced by default; to prevent applications from adhering to the policy "
"the NSS_IGNORE_SYSTEM_POLICY environment variable must be set to 1 prior to "
"executing that application\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Applications using Java: No special treatment is required\\&. Applications "
"using Java will load the crypto policies by default\\&. These applications "
"will then inherit the settings for allowed cipher suites, allowed TLS and "
"DTLS protocol versions, allowed elliptic curves, and limits for "
"cryptographic keys\\&. To prevent openjdk applications from adhering to the "
"policy the E<lt>java\\&.homeE<gt>/jre/lib/security/java\\&.security file "
"should be edited to contain security\\&.useSystemPropertiesFile=false\\&. "
"Alternatively one can create a file containing the overridden values for "
"I<jdk\\&.tls\\&.disabledAlgorithms>, I<jdk\\&.certpath\\&."
"disabledAlgorithms> and pass the location of that file to Java on the "
"command line using the -Djava\\&.security\\&.properties=E<lt>path to "
"fileE<gt>\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Applications using libkrb5: No special treatment is required\\&. "
"Applications will follow the crypto policies by default\\&. These "
"applications inherit the settings for the permitted encryption types for "
"tickets as well as the cryptographic key limits for the PKINIT protocol\\&. "
"A system-wide opt-out is available by deleting the /etc/krb5\\&.conf\\&.d/"
"crypto-policies link\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"BIND: This application inherits the set of blacklisted algorithms\\&. To opt-"
"out from the policy, remove the policy include directive in the named\\&."
"conf file\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"OpenSSH: Both server and client application inherits the cipher preferences, "
"the key exchange algorithms as well as the GSSAPI key exchange "
"algorithms\\&. To opt-out from the policy for client, override the global "
"ssh_config with a user-specific configuration in ~/\\&.ssh/config\\&. See "
"ssh_config(5) for more information\\&. To opt-out from the policy for "
"server, uncomment the line containing CRYPTO_POLICY= in /etc/sysconfig/sshd "
"\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Libreswan: Both servers and clients inherit the ESP and IKE preferences, if "
"they are not overridden in the connection configuration file\\&. Note that "
"due to limitations of libreswan, crypto policies is restricted to supporting "
"IKEv2\\&. To opt-out from the policy, comment the line including /etc/crypto-"
"policies/back-ends/libreswan\\&.config from /etc/ipsec\\&.conf\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Applications using libssh: Both client and server applications using libssh "
"will load the crypto policies by default\\&. They inherit the ciphers, key "
"exchange, message authentication, and signature algorithms preferences\\&."
msgstr ""

#. type: SH
#: debian-unstable
#, no-wrap
msgid "POLICY CONFIGURATION"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"One of the supported profiles should be set in /etc/crypto-policies/config "
"and this script should be run afterwards\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "In case of a parsing error no policies will be updated\\&."
msgstr ""

#. type: SH
#: debian-unstable
#, no-wrap
msgid "CUSTOM POLICIES"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The custom policies can take two forms\\&. First form is a full custom "
"policy file which is supported by the update-crypto-policies tool in the "
"same way as the policies shipped along the tool in the package\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The second form can be called a subpolicy or policy modifier\\&. This form "
"modifies aspects of any base policy file by removing or adding algorithms or "
"protocols\\&. The subpolicies can be appended on the update-crypto-policies "
"--set command line to the base policy separated by the : character\\&. There "
"can be multiple subpolicies appended\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Let\\(cqs suppose we have subpolicy NO-SHA1 that drops support for SHA1 hash "
"and subpolicy GOST that enables support for the various algorithms specified "
"in Russian GOST standards\\&. You can set the DEFAULT policy with disabled "
"SHA1 support and enabled GOST support by running the following command:"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "update-crypto-policies --set DEFAULT:NO-SHA1:GOST"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"This command generates and applies configuration that will be modification "
"of the DEFAULT policy with changes specified in the NO-SHA1 and GOST "
"subpolicies\\&."
msgstr ""

#. type: SH
#: debian-unstable
#, no-wrap
msgid "FILES"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "/etc/crypto-policies/config"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"The file contains the current system policy\\&. It should contain a string "
"of one of the profiles listed in the B<crypto-policies(7)> page (e\\&.g\\&., "
"DEFAULT)\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "/etc/crypto-policies/back-ends"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Contains the generated policies in separated files, and in a format readable "
"by the supported back ends\\&."
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "/etc/crypto-policies/local\\&.d"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid ""
"Contains additional files to be appended to the generated policy files\\&. "
"The files present must adhere to $app-XXX\\&.config file naming, where XXX "
"is any arbitrary identifier\\&. For example, to append a line to "
"GnuTLS\\*(Aq generated policy, create a gnutls-extra-line\\&.config file in "
"local\\&.d\\&. This will be appended to the generated gnutls\\&.config "
"during update-crypto-policies\\&. These overrides, are only functional for "
"the gnutls, bind, java (openjdk) and krb5 back-ends\\&."
msgstr ""

#. type: SH
#: debian-unstable
#, no-wrap
msgid "SEE ALSO"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "crypto-policies(7), fips-mode-setup(8)"
msgstr ""

#. type: SH
#: debian-unstable
#, no-wrap
msgid "AUTHOR"
msgstr ""

#. type: Plain text
#: debian-unstable
msgid "Written by Nikos Mavrogiannopoulos\\&."
msgstr ""