crypto-policies: PolicySyntaxDeprecationWarning: Option protocol is deprecated, please rewrite your rules using protocol@tls; be advised that it is not always a 1-1 replacement
Issue
- After upgrading to RHEL 8.5, update-crypto-policies prints the following warning messages when applying a custom policy:

    # update-crypto-policies
    PolicySyntaxDeprecationWarning: Option protocol is deprecated, please rewrite your rules using protocol@tls; be advised that it is not always a 1-1 replacement
    PolicySyntaxDeprecationWarning: Option tls_cipher is deprecated, please rewrite your rules using cipher@tls; be advised that it is not always a 1-1 replacement
    PolicySyntaxDeprecationWarning: Option ssh_cipher is deprecated, please rewrite your rules using cipher@ssh; be advised that it is not always a 1-1 replacement
    PolicySyntaxDeprecationWarning: Option ssh_group is deprecated, please rewrite your rules using group@ssh; be advised that it is not always a 1-1 replacement

- The custom policy in /etc/crypto-policies/policies/modules/CUSTOM.pmod contains the following lines:

    ssh_cipher = AES-128-CTR AES-256-CTR AES-128-GCM AES-256-GCM CHACHA20-POLY1305
    ssh_group = -X25519
    key_exchange = DHE ECDHE ECDHE-GSS DHE-GSS DHE-DSS DHE-RSA
    ssh_etm = 1
    mac = HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512
    cipher = AES-256-GCM AES-128-GCM CHACHA20-POLY1305 CAMELLIA-256-GCM CAMELLIA-128-GCM
    hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA1
    tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-128-GCM AES-128-CCM
    protocol = TLS1.3 TLS1.2 DTLS1.2
    min_tls_version = TLS1.2
    min_dh_size = 2048
    min_dsa_size = 2048
    min_rsa_size = 2048

- The policy works on RHEL 8.4.
Environment
- Red Hat Enterprise Linux 8.5 and newer
- crypto-policies-20210617-1 and newer
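
One way to locate the affected lines before rewriting a policy module, as an added example (not Red Hat's or the crypto-policies project's code): it scans policy text for the four deprecated option names quoted in the warnings and reports the scoped name each warning suggests, leaving the values untouched for manual review because the replacement is not always 1-1. The function name `find_deprecated` and the mapping table are assumptions built only from those four warnings.

```python
import re

# Deprecated option -> scoped name, exactly as the four warnings in the
# Issue section give them. Nothing beyond those warnings is assumed.
DEPRECATED = {
    "protocol": "protocol@tls",
    "tls_cipher": "cipher@tls",
    "ssh_cipher": "cipher@ssh",
    "ssh_group": "group@ssh",
}

# Matches "option = value"; the option name is everything before the "=".
ASSIGNMENT = re.compile(r"^\s*([^\s=]+)\s*=\s*(.*)$")

# CUSTOM.pmod contents as listed in the Issue section.
SAMPLE_PMOD = """\
ssh_cipher = AES-128-CTR AES-256-CTR AES-128-GCM AES-256-GCM CHACHA20-POLY1305
ssh_group = -X25519
key_exchange = DHE ECDHE ECDHE-GSS DHE-GSS DHE-DSS DHE-RSA
ssh_etm = 1
mac = HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512
cipher = AES-256-GCM AES-128-GCM CHACHA20-POLY1305 CAMELLIA-256-GCM CAMELLIA-128-GCM
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA1
tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-128-GCM AES-128-CCM
protocol = TLS1.3 TLS1.2 DTLS1.2
min_tls_version = TLS1.2
min_dh_size = 2048
min_dsa_size = 2048
min_rsa_size = 2048
"""


def find_deprecated(policy_text):
    """Return (line_no, option, suggested_name, value) for each deprecated option."""
    findings = []
    for line_no, raw in enumerate(policy_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # ignore comments
        match = ASSIGNMENT.match(line)
        if match and match.group(1) in DEPRECATED:
            option = match.group(1)
            findings.append((line_no, option, DEPRECATED[option], match.group(2).strip()))
    return findings


if __name__ == "__main__":
    for n, opt, new, val in find_deprecated(SAMPLE_PMOD):
        print(f"line {n}: '{opt}' is deprecated, review and rewrite as '{new}' (value: {val})")
```
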