File Explorer

/usr/share/crypto-policies/policies/modules

This explorer reads the filesystem of the server it runs on, so /workspace/user isn't present here. Browsing and the terminal still work against this server's own disk from /.

0 dirs
7 files

OSPP.pmod2.0 KB · 50 lines

1# Restrict FIPS policy for the Common Criteria OSPP profile.2 3# SSH (upper limit)4# Ciphers: aes256-ctr, aes256-cbc, aes256-gcm@openssh.com5# PubkeyAcceptedKeyTypes: rsa-sha2-256, rsa‑sha2‑5126# MACs: hmac-sha2-256, hmac-sha2-512, implicit for aes256-gcm@openssh.com7# KexAlgorithms: ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group16-sha512, diffie-hellman-group18-sha5128 9# TLS ciphers (suggested minimal set for openssl)10# * TLS_RSA_WITH_AES_128_CBC_SHA     - excluded by FIPS, uses RSA key exchange11# * TLS_RSA_WITH_AES_256_CBC_SHA     - excluded by FIPS, uses RSA key exchange12# * TLS_RSA_WITH_AES_128_CBC_SHA256  - excluded by FIPS, uses RSA key exchange13# * TLS_RSA_WITH_AES_256_CBC_SHA256  - excluded by FIPS, uses RSA key exchange14# * TLS_RSA_WITH_AES_128_GCM_SHA256  - excluded by FIPS, uses RSA key exchange15# * TLS_RSA_WITH_AES_256_GCM_SHA384  - excluded by FIPS, uses RSA key exchange16# * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256  - excluded by FIPS (CBC)17# * TLS_DHE_RSA_WITH_AES_256_CBC_SHA256  - excluded by FIPS (CBC)18# * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256  - disabled, AES 12819# * TLS_DHE_RSA_WITH_AES_256_GCM_SHA38420# * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  - disabled, AES 12821# * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  - disabled, AES 12822# * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  - disabled in openssl itself23# * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38424# * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  - disabled, AES 128 + CBC25# * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  - disabled, AES 12826# * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  - disabled in openssl itself27# * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA38428# Supported Groups Extension in ClientHello: secp256r1, secp384r1, secp521r129 30mac = -HMAC-SHA1  # see above, both SSH and TLS ended up not using it31 32group = -SECP256R1 -FFDHE-204833 34hash = -SHA2-224 -SHA3-*35 36sign = -*-SHA2-224 -ECDSA-SHA2-25637 38cipher = -AES-*-CCM -AES-128-*39cipher@!{ssh,tls} = -AES-*-CTR40 41ssh_certs = 042etm@ssh = DISABLE_ETM43 44protocol@TLS = -TLS1.345 46min_dh_size = 307247min_rsa_size = 307248 49arbitrary_dh_groups = 050