Customize openssl configuration to enable legacy providers by default
One of the major change with OpenSSL 3.x is introduction of "Providers"
to « collect together and make available algorithm implementations ».
Some algorithms such as MD4, WHIRLPOOL and RIPEMD-160 are part of the
"legacy provider", which is disabled by default.
This change impacted Kali users who seem to rely on the MD4 algorithm in
particular:
- https://gitlab.com/kalilinux/packages/kali-tweaks/-/issues/27
- https://bugs.kali.org/view.php?id=7783
Therefore, with this commit we extend the scope of the "Wide
Compatibility" mode to also include the legacy providers. While if users
prefer "Strong Security", legacy providers are left disabled.
For more details on the OpenSSL 3.x changes:
- https://www.openssl.org/news/changelog.html#openssl-30
- https://www.openssl.org/docs/man3.0/man7/migration_guide.html
Arnaud Rebillout
1 year, 10 months ago
| 0 | 0 |
# The configurations proposed here are only used if /etc/ssl/openssl.cnf has
|
| 1 | |
# been modified so that ssl_sect.system_default points to one of them. The
|
| 2 | |
# kali-tweaks tool lets you easily switch that configuration entry.
|
|
1 |
# been modified to make use of it. The kali-tweaks tool lets you easily switch
|
|
2 |
# between "Wide Compatibility" and "Strong Security" modes.
|
| 3 | 3 |
#
|
| 4 | 4 |
# By default a kali system should be configured for wide compatibility,
|
| 5 | 5 |
# to easily interact with servers using old vulnerable protocols.
|
|
| 8 | 8 |
MinProtocol = SSLv3
|
| 9 | 9 |
CipherString = ALL:@SECLEVEL=0
|
| 10 | 10 |
|
|
11 |
[kali_wide_compatibility_providers]
|
|
12 |
default = default_sect
|
|
13 |
legacy = legacy_sect
|
|
14 |
|
| 11 | 15 |
[kali_strong_security]
|
| 12 | 16 |
MinProtocol = TLSv1.2
|
| 13 | 17 |
CipherString = DEFAULT:@SECLEVEL=2
|
|
18 |
|
|
19 |
[kali_strong_security_providers]
|
|
20 |
default = default_sect
|
| 6 | 6 |
|
| 7 | 7 |
# Note that you can include other files from the main configuration
|
| 8 | 8 |
# file using the .include directive.
|
| 9 | |
.include /etc/ssl/kali.cnf
|
|
9 |
#.include filename
|
| 10 | 10 |
|
| 11 | 11 |
# This definition stops the following lines choking if HOME isn't
|
| 12 | 12 |
# defined.
|
|
| 49 | 49 |
# Refer to the OpenSSL security policy for more information.
|
| 50 | 50 |
# .include fipsmodule.cnf
|
| 51 | 51 |
|
|
52 |
# For Kali
|
|
53 |
.include /etc/ssl/kali.cnf
|
|
54 |
|
| 52 | 55 |
[openssl_init]
|
| 53 | |
# providers = provider_sect
|
|
56 |
providers = kali_wide_compatibility_providers
|
| 54 | 57 |
ssl_conf = ssl_sect
|
| 55 | 58 |
|
| 56 | 59 |
# List of providers to load
|
|
| 68 | 71 |
# becomes unavailable in openssl. As a consequence applications depending on
|
| 69 | 72 |
# OpenSSL may not work correctly which could lead to significant system
|
| 70 | 73 |
# problems including inability to remotely access the system.
|
| 71 | |
# [default_sect]
|
| 72 | |
# activate = 1
|
|
74 |
[default_sect]
|
|
75 |
activate = 1
|
|
76 |
|
|
77 |
[legacy_sect]
|
|
78 |
activate = 1
|
| 73 | 79 |
|
| 74 | 80 |
|
| 75 | 81 |
####################################################################
|