Public bug reported:

The crypto-policies package's description is "unify the crypto policies
used by different applications and libraries".  Its README.md says "The
current implementations works by setting the desired policy in /etc
/crypto-policies/config. After this file is changed the script 'update-
crypto-policies' should be executed, and the new policies will
activate."

This information is misleading, because the crypto-policies package
doesn't seem to have any effect on the system's crypto policies.
Running update-crypto-policies only updates files in /etc/crypto-
policies, but those files are not referenced by OpenSSL, OpenSSH, or any
other system config files.

The update-crypto-policies tool will also give the misleading output
"The configured policy is applied" when the policy is having no effect
on the system.

To reproduce:

1) update-crypto-policies --set EMPTY
2) curl https://ubuntu.com

The curl should fail, since EMPTY mode is supposed to disable all
ciphers, but it will succeed.

I think this package should be removed as misleading and dangerous, or
at least equipped with warnings stating that it will not do anything
unless the user manually changes all of their system configuration files
to reference those in /etc/crypto-policies/.

** Affects: crypto-policies (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1926664

Title:
  Package has no effect on system crypto policy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/crypto-policies/+bug/1926664/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

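The report's core point is that "The configured policy is applied" only means the files under /etc/crypto-policies were regenerated, not that any consumer reads them. The following POSIX shell script is an added example, written for this page and not part of the bug report or of the crypto-policies package: it reads the selected policy name, then checks whether each consumer's configuration actually includes the generated back-end file, so an administrator can verify enforcement instead of trusting the tool's message. The consumer config paths (/etc/ssl/openssl.cnf, /etc/ssh/sshd_config), the back-end file names (opensslcnf.config, opensshserver.config) and the include-directive syntax it looks for are assumptions modelled on how the package is wired on distributions that do integrate it; adjust them for your system.

```shell
#!/bin/sh
# Added example: audit whether a crypto-policies profile is really enforced.
# Not code from the bug report or the crypto-policies package.
#
# Assumed layout (relative to ROOT, "" meaning the live system):
#   etc/crypto-policies/config                      selected policy name
#   etc/crypto-policies/back-ends/<lib>.config      generated per-library file
#   etc/ssl/openssl.cnf, etc/ssh/sshd_config        consumers that must
#                                                   include the back-end file

# policy_name ROOT: print the policy selected in config (comments and blank
# lines skipped), or "none" when the config file is unreadable.
policy_name() {
  f="$1/etc/crypto-policies/config"
  if [ -r "$f" ]; then
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f" | head -n 1 | tr -d '[:space:]'
  else
    echo none
  fi
}

# consumer_references_backend ROOT CONSUMER_CFG BACKEND: return 0 when the
# consumer config contains an include directive (".include" for OpenSSL,
# "Include" for OpenSSH; matched case-insensitively) naming BACKEND, else 1.
consumer_references_backend() {
  cfg="$1$2"
  backend="$3"
  [ -r "$cfg" ] || return 1
  grep -Eiq "^[[:space:]]*\.?include[[:space:]]+.*$backend" "$cfg"
}

# audit_policy ROOT: return 0 only when every checked consumer pulls in its
# generated back-end file; otherwise list the consumers that ignore the policy
# (the situation the report describes) and return 1.
audit_policy() {
  root="${1:-}"
  name=$(policy_name "$root")
  missing=""
  # consumer config : back-end file it is expected to include (assumed pairs)
  for pair in \
    "/etc/ssl/openssl.cnf:/etc/crypto-policies/back-ends/opensslcnf.config" \
    "/etc/ssh/sshd_config:/etc/crypto-policies/back-ends/opensshserver.config"
  do
    cfg=${pair%%:*}
    backend=${pair#*:}
    if [ ! -r "$root$backend" ]; then
      missing="$missing $cfg(back-end file missing)"
    elif ! consumer_references_backend "$root" "$cfg" "$backend"; then
      missing="$missing $cfg(does not include back-end)"
    fi
  done
  if [ -z "$missing" ]; then
    echo "policy '$name': enforced by all checked consumers"
    return 0
  fi
  echo "policy '$name': NOT enforced; consumers ignoring it:$missing"
  return 1
}

# Run against the live system only when explicitly asked:
#   AUDIT_ROOT=/ sh audit-crypto-policy.sh
if [ -n "${AUDIT_ROOT:-}" ]; then
  audit_policy "${AUDIT_ROOT%/}"
fi
```

On a system in the state the report describes (policy set to EMPTY, back-end files regenerated, but openssl.cnf and sshd_config untouched) the audit reports the policy as NOT enforced and exits non-zero, which is the check worth running before relying on `update-crypto-policies --set`; it only becomes "enforced" once each consumer config carries an include of its back-end file.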