How do you create a subpolicy or modify the “DEFAULT” policy to restrict TLS 1.3 cipher suites to just “TLS_AES_128_GCM_SHA256” and “TLS_AES_256_GCM_SHA384”?
Welcome to openSUSE Forums.
See if this helps:
https://en.opensuse.org/SDB:Crypto-policies
In particular, create a custom policy file (e.g. /etc/crypto-policies/policies/TLS13ONLY.policy)
and add the desired ciphers
tls13_ciphers = TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384
Save when done and apply the policy
sudo update-crypto-policies --set DEFAULT:TLS13ONLY
For more info
man 7 crypto-policies
man 8 update-crypto-policies
No. It should be /etc/crypto-policies/policies/modules/TLS13ONLY.pmod.
Where have you got it from? This string does not appear anywhere in any document you mentioned.
bor@10:~> cat /etc/crypto-policies/policies/modules/TLS13ONLY.pmod
cipher@tls = AES-256-GCM AES-128-GCM
bor@10:~> grep Ciphers /etc/crypto-policies/back-ends/opensslcnf.config
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
bor@10:~>
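Added example, not part of the original thread: a shell check that the `Ciphersuites` line of the generated OpenSSL back-end config (as grepped in the post above) lists only the intended TLS 1.3 suites. The function name `unexpected_suites` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# unexpected_suites FILE ALLOWED...
# Prints every suite on the "Ciphersuites =" line of FILE that is not in the
# allowlist. Returns 0 if all suites are allowed, 1 if any unexpected suite
# is present, 2 if FILE has no Ciphersuites line (or cannot be read).
unexpected_suites() {
    file=$1; shift
    allowed=" $* "
    # Use the last assignment in the file; drop the key, spaces and CRs.
    line=$(sed -n 's/^[[:space:]]*Ciphersuites[[:space:]]*=[[:space:]]*//p' "$file" 2>/dev/null \
        | tail -n 1 | tr -d ' \r')
    [ -n "$line" ] || return 2
    rc=0
    old_ifs=$IFS; IFS=:
    for suite in $line; do
        case "$allowed" in
            *" $suite "*) ;;                       # suite is on the allowlist
            *) printf '%s\n' "$suite"; rc=1 ;;     # report anything else
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Constructed sample input (not taken from a real host): one config as it
# looks with the module applied, one that still offers an extra suite.
demo() {
    dir=$(mktemp -d)
    printf 'Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256\n' \
        > "$dir/restricted.config"
    printf 'Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256\n' \
        > "$dir/unrestricted.config"
    for f in "$dir"/*.config; do
        if extra=$(unexpected_suites "$f" TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384); then
            echo "${f##*/}: only the allowed TLS 1.3 suites are listed"
        else
            echo "${f##*/}: unexpected suites: $extra"
        fi
    done
    rm -rf "$dir"
}
demo
```

On a real system, point the function at /etc/crypto-policies/back-ends/opensslcnf.config after running update-crypto-policies.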
Ok, I thought Leap 15.6 was using an older crypto policy framework (unlike Leap 16, Slowroll and Tumbleweed)?
@ira.b.schwartz Can you please confirm?
rpm -qi crypto-policies
ls -l /usr/share/crypto-policies/policies/
The man pages might be your best friend here. I don’t have openSUSE Leap 15.6 installed now.