# This policy follows the BSI TR-02102-2 "Kryptographische Verfahren: Verwendung von Transport Layer Security (TLS)" # Generic:https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.html # TLS: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.html # IPSEC: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-3.html # Note that currently crypto-policies do not adjust ipsec configs, but only openssl or nss. # SSH: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-4.html # Note that the SUSE openssh is not yet reading crypto policies. # Author: Marcus Meissner 2023 # # Based on NEXT.pol # BSI TR 02102 / revision 2023.1, Table 5.1 "Empfohlene Hashfunktionen." # HMAC-SHA1 is not valid anymore # UMAC is for SSH... check TODO mac = AEAD HMAC-SHA2-256 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512 # BSI TR 02102-2 / revision 2023.1, Table 4 "Empfohlene Diffie-Hellman-Gruppen für TLS 1.2" # not listed in BSI TR, but could be included: FFDHE-6144 FFDHE-8192 group = SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096 BRAINPOOL-P512R1 BRAINPOOL-P384R1 BRAINPOOL-P256R1 # BSI TR 02102 / revision 2023.1, Table 5.1 "Empfohlene Hashfunktionen." hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 hash@DNSSec = SHA1+ # SHA1 is still prevalent in DNSSec # BSI TR 02102-2 / revision 2023.1, Table 5 "Empfohlene Signaturverfahren für TLS 1.2" and # Table 6 "Empfohlene Hashfunktionen für Signaturverfahren in TLS 1.2" # BSI TR 02102 / revision 2023.1 Section 5 "Hashfunktionen" # 224 bit SHA parts not recommended by BSI: ECDSA-SHA2-224 RSA-PSS-SHA2-224 RSA-SHA2-224 ECDSA-SHA3-224 RSA-PSS-SHA3-224 RSA-SHA3-224 sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA2-256-FIDO \ ECDSA-SHA3-384 ECDSA-SHA2-384 \ ECDSA-SHA3-512 ECDSA-SHA2-512 \ EDDSA-ED25519 EDDSA-ED25519-FIDO EDDSA-ED448 \ RSA-PSS-SHA3-256 RSA-PSS-SHA2-256 \ RSA-PSS-SHA3-384 RSA-PSS-SHA2-384 \ RSA-PSS-SHA3-512 RSA-PSS-SHA2-512 \ RSA-PSS-RSAE-SHA3-256 RSA-PSS-RSAE-SHA2-256 \ RSA-PSS-RSAE-SHA3-384 RSA-PSS-RSAE-SHA2-384 \ RSA-PSS-RSAE-SHA3-512 RSA-PSS-RSAE-SHA2-512 \ RSA-SHA3-256 RSA-SHA2-256 \ RSA-SHA3-384 RSA-SHA2-384 \ RSA-SHA3-512 RSA-SHA2-512 sign@DNSSec = RSA-SHA1+ ECDSA-SHA1+ # SHA1 is still prevalent in DNSSec # BSI TR 02102 / revision 2023.1 # Not listed in BSI TR: CHACHA20-POLY1305 CAMELLIA-256-GCM CAMELLIA-128-CBC CAMELLIA-256-CBC CAMELLIA-128-GCM cipher = AES-256-GCM AES-256-CCM AES-256-CTR AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CTR AES-128-CBC # BSI TR 02102-2 / revision 2023.1, Table 1 and Table 2 # CHACHA20-POLY1305 not listed in TR cipher@TLS = AES-256-GCM AES-256-CCM AES-256-CBC AES-128-GCM AES-128-CCM AES-128-CBC cipher@sequoia = AES-256-CFB AES-128-CFB CAMELLIA-256-CFB CAMELLIA-128-CFB cipher@RPM = AES-256-CFB AES-128-CFB CAMELLIA-256-CFB CAMELLIA-128-CFB # CBC ciphers in SSH are considered vulnerable to plaintext recovery attacks # and disabled in client OpenSSH 7.6 (2017) and server OpenSSH 6.7 (2014). cipher@SSH = -*-CBC # BSI TR 02102-2 / revision 2023.1, Table 1 and Table 2 # Note this goes to all ciphers. DHE-GSS is not valid for TLS, but used in SSH. # TLS: ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK RSA-PSK are ok, GSS is not used in TLS, will not be used for TLS key_exchange = ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK RSA-PSK ECDHE-GSS DHE-GSS # BSI TR 02102-2 / revision 2023.1, Section 3.2 "SSL/TLS Versionen" protocol@TLS = TLS1.3 TLS1.2 DTLS1.2 protocol@IKE = IKEv2 # Parameter sizes min_dh_size = 3072 min_dsa_size = 3072 # BSI TR 02102-2 / revision 2023.1: 2k still allowed until end of 2023. min_rsa_size = 2048 # GnuTLS only for now sha1_in_certs = 0 arbitrary_dh_groups = 1 ssh_certs = 1 ssh_etm = 1 # https://pagure.io/fesco/issue/2960 # "RPM must accept SHA-1 hashes and DSA keys for Fedora 38" sign@RPM = DSA-SHA1+ hash@RPM = SHA1+ min_dsa_size@RPM = 1024