Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly set up the cryptographic options for their systems. Users that must meet certain cryptographic standards can make the policy change in /etc/crypto-policies/config, and run update-crypto-policies. At this point, applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.
The available options are: (1) LEGACY, which ensures compatibility with legacy systems - 64-bit security, (2) DEFAULT, a reasonable default for today's standards - 80-bit security, and (3) FUTURE, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.
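The policy change described above, written as a guarded shell procedure. This is an added example, not part of the Fedora tooling or the original text. The CONFIG and APPLY_CMD overrides, the minimum-bits check, the .bak backup file and the handling of '#' comments in the config file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: switch the system-wide crypto policy as the text describes.
# CONFIG and APPLY_CMD can be overridden so the functions can be exercised
# against a scratch file (assumption for illustration).
CONFIG="${CONFIG:-/etc/crypto-policies/config}"
APPLY_CMD="${APPLY_CMD:-update-crypto-policies}"

# Security level in bits for each policy level named in the text.
policy_bits() {
    case "$1" in
        LEGACY)  echo 64 ;;
        DEFAULT) echo 80 ;;
        FUTURE)  echo 128 ;;
        *)       return 1 ;;
    esac
}

# Print the policy currently written in the config file.
# Assumption: blank lines and '#' comments may precede the policy name.
current_policy() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$CONFIG" | head -n 1
}

# set_policy NAME [MIN_BITS]
# Refuses unknown names and any level weaker than MIN_BITS, keeps a backup
# in "$CONFIG.bak" (assumed name), writes the config, then applies it.
set_policy() {
    new="$1"; min="${2:-0}"
    bits=$(policy_bits "$new") || { echo "unknown policy: $new" >&2; return 2; }
    [ "$bits" -ge "$min" ] || {
        echo "$new ($bits-bit) is below the required $min-bit level" >&2; return 3; }
    [ -f "$CONFIG" ] && cp -p "$CONFIG" "$CONFIG.bak"
    printf '%s\n' "$new" > "$CONFIG" || return 4
    $APPLY_CMD || {
        echo "$APPLY_CMD failed; restoring previous config" >&2
        [ -f "$CONFIG.bak" ] && cp -p "$CONFIG.bak" "$CONFIG"
        return 5; }
    echo "policy now $(current_policy) ($bits-bit)"
}
```

Run as root after sourcing the file, for example `set_policy FUTURE 128`; a host that must stay at 80-bit security or better can pass 80 as the second argument so an accidental switch to LEGACY is rejected.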