CentOS 8: FUTURE Security Policy AES256-CBC

Solution 1:

After some hours of work, I solved it.

You need to create a customized policy module inside the directory /etc/crypto-policies/policies/modules/, setting the rules that disable the CBC ciphers.

Example

vim /etc/crypto-policies/policies/modules/NO-CBC.pmod

In this file, you should put all the ciphers you want to disable, like this:

tls_cipher = -AES-256-CBC -AES-128-CBC
cipher = -AES-128-CBC -AES-256-CBC -CAMELLIA-256-CBC -CAMELLIA-128-CBC
ssh_cipher = -AES-128-CBC -AES-256-CBC

After saving that, you need to load the policy with the modification you created. In my case, I'm using the "FUTURE" policy. You can choose any policy, but don't forget to set up the modifier, like this:

update-crypto-policies --set FUTURE:NO-CBC

Now, just restart the sshd service, and CBC will be disabled.

systemctl restart sshd

Solution 2:

Add the line below to /etc/sysconfig/sshd

CRYPTO_POLICY='[email protected],[email protected],aes256-ctr [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected] -oPubkeyAcceptedKeyTypes=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected] -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519'

and then

systemctl restart sshd
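Both answers leave the same open question: after the policy is applied, is CBC actually gone from what sshd offers? The script below is an added example, not code from either answerer. It writes the NO-CBC module from Solution 1, applies it on top of FUTURE when update-crypto-policies is available, and then checks the generated OpenSSH server back-end file for any remaining CBC cipher. The same check works on the CRYPTO_POLICY line from Solution 2, because both are -oCiphers= option strings. Assumptions: the CentOS 8 default paths (/etc/crypto-policies/policies/modules and /etc/crypto-policies/back-ends/opensshserver.config, both overridable through environment variables), the back-end file using the -oCiphers= form, and the helper names, which are mine.

```shell
#!/bin/sh
# Added example: apply the NO-CBC module on top of FUTURE and verify that
# no CBC cipher survives in the OpenSSH server back-end configuration.
# Paths are CentOS 8 defaults (assumed); override via environment if needed.

MODULE_DIR="${MODULE_DIR:-/etc/crypto-policies/policies/modules}"
BACKEND_CONF="${BACKEND_CONF:-/etc/crypto-policies/back-ends/opensshserver.config}"

# Write NO-CBC.pmod into the directory given as $1, with the same three
# directives Solution 1 uses.
write_no_cbc_module() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/NO-CBC.pmod" <<'EOF'
tls_cipher = -AES-256-CBC -AES-128-CBC
cipher = -AES-128-CBC -AES-256-CBC -CAMELLIA-256-CBC -CAMELLIA-128-CBC
ssh_cipher = -AES-128-CBC -AES-256-CBC
EOF
}

# Print, one per line and sorted, every CBC cipher still listed in the file
# given as $1. Handles both the "-oCiphers=..." option string that
# crypto-policies (and /etc/sysconfig/sshd) use and a plain sshd_config
# "Ciphers ..." directive. Quotes around the value are stripped first.
list_cbc_ciphers() {
    file="$1"
    sed -n 's/.*-oCiphers=\([^ ]*\).*/\1/p; s/^[[:space:]]*Ciphers[[:space:]]\{1,\}\([^ ]*\).*/\1/p' "$file" \
        | tr -d "'\"" \
        | tr ',' '\n' \
        | grep -i 'cbc' \
        | sort -u
}

# Succeed (exit 0) only when list_cbc_ciphers finds nothing.
cbc_disabled() {
    [ -z "$(list_cbc_ciphers "$1")" ]
}

# Full procedure: write the module, apply FUTURE:NO-CBC, restart sshd,
# then verify the resulting back-end file.
apply_and_verify() {
    write_no_cbc_module "$MODULE_DIR" || return 1
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --set FUTURE:NO-CBC || return 1
        systemctl restart sshd || return 1
    else
        echo "update-crypto-policies not found; module written, policy not applied" >&2
    fi
    if cbc_disabled "$BACKEND_CONF"; then
        echo "OK: no CBC ciphers offered in $BACKEND_CONF"
    else
        echo "WARNING: CBC ciphers still offered in $BACKEND_CONF:" >&2
        list_cbc_ciphers "$BACKEND_CONF" >&2
        return 1
    fi
}

# Only run the real procedure when explicitly asked (needs root on a host):
#   sh no-cbc-check.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_and_verify
fi
```

To audit a host without changing it, point the checker at the live files directly: `list_cbc_ciphers /etc/crypto-policies/back-ends/opensshserver.config` or `list_cbc_ciphers /etc/sysconfig/sshd`. An empty result means no CBC cipher is in the option string; remember that sshd only picks this up after the restart both answers end with.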