Hardening Apache SSL/TLS on RHEL 8/CentOS 8

For this demo, you'll install Apache and mod_ssl on a CentOS 8 VM. (Unlike on Ubuntu, you have to install these as two separate packages.) Use the same scanner VM that you used in the previous lab. A new feature of RHEL 8/CentOS 8 is that you can now set system-wide crypto policies for most of your services and applications that require crypto. We'll take a quick look at it here, and again in Chapter 6, SSH Hardening:

  1. On your CentOS 8 VM, install Apache and mod_ssl and start the service:
     sudo dnf install httpd mod_ssl
     sudo systemctl enable --now httpd
  2. Open port 443 on the firewall:
     sudo firewall-cmd --permanent --add-service=https
     sudo firewall-cmd --reload
  3. From the scanner VM, scan the Apache VM:
     sslscan 192.168.0.160

You'll already see one big improvement. By default, nothing older than TLSv1.2 is supported. But you'll also see a problem. RHEL 8 and CentOS 8 both support the new TLSv1.3, but you don't see anything about it in these scan results. That's because sslscan hasn't yet been updated to recognize TLSv1.3. That's okay; we'll address that in just a moment. (And besides, sslscan is still useful for showing the older algorithms that you might want to disable.)

  4. Next, on the Apache VM, view the status of the system-wide crypto configuration:
     sudo update-crypto-policies --show

You should see DEFAULT as the output. With DEFAULT, you get TLSv1.2 as the minimum protocol version along with the goodness of TLSv1.3. But you'll also see some TLSv1.2 algorithms that we can do without.

  5. On the VM with Apache, set the system-wide crypto policy to FIPS:
     sudo fips-mode-setup --enable

The Federal Information Processing Standard (FIPS) is a U.S. government standard that mandates minimum requirements for crypto algorithms and for monitoring. If you want to do business with the U.S. government, your servers will likely need to meet the FIPS requirements. With RHEL 8/CentOS 8, all that takes is just this one command.

  6. Reboot the Apache VM so that FIPS mode takes effect. Then, run these two commands to verify that FIPS mode is in effect:
     sudo fips-mode-setup --check
     sudo update-crypto-policies --show
  7. Repeat step 3. This time, you'll see a smaller list of supported algorithms.
  8. As I mentioned before, sslscan won't yet recognize TLSv1.3. But you can use OpenSSL to verify that TLSv1.3 does indeed work on our RHEL 8/CentOS 8 servers. Just run this command against the Apache server VM:
     echo | openssl s_client -connect 192.168.0.160:443

Without the echo | part, this command would create a persistent connection to the server. We don't want that, and the echo | part prevents it. This command won't show you the entire list of algorithms that the server supports. Instead, it will show you just the algorithm that it used to create the connection. Somewhere toward the bottom, you'll see that you connected to your CentOS 8 VM via TLSv1.3. (If you perform the same command against your Ubuntu 18.04 VM, you'll see that it's only using TLSv1.2.)

  9. Repeat step 8 with some public websites to see what algorithms they're using. Here are some suggestions:
     echo | openssl s_client -connect google.com:443
     echo | openssl s_client -connect allcoins.pw:443
  10. End of lab.
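The openssl s_client check in steps 8 and 9 reads fine on screen, but once you have several servers under a crypto policy you'll want it scripted. The following shell helpers are an added example (not from the book): they parse the "New, <version>, Cipher is <cipher>" line that OpenSSL 1.1.x prints after the handshake (an assumption about the output format), compare the negotiated version against a minimum, and can also confirm that a version the policy should block is really refused. The sample outputs are constructed for offline testing; the lab VM address is the one from the lab.

```shell
#!/bin/sh
# Added example: verify the negotiated TLS version from "echo | openssl s_client".
# Assumes OpenSSL 1.1.x output, where a successful handshake prints a line like
# "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384" and a refused one prints
# "New, (NONE), Cipher is (NONE)".

# Print the negotiated protocol from s_client output read on stdin, or print
# nothing if no session was established.
negotiated_protocol() {
    sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1|\2/p' | head -n 1 |
        awk -F'|' '$1 != "(NONE)" && $2 != "(NONE)" { print $1 }'
}

# Map a TLS version name to a number so versions can be compared; unknown -> -1.
tls_rank() {
    case "$1" in
        TLSv1.3) echo 3 ;; TLSv1.2) echo 2 ;; TLSv1.1) echo 1 ;; TLSv1) echo 0 ;;
        *) echo -1 ;;
    esac
}

# Succeed only if $1 (a negotiated version) is at least $2 (default TLSv1.2).
# An empty $1 (handshake refused) never meets the minimum.
protocol_meets_minimum() {
    [ "$(tls_rank "$1")" -ge 0 ] &&
        [ "$(tls_rank "$1")" -ge "$(tls_rank "${2:-TLSv1.2}")" ]
}

# Probe host:port. Extra arguments (for example -tls1_1) are passed straight to
# s_client, so you can check that a version the policy disables is refused.
probe_tls() {
    target="$1"; shift
    echo | openssl s_client -connect "$target" "$@" 2>/dev/null | negotiated_protocol
}

# Constructed (trimmed) sample outputs for the two cases, used to test parsing
# without a network connection.
SAMPLE_TLS13='---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit'
SAMPLE_REFUSED='---
no peer certificate available
New, (NONE), Cipher is (NONE)'

# Usage against the lab's Apache VM (adjust the address to your own):
#   proto=$(probe_tls 192.168.0.160:443)
#   protocol_meets_minimum "$proto" && echo "ok: $proto" || echo "weak or none: $proto"
#   [ -z "$(probe_tls 192.168.0.160:443 -tls1_1)" ] && echo "TLSv1.1 refused as expected"
```

Run the usage lines before and after switching the crypto policy: the FIPS-mode server should still negotiate TLSv1.3 with the default probe, and the forced TLSv1.1 probe should come back empty.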

There are two other crypto policy modes besides the two that I've shown here. LEGACY mode enables some really old algorithms that we don't want to use unless it's absolutely necessary to support older clients. But, as I keep saying, anyone who's using a client that's that old needs to upgrade. There's also the FUTURE mode, which both disables weak algorithms and uses longer keys that are more resistant to cracking attempts by the more powerful hardware of the future. If you need to run FUTURE mode instead of FIPS mode, just replace steps 5 and 6 of the preceding lab with this:

sudo update-crypto-policies --set FUTURE

(Note that you'll set either FIPS mode or FUTURE mode. You won't have both set at the same time. FIPS mode does more than just disable weak algorithms, which is why the command for setting it is different.)
