How to Enable and Disable SHA1 algorithm on your system CentOS Stream 9/AlmaLinux 9/RockyLinux 9
Today we will look at how to enable or disable SHA-1 in the system-wide cryptographic policy, and why you would want it disabled in the first place. The SHA-1 hash function has an inherently weak design, and advancing cryptanalysis has made it vulnerable to collision attacks, so the DEFAULT crypto policy on CentOS Stream/RHEL 9 (and the EL9 rebuilds AlmaLinux 9 and Rocky Linux 9) no longer accepts SHA-1 in signatures. On CentOS/RHEL 8 the DEFAULT policy still permits SHA-1 signatures, which is where explicitly disabling it matters most. Nevertheless, some third-party applications, for example public signatures, still use SHA-1.
To disable the use of SHA-1 in signature algorithms on your system, apply the NO-SHA1 policy module as a subpolicy on top of DEFAULT:
DISABLE SHA-1 :
update-crypto-policies --set DEFAULT:NO-SHA1
Then reboot the system so that every service picks up the new policy (the policy is read at application start-up; restarting just sshd is enough to apply it to SSH). Verify the active policy with update-crypto-policies --show, which should print DEFAULT:NO-SHA1.
ENABLE SHA-1 :
Across the internet there are still hundreds of thousands of devices that only speak SHA-1, for example hosts running an older OS such as CentOS 6, which people keep around because it is light on resources and their old applications still run on it. When you try to SSH from such an old OS to a modern one such as EL9/CentOS Stream 9, the client fails with an error like this:
no hostkey alg
On the modern OS, the sshd log (journalctl -u sshd) records the other side of the failure. The line below is the original log line with the client's offer written out as an OpenSSH 5.3 client sends it (the four certificate-type entries in the original copy had been corrupted by e-mail address obfuscation):
Unable to negotiate with 126.96.36.199 port 43614: no matching host key type found. Their offer: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth]
** This happens because OpenSSH 8.8 and later disable the ssh-rsa host key algorithm (RSA signatures over SHA-1) by default, and on EL9 the DEFAULT crypto policy additionally removes ssh-rsa from sshd's HostKeyAlgorithms and PubkeyAcceptedAlgorithms. The RSA key itself is still fine; modern clients use it through rsa-sha2-256 or rsa-sha2-512. The OpenSSH 5.3 client on CentOS 6, however, predates those algorithms (they arrived in OpenSSH 7.2), so it can only verify an RSA host key with SHA-1, and there is no host key algorithm both sides accept.
To get the legacy client connecting you have two options: upgrade the client (the right fix), or, as a stopgap on the modern OS, for example EL9/CentOS Stream 9, re-enable SHA-1 in the system-wide policy.
Run the command below to enable SHA-1 via the SHA1 subpolicy:
update-crypto-policies --set DEFAULT:SHA1
That's it: the system-wide crypto policy now allows SHA-1 signatures, and a reboot is recommended so that every service picks it up (systemctl restart sshd applies it to SSH immediately). Keep in mind that this re-enables SHA-1 for every back-end that follows the policy (TLS, Kerberos, IPsec and so on), not only SSH, so treat it as temporary and revert with update-crypto-policies --set DEFAULT once the old hosts are gone. Confirm the result with update-crypto-policies --show and with grep ssh-rsa /etc/crypto-policies/back-ends/opensshserver.config, which only matches while SHA-1 is enabled.
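To make the check and the switch repeatable, here is an added shell helper (my own example, not code from the original post). It inspects a policy string and the sshd back-end file that update-crypto-policies generates on EL9, classifies a "no matching host key type found" log line so you know whether enabling SHA-1 would actually help that client, and wraps the enable/disable commands from the steps above. It assumes the EL9 paths /etc/crypto-policies/back-ends/opensshserver.config and the sshd.service unit; the sample config contents and the sample log lines are constructed for the demo and are shortened compared with real files.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes EL9 layout:
# update-crypto-policies writes /etc/crypto-policies/back-ends/opensshserver.config,
# which sshd Includes via /etc/ssh/sshd_config.d/50-redhat.conf.

# Does a policy string such as "DEFAULT:SHA1" contain the given subpolicy
# module? Modules are ':'-separated; the match is exact, so NO-SHA1 is
# not mistaken for SHA1.
policy_has_module() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -Fqx -- "$2"
}

# Read an sshd back-end config on stdin and report whether the SHA-1 based
# "ssh-rsa" host key algorithm is offered. Algorithms are comma-separated
# after the keyword; exact token match, so rsa-sha2-256 (RSA over SHA-2,
# fine) does not count.
ssh_rsa_host_key_state() {
    if awk '$1 == "HostKeyAlgorithms" { print $2 }' \
        | tr ',' '\n' | grep -Fqx 'ssh-rsa'; then
        echo enabled
    else
        echo disabled
    fi
}

# Given one sshd "no matching host key type found" line, decide whether the
# client can only do SHA-1 host key signatures (ssh-rsa / ssh-dss and their
# certificate variants). If it also offers a SHA-2, EdDSA or ECDSA
# algorithm, the failure lies elsewhere and enabling SHA-1 will not help.
client_needs_sha1() {
    _offer=$(printf '%s\n' "$1" | sed -n 's/.*Their offer: \([^ ]*\).*/\1/p')
    [ -n "$_offer" ] || { echo unknown; return 1; }
    if printf '%s\n' "$_offer" | tr ',' '\n' \
        | grep -Eq '^(rsa-sha2-(256|512)|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))(-cert-v01@openssh\.com)?$'; then
        echo no
    else
        echo yes
    fi
}

# Show the live state on a real EL9 host; fails quietly elsewhere.
show_live_state() {
    command -v update-crypto-policies >/dev/null 2>&1 || return 1
    echo "active policy: $(update-crypto-policies --show)"
    echo "ssh-rsa host key signatures: $(ssh_rsa_host_key_state \
        < /etc/crypto-policies/back-ends/opensshserver.config)"
}

# Switch SHA-1 on or off system-wide and restart sshd so SSH follows the new
# policy now. Other services read the policy at start-up, so a reboot is still
# the safe way to apply it everywhere. On EL9, DEFAULT alone already rejects
# SHA-1 signatures; NO-SHA1 just makes the intent explicit.
set_sha1() {
    case "$1" in
        on)  update-crypto-policies --set DEFAULT:SHA1 ;;
        off) update-crypto-policies --set DEFAULT:NO-SHA1 ;;
        *)   echo "usage: set_sha1 on|off" >&2; return 2 ;;
    esac && systemctl restart sshd
}

# Constructed samples modelled on the EL9 back-end file (algorithm lists
# shortened; the real file lists many more and also adds the
# ssh-rsa-cert-v01@openssh.com variant when SHA1 is enabled).
SAMPLE_DEFAULT='Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-256,rsa-sha2-512'

SAMPLE_SHA1='Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
HostKeyAlgorithms ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'

# Constructed log line modelled on the sshd message above (OpenSSH 5.3 offer).
SAMPLE_LOG_LEGACY='Unable to negotiate with 126.96.36.199 port 43614: no matching host key type found. Their offer: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth]'

echo "DEFAULT sample:      $(printf '%s\n' "$SAMPLE_DEFAULT" | ssh_rsa_host_key_state)"
echo "DEFAULT:SHA1 sample: $(printf '%s\n' "$SAMPLE_SHA1" | ssh_rsa_host_key_state)"
echo "legacy client needs SHA-1: $(client_needs_sha1 "$SAMPLE_LOG_LEGACY")"
show_live_state || echo "(not an EL9 host with crypto-policies; skipping live check)"
```

Run client_needs_sha1 against the real sshd log line first: if it answers "no", the client already offers a SHA-2 or EdDSA algorithm and the mismatch is something else (often a missing host key type on the server), so enabling SHA-1 system-wide would only widen the attack surface without fixing the login.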