Enable and Disable SHA1 algorithm on your system CentOS Stream 9/AlmaLinux 9/RockyLinux 9

[Sandeep B.]

Today we’ll learn How to enable or Disable SHA1 system-wide cryptographic policy and why we’re disabling SHA-1? because SHA-1 hash function has an inherently weak design, and advancing cryptanalysis has made it vulnerable to attacks, Centos/RHEL 8 and Centos/RHEL 9 does not use SHA-1 by default. Nevertheless, some third-party applications, for example, public signatures, still use SHA-1.

To disable the use of SHA-1 in signature algorithms on your system, you can use the NO-SHA1 policy module.

DISABLE SHA-1 :

update-crypto-policies --set DEFAULT:NO-SHA1

And reboot the system to apply it systemwide.

ENABLE SHA-1 :
In the internet there are thousands or lakhs of devices still uses SHA-1 Algorithm Like older OS for example Centos 6 peoples are still using it due to very light in resources and there old applications are still running there. From This old OS if you’re trying to connect to a modern OS like EL9/centos 9 for example with SSH you’ll get error like below :

no hostkey alg

If you check the error massage in modern OS it will show like below :

Quote

Unable to negotiate with 1.1.1.1 port 43614: no matching host key type found. Their offer: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth]
** this is happening because the latest version of openssh has dropped the support for SHA1.

To fix this you need to enable SHA-1 algorithm in your modern OS for example in EL9/Centos 9 :

Run the below command to enable SHA-1

update-crypto-policies --set DEFAULT:SHA1

That’s it you’ve enabled System-wide crypto policy to enable SHA1 a system reboot will also recommended after enabling SHA1