Bug 1071883
| Summary: | mod_ssl ephemeral DH key handling fixes | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Tomas Mraz <tmraz> |
| Component: | httpd | Assignee: | Luboš Uhliarik <luhliari> |
| Status: | CLOSED ERRATA | QA Contact: | Ondřej Pták <optak> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.5 | CC: | arubin, erich, hkario, jkaluza, jorton, optak, redhat-bugzilla, tmraz |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | httpd-2.2.15-32.el6 | Doc Type: | Bug Fix |
| Doc Text: | Cause: The mod_ssl module only supported ephemeral DH keys of 512 and 1024 bit lengths. Consequence: Due to this limitation, SSL ciphersuites using ephemeral DH keys could not be used when mod_ssl was running in FIPS mode. Fix: mod_ssl will now use ephemeral DH keys with lengths up to 8192 bits. Result: mod_ssl can now correctly operate under FIPS mode. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-10-14 08:08:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1057687 | | |
Description
Tomas Mraz
2014-03-03 11:59:12 UTC
*** Bug 1057656 has been marked as a duplicate of this bug. ***

```text
==================================
httpd-2.2.15-30.el6_5 in FIPS mode
==================================

/CoreOS/httpd/Sanity/mod_ssl-smoke
----------------------------------
:: [ FAIL ] :: File 'reinstall_log' should not contain 'scriptlet failure'
:: [ ERROR ] :: rlServiceStart: Starting service httpd failed
:: [ ERROR ] :: Status of the failed service:
:: [ LOG ] :: httpd is stopped
:: [ FAIL ] :: Command 'rlServiceStart httpd' (Expected 0, got 1)

/CoreOS/httpd/Regression/bz1057687-Custom-big-DH-parameters-not-supported
-------------------------------------------------------------------------
:: [ INFO ] :: Testing 2048 bit RSA keys with 2048 DHE keys
:: [ PASS ] :: Command 'rm -f /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt' (Expected 0, got 0)
:: [ PASS ] :: Command 'openssl req -x509 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt -subj /CN=localhost -nodes -batch' (Expected 0, got 0)
:: [ LOG ] :: rlServiceStart: Service httpd started successfully
:: [ PASS ] :: Command 'rlServiceStart httpd' (Expected 0, got 0)
:: [ PASS ] :: Command 'sleep 5' (Expected 0, got 0)
:: [ PASS ] :: Command 'openssl s_client -CAfile /etc/pki/tls/certs/localhost.crt -cipher 'ALL:!ECDH' -connect localhost:443 < request.txt' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.Xzff7c5rfq' should contain 'Server Temp Key'
:: [ PASS ] :: File '/var/tmp/tmp.Xzff7c5rfq' should contain 'Cipher is DHE-RSA'
:: [ FAIL ] :: File '/var/tmp/tmp.Xzff7c5rfq' should contain 'Server Temp Key: DH, 2048 bits'
:: [ PASS ] :: File '/var/tmp/tmp.Xzff7c5rfq' should contain 'Server public key is 2048 bit'
:: [ PASS ] :: File '/var/tmp/tmp.Xzff7c5rfq' should contain 'Verify return code: 0'
:: [ PASS ] :: File '/var/tmp/tmp.Xzff7c5rfq' should not contain ':error:'
:: [ PASS ] :: File '/var/tmp/tmp.Xzff7c5rfq' should not contain ':fail'
:: [ PASS ] :: Command 'rlServiceStop httpd' (Expected 0, got 0)
:: [ PASS ] :: Command 'sleep 5' (Expected 0, got 0)
:: [ INFO ] :: Testing 3072 bit RSA keys with 3072 DHE keys
:: [ PASS ] :: Command 'rm -f /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt' (Expected 0, got 0)
:: [ PASS ] :: Command 'openssl req -x509 -newkey rsa:3072 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt -subj /CN=localhost -nodes -batch' (Expected 0, got 0)
:: [ LOG ] :: rlServiceStart: Service httpd started successfully
:: [ PASS ] :: Command 'rlServiceStart httpd' (Expected 0, got 0)
:: [ PASS ] :: Command 'sleep 5' (Expected 0, got 0)
:: [ PASS ] :: Command 'openssl s_client -CAfile /etc/pki/tls/certs/localhost.crt -cipher 'ALL:!ECDH' -connect localhost:443 < request.txt' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.8BocBUU4BE' should contain 'Server Temp Key'
:: [ PASS ] :: File '/var/tmp/tmp.8BocBUU4BE' should contain 'Cipher is DHE-RSA'
:: [ FAIL ] :: File '/var/tmp/tmp.8BocBUU4BE' should contain 'Server Temp Key: DH, 3072 bits'
:: [ PASS ] :: File '/var/tmp/tmp.8BocBUU4BE' should contain 'Server public key is 3072 bit'
:: [ PASS ] :: File '/var/tmp/tmp.8BocBUU4BE' should contain 'Verify return code: 0'
:: [ PASS ] :: File '/var/tmp/tmp.8BocBUU4BE' should not contain ':error:'
:: [ PASS ] :: File '/var/tmp/tmp.8BocBUU4BE' should not contain ':fail'

================================
httpd-2.2.15-39.el6 in FIPS mode
================================

/CoreOS/httpd/Sanity/mod_ssl-smoke
----------------------------------
:: [ PASS ] :: Command 'yum reinstall -y mod_ssl 2>&1 | tee reinstall_log' (Expected 0, got 0)
:: [ PASS ] :: File 'reinstall_log' should not contain 'scriptlet failure'
:: [ LOG ] :: rlServiceStart: Service httpd started successfully
:: [ PASS ] :: Command 'rlServiceStart httpd' (Expected 0, got 0)

/CoreOS/httpd/Regression/bz1057687-Custom-big-DH-parameters-not-supported
-------------------------------------------------------------------------
:: [ INFO ] :: Testing 2048 bit RSA keys with 2048 DHE keys
:: [ PASS ] :: Command 'rm -f /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt' (Expected 0, got 0)
:: [ PASS ] :: Command 'openssl req -x509 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt -subj /CN=localhost -nodes -batch' (Expected 0, got 0)
:: [ LOG ] :: rlServiceStart: Service httpd started successfully
:: [ PASS ] :: Command 'rlServiceStart httpd' (Expected 0, got 0)
:: [ PASS ] :: Command 'sleep 5' (Expected 0, got 0)
:: [ PASS ] :: Command 'openssl s_client -CAfile /etc/pki/tls/certs/localhost.crt -cipher 'ALL:!ECDH' -connect localhost:443 < request.txt' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.rJjLkGltp8' should contain 'Server Temp Key'
:: [ PASS ] :: File '/var/tmp/tmp.rJjLkGltp8' should contain 'Cipher is DHE-RSA'
:: [ PASS ] :: File '/var/tmp/tmp.rJjLkGltp8' should contain 'Server Temp Key: DH, 2048 bits'
:: [ PASS ] :: File '/var/tmp/tmp.rJjLkGltp8' should contain 'Server public key is 2048 bit'
:: [ PASS ] :: File '/var/tmp/tmp.rJjLkGltp8' should contain 'Verify return code: 0'
:: [ PASS ] :: File '/var/tmp/tmp.rJjLkGltp8' should not contain ':error:'
:: [ PASS ] :: File '/var/tmp/tmp.rJjLkGltp8' should not contain ':fail'
:: [ PASS ] :: Command 'rlServiceStop httpd' (Expected 0, got 0)
:: [ PASS ] :: Command 'sleep 5' (Expected 0, got 0)
:: [ INFO ] :: Testing 3072 bit RSA keys with 3072 DHE keys
:: [ PASS ] :: Command 'rm -f /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt' (Expected 0, got 0)
:: [ PASS ] :: Command 'openssl req -x509 -newkey rsa:3072 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt -subj /CN=localhost -nodes -batch' (Expected 0, got 0)
:: [ LOG ] :: rlServiceStart: Service httpd started successfully
:: [ PASS ] :: Command 'rlServiceStart httpd' (Expected 0, got 0)
:: [ PASS ] :: Command 'sleep 5' (Expected 0, got 0)
:: [ PASS ] :: Command 'openssl s_client -CAfile /etc/pki/tls/certs/localhost.crt -cipher 'ALL:!ECDH' -connect localhost:443 < request.txt' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.rUJYdal1yQ' should contain 'Server Temp Key'
:: [ PASS ] :: File '/var/tmp/tmp.rUJYdal1yQ' should contain 'Cipher is DHE-RSA'
:: [ PASS ] :: File '/var/tmp/tmp.rUJYdal1yQ' should contain 'Server Temp Key: DH, 3072 bits'
:: [ PASS ] :: File '/var/tmp/tmp.rUJYdal1yQ' should contain 'Server public key is 3072 bit'
:: [ PASS ] :: File '/var/tmp/tmp.rUJYdal1yQ' should contain 'Verify return code: 0'
:: [ PASS ] :: File '/var/tmp/tmp.rUJYdal1yQ' should not contain ':error:'
:: [ PASS ] :: File '/var/tmp/tmp.rUJYdal1yQ' should not contain ':fail'

==================================
httpd-2.2.15-30.el6_5 without FIPS
==================================

/CoreOS/httpd/Regression/bz1057687-Custom-big-DH-parameters-not-supported
-------------------------------------------------------------------------
[just failing parts from log]
:: [ FAIL ] :: File '/var/tmp/tmp.4BMfh4KgxD' should contain 'Server Temp Key: DH, 2048 bits'
:: [ FAIL ] :: File '/var/tmp/tmp.RP6IEPDasl' should contain 'Server Temp Key: DH, 2500 bits'
:: [ FAIL ] :: File '/var/tmp/tmp.fvUEng9rMj' should contain 'Server Temp Key: DH, 3072 bits'
:: [ FAIL ] :: File '/var/tmp/tmp.iAm6jAUqgF' should contain 'Server Temp Key: DH, 4096 bits'
:: [ FAIL ] :: File '/var/tmp/tmp.eZS2pT4SwN' should contain 'Server Temp Key: DH, 5000 bits'
:: [ FAIL ] :: File '/var/tmp/tmp.aY14YFVjdP' should contain 'Server Temp Key: DH, 6144 bits'
:: [ FAIL ] :: File '/var/tmp/tmp.zu4f7iI1mE' should contain 'Server Temp Key: DH, 8192 bits'

================================
httpd-2.2.15-39.el6 without FIPS
================================

/CoreOS/httpd/Regression/bz1057687-Custom-big-DH-parameters-not-supported
-------------------------------------------------------------------------
:: [ INFO ] :: Testing 2048 bit RSA keys with 2048 DHE keys
:: [ PASS ] :: Command 'rm -f /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt' (Expected 0, got 0)
:: [ PASS ] :: Command 'openssl req -x509 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt -subj /CN=localhost -nodes -batch' (Expected 0, got 0)
:: [ LOG ] :: rlServiceStart: Service httpd started successfully
:: [ PASS ] :: Command 'rlServiceStart httpd' (Expected 0, got 0)
:: [ PASS ] :: Command 'sleep 5' (Expected 0, got 0)
:: [ PASS ] :: Command 'openssl s_client -CAfile /etc/pki/tls/certs/localhost.crt -cipher 'ALL:!ECDH' -connect localhost:443 < request.txt' (Expected 0, got 0)
:: [ PASS ] :: File '/var/tmp/tmp.baqPvW9Op3' should contain 'Server Temp Key'
:: [ PASS ] :: File '/var/tmp/tmp.baqPvW9Op3' should contain 'Cipher is DHE-RSA'
:: [ PASS ] :: File '/var/tmp/tmp.baqPvW9Op3' should contain 'Server Temp Key: DH, 2048 bits'
:: [ PASS ] :: File '/var/tmp/tmp.baqPvW9Op3' should contain 'Server public key is 2048 bit'
:: [ PASS ] :: File '/var/tmp/tmp.baqPvW9Op3' should contain 'Verify return code: 0'
:: [ PASS ] :: File '/var/tmp/tmp.baqPvW9Op3' should not contain ':error:'
:: [ PASS ] :: File '/var/tmp/tmp.baqPvW9Op3' should not contain ':fail'
:: [ PASS ] :: Command 'rlServiceStop httpd' (Expected 0, got 0)
:: [ PASS ] :: Command 'sleep 5' (Expected 0, got 0)

[ and similar PASS results with these keys settings ]:
:: [ INFO ] :: Testing 2048 bit RSA keys with 1024 DHE keys
:: [ INFO ] :: Testing 2500 bit RSA keys with 2500 DHE keys
:: [ INFO ] :: Testing 3072 bit RSA keys with 3072 DHE keys
:: [ INFO ] :: Testing 4096 bit RSA keys with 4096 DHE keys
:: [ INFO ] :: Testing 5000 bit RSA keys with 5000 DHE keys
:: [ INFO ] :: Testing 6144 bit RSA keys with 6144 DHE keys
:: [ INFO ] :: Testing 8192 bit RSA keys with 8192 DHE keys
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1386.html
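The regression test above checks the fix by pairing an N-bit RSA certificate with an N-bit ephemeral DH key and then grepping the `openssl s_client` output for the `Server Temp Key: DH, N bits` line. The script below is an added example, not part of the bug report or of the httpd test suite: it turns that grep into a reusable check that extracts the negotiated DH size and the server key size from saved `s_client` output and fails when the ephemeral key is weaker than a required minimum (by default, the size of the server's own RSA key, which is the pairing the test log uses). The two `s_client` transcripts it checks are constructed here to mirror the pre-fix (1024-bit DH with a 2048-bit RSA key) and post-fix (2048-bit DH) behaviour; only the `Server Temp Key`, `Cipher is`, and `Server public key is` lines are taken from the page, the rest of the transcript is illustrative.

```shell
#!/bin/sh
# Added example (not from the bug report): verify the ephemeral DH size that a
# server negotiated, from saved `openssl s_client` output.
#
# To use it against a live server, capture the output the same way the
# regression test does, then run the check on the file:
#   openssl s_client -CAfile /etc/pki/tls/certs/localhost.crt \
#       -cipher 'ALL:!ECDH' -connect localhost:443 </dev/null >out.txt 2>&1
#   check_dh_strength out.txt 2048

# dh_temp_key_bits FILE: print the ephemeral DH size from s_client output
# (the "Server Temp Key: DH, N bits" line); prints nothing if absent.
dh_temp_key_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p' "$1"
}

# server_public_key_bits FILE: print the size of the server certificate key
# (the "Server public key is N bit" line); prints nothing if absent.
server_public_key_bits() {
    sed -n 's/^Server public key is \([0-9][0-9]*\) bit$/\1/p' "$1"
}

# check_dh_strength FILE [MIN_BITS]: exit 0 if a DHE suite was negotiated and
# the ephemeral DH key has at least MIN_BITS (default: the server key size,
# so the DH group is never the weakest link); exit 1 otherwise.
check_dh_strength() {
    file=$1
    min=${2:-$(server_public_key_bits "$file")}
    grep -q 'Cipher is DHE-' "$file" || { echo "$file: no DHE suite negotiated"; return 1; }
    bits=$(dh_temp_key_bits "$file")
    [ -n "$bits" ] || { echo "$file: no 'Server Temp Key' line"; return 1; }
    [ -n "$min" ] || { echo "$file: no minimum and no server key size"; return 1; }
    if [ "$bits" -lt "$min" ]; then
        echo "$file: DH temp key is $bits bits, below required $min"
        return 1
    fi
    echo "$file: DH temp key is $bits bits (>= $min)"
    return 0
}

# Constructed s_client transcripts (abbreviated), not captured from a server.
OLD_OUT=$(mktemp)   # behaviour before the fix: DH capped at 1024 bits
NEW_OUT=$(mktemp)   # behaviour after the fix: DH matches the 2048-bit key
trap 'rm -f "$OLD_OUT" "$NEW_OUT"' EXIT

cat >"$OLD_OUT" <<'EOF'
CONNECTED(00000003)
depth=0 CN = localhost
verify return:1
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
    Verify return code: 0 (ok)
---
EOF

sed 's/^Server Temp Key: DH, 1024 bits$/Server Temp Key: DH, 2048 bits/' "$OLD_OUT" >"$NEW_OUT"

for f in "$OLD_OUT" "$NEW_OUT"; do
    if check_dh_strength "$f"; then echo "OK: $f"; else echo "WEAK: $f"; fi
done
```

The default minimum of "at least as large as the server key" is what the page's test encodes (2048 RSA with 2048 DHE, 3072 with 3072, and so on); pass an explicit second argument when a fixed policy floor is wanted instead.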