Bug 1109119

Summary: Use the system crypto policy unless otherwise specified
Product: [Fedora] Fedora
Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: httpd
Assignee: Jan Kaluža <jkaluza>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rawhide
CC: jkaluza, jorton, pahan, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: httpd-2.4.10-6.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-11 10:06:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1076390    

Description Nikos Mavrogiannopoulos 2014-06-13 09:39:02 UTC
Please convert to use the system's crypto policy for SSL and TLS:
https://fedoraproject.org/wiki/Changes/CryptoPolicy#Scope

If this program is compiled against gnutls, change the default priority string to be "@SYSTEM" or to use gnutls_set_default_priority().

If this program is compiled against openssl, and there is no default cipher list specified, you don't need to modify it. Otherwise replace the default cipher list with "PROFILE=SYSTEM".

If this program obtains its cipher list (or priority) using a configuration file, please update the shipped configuration files with the appropriate string that sets the system policy.

In all cases verify (as described in the URL above) that the application uses the system's crypto profiles.

Please contact me for any questions.

Comment 2 Joe Orton 2014-06-20 15:41:53 UTC
Further investigation: this has not quite achieved what was expected.  Without SSLCipherSuite configured, mod_ssl still configures a cipher suite, but will use:

   "!EXP:" + SSL_DEFAULT_CIPHER_LIST (OpenSSL macro)

by default.  This is not exactly what is specified here.  What is the preferred behaviour: that mod_ssl really does not call SSL_CTX_set_cipher_list() at all by default?

Comment 3 Nikos Mavrogiannopoulos 2014-06-21 06:35:30 UTC
My personal preference would be to use "PROFILE=SYSTEM" as the cipher list. That way it would be explicit to the administrator that the system-wide settings are being applied. The default behavior when SSL_CTX_set_cipher_list() isn't called is mostly for unattended programs that offer no configuration file.

Comment 4 Fedora Admin XMLRPC Client 2014-06-30 09:53:26 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 5 Nikos Mavrogiannopoulos 2014-08-08 13:23:36 UTC
Any update on this issue?

Comment 6 Joe Orton 2014-08-20 12:58:53 UTC
The choices for what is passed to SSL_CTX_set_cipher_list() in mod_ssl are:

1) If we configure "SSLCipherSuite PROFILE=SYSTEM" by default, we'll actually get

     "!aNULL:!eNULL:!EXP:PROFILE=SYSTEM"

2) We configure no SSLCipherSuite by default.  We'll actually get: 

     "!EXP:" + SSL_DEFAULT_CIPHER_LIST

If (1) is OK I'll go with that.

Further alternatives:

a) We patch mod_ssl to recognize "PROFILE=" as special and not prepend !aNULL etc. in that case, and then do (1).

Preference?

Comment 7 Nikos Mavrogiannopoulos 2014-08-20 14:52:15 UTC
(In reply to Joe Orton from comment #6)
> The choices for what is passed to SSL_CTX_set_cipher_list() in mod_ssl are:
> 
> 1) If we configure "SSLCipherSuite PROFILE=SYSTEM" by default, we'll
> actually get
> 
>      "!aNULL:!eNULL:!EXP:PROFILE=SYSTEM"
> 
> 2) We configure no SSLCipherSuite by default.  We'll actually get: 
> 
>      "!EXP:" + SSL_DEFAULT_CIPHER_LIST
> 
> If (1) is OK I'll go with that.
> 
> Further alternatives:
> 
> a) We patch mod_ssl to recognize "PROFILE=" as special and not prepend !aNULL
> etc. in that case, and then do (1).
> 
> Preference?

I believe (1) wouldn't work with the current parser code, so neither seems a good option. I think (a), or at least an option that does not set anything, would be best.

(added Tomas in case I missed something)

Comment 8 Tomas Mraz 2014-08-21 09:22:12 UTC
Yes, unfortunately the current parser won't work when you prepend anything to the PROFILE=SYSTEM. You can only append to it.
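The two effective cipher strings from comment 6, and the check from the original request that the application really ends up on the system profile, as an added example (not code from the bug or from the httpd package). It assumes the OpenSSL 1.1.0+ value of SSL_DEFAULT_CIPHER_LIST and probes the local OpenSSL through Python's ssl module; on a build without the Fedora/RHEL policy patch, "PROFILE=SYSTEM" is simply rejected, which is exactly what the verification step should catch.

```python
import ssl
from typing import List, Optional, Tuple

# Assumption: SSL_DEFAULT_CIPHER_LIST as defined in OpenSSL 1.1.0 and later
# (older releases used a different string). Stand-in for the macro mod_ssl
# compiles in when no SSLCipherSuite is configured.
SSL_DEFAULT_CIPHER_LIST = "ALL:!COMPLEMENTOFDEFAULT:!eNULL"

# Prefix mod_ssl prepends to a configured SSLCipherSuite value (comment 6).
MODSSL_PREFIX = "!aNULL:!eNULL:!EXP:"


def effective_cipher_string(ssl_cipher_suite: Optional[str]) -> str:
    """Return the string mod_ssl actually passes to SSL_CTX_set_cipher_list()
    for a given SSLCipherSuite value (None = directive not configured),
    following the two cases in comment 6."""
    if ssl_cipher_suite is None:
        return "!EXP:" + SSL_DEFAULT_CIPHER_LIST
    return MODSSL_PREFIX + ssl_cipher_suite


def probe_cipher_string(cipher_string: str) -> Tuple[bool, List[str]]:
    """Ask the local OpenSSL (via Python's ssl module) whether it accepts the
    string; returns (accepted, names of the ciphers it resolves to). A string
    resolving to no cipher, e.g. PROFILE=SYSTEM on an OpenSSL without the
    system-policy patch, is reported as not accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False, []
    return True, [c["name"] for c in ctx.get_ciphers()]


def system_policy_available() -> bool:
    """True only when the local OpenSSL understands the PROFILE=SYSTEM hook."""
    return probe_cipher_string("PROFILE=SYSTEM")[0]


if __name__ == "__main__":
    for setting in (None, "PROFILE=SYSTEM"):
        s = effective_cipher_string(setting)
        ok, names = probe_cipher_string(s)
        verdict = "accepted, %d ciphers" % len(names) if ok else "rejected"
        print("SSLCipherSuite=%r -> %r: %s" % (setting, s, verdict))
    print("bare PROFILE=SYSTEM accepted:", system_policy_available())
```

Only the bare "PROFILE=SYSTEM" result tells you whether the policy hook exists; the prepended form from case (1) is rejected even on a patched OpenSSL, as comment 8 describes.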

Comment 10 Nikos Mavrogiannopoulos 2014-09-10 14:11:18 UTC
Joe, there seems to be an issue in your patch. There you set in the configuration file "PROFILE=DEFAULT". The name is "PROFILE=SYSTEM".

Comment 11 Joe Orton 2014-09-10 14:44:07 UTC
Thanks Nikos - yes we worked that out too after some headscratching :)

It is fixed in the current f21 package:

http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=793563ad40c65d89906e61a3f83ded4dcb7996f8

Comment 12 Nikos Mavrogiannopoulos 2014-09-11 10:06:25 UTC
Thanks