Bug 1153054
| Summary: | Pulp's bindings only do SSLv3 | | |
|---|---|---|---|
| Product: | [Retired] Pulp | Reporter: | Randy Barlow <rbarlow> |
| Component: | API/integration | Assignee: | Randy Barlow <rbarlow> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | pulp-qe-list |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 2.4.0 | CC: | jortel, pthomas, thoger, tjay |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | 2.4.3 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1153812 | Environment: | |
| Last Closed: | 2014-10-20 21:24:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1153811, 1153812 | | |
Description
Randy Barlow
2014-10-15 13:53:10 UTC
I have learned some more information. M2Crypto is only capable of these protocols: SSLv2, SSLv3, and TLSv1.0. TLSv1.0 is known to be vulnerable to a few attacks as well, such as the BEAST attack[0]. I'm currently researching how unsafe TLSv1.0 would be for Pulp's use case before making a decision, but at this point I am leaning towards looking for a different library than M2Crypto so that we can use TLSv1.1 and 1.2.

[0] https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack

Another tidbit: It turns out that if you configure the M2Crypto.SSL.Context with "sslv23", that apparently means "Do any protocol, including TLS 1.1/1.2". :/ This might be an option for us, but this would also require the server to be configured for TLS 1.1/1.2. Ideally, we would refuse to connect to any server that is not willing to do TLS >= v1.1. I'm still looking into whether M2 can be configured to do that.

(In reply to Randy Barlow from comment #2)
> It turns out that if you configure the M2Crypto.SSL.Context with "sslv23",
> that apparently means "Do any protocol, including TLS 1.1/1.2". :/

That's an OpenSSL shenanigan really, likely for historical reasons, pre-dating TLS. You often want to use SSLv23_*method to enable all versions supported by the given OpenSSL version (until POODLE, that usually was SSL3 + TLS1 for older OpenSSL, and more recently TLS 1.0 - 1.2). This needs to be combined with SSL_*set_options to set SSL_OP_NO_SSLv2 and now also SSL_OP_NO_SSLv3. https://www.openssl.org/docs/ssl/SSL_CTX_new.html

The problem with TLSv1_*method, TLSv1_1_*method and TLSv1_2_*method is that they only enable a specific TLS version, rather than e.g. all TLS 1.x as mentioned above. I believe M2Crypto has something that directly maps to the underlying OpenSSL API.

Note that if you use SSLv23, your app should automatically use up to TLS 1.0 on RHEL-5 and RHEL-6 before 6.5, and TLS 1.2 on RHEL 6.5 and later, i.e. all versions supported by the underlying OpenSSL.
Thanks Tomas,

To amend my previous comment, M2Crypto in RHEL 5 is only capable of those protocols. M2Crypto in newer versions is capable of TLSv1.1 and TLSv1.2 as you pointed out. Due to the "shenanigans" of OpenSSL, we had configured M2Crypto to only be willing to do sslv3. This PR fixes that issue: https://github.com/pulp/pulp/pull/1245

As for TLSv1.0, I believe that Pulp is not vulnerable to BEAST because we do not allow code injection via our bindings.

The pull request is ready for review: https://github.com/pulp/pulp/pull/1245/

The build is in progress. In order to test this, you can configure Apache to only do SSLv2 and SSLv3 by editing /etc/httpd/conf.d/ssl.conf. Set this:

SSLProtocol SSLv2 SSLv3

pulp-admin and Nodes and pulp-consumer should all refuse to connect with Apache configured this way. This will verify that Pulp is not willing to do SSLv2 or SSLv3. Then set it like this:

SSLProtocol all -SSLv2 -SSLv3

Now everything in Pulp should work just fine. This will verify that Pulp can do TLS >= v1.0. Be sure to test EL5 through EL7 and F19/20, to make sure we haven't broken anything on any of the supported platforms.

Something strange happened when I squashed my branch and that pull request shows no commits. Here is the commit that fixes this issue: https://github.com/pulp/pulp/commit/b5b2586c7323987fcac410b8358f602ed645408f

Fixed in pulp-2.4.3-0.1.beta.

[root@cloud-qe-3 ~]# cat /etc/redhat-release
Fedora release 19 (Schrödinger’s Cat)
[root@cloud-qe-3 ~]#
[root@cloud-qe-3 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol SSLv3
[root@cloud-qe-3 ~]#
[root@cloud-qe-3 ~]#
[root@cloud-qe-3 ~]# pulp-admin repo list
+----------------------------------------------------------------------+
Repositories
+----------------------------------------------------------------------+
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/admin.log.
[root@cloud-qe-3 ~]# pulp-consumer register --consumer-id f19-consumer
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/consumer.log.
[root@cloud-qe-3 ~]#
[root@cloud-qe-3 ~]# systemctl restart httpd
[root@cloud-qe-3 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
SSLProtocol all -SSLv2 -SSLv3
#SSLProtocol SSLv3
[root@cloud-qe-3 ~]#
[root@cloud-qe-3 ~]# pulp-consumer register --consumer-id f19-consumer
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.
[root@cloud-qe-3 ~]#
[root@cloud-qe-3 ~]# pulp-admin repo list
+----------------------------------------------------------------------+
Repositories
+----------------------------------------------------------------------+
[root@cloud-qe-3 ~]#
[root@cloud-qe-4 ~]# cat /etc/redhat-release
Fedora release 20 (Heisenbug)
[root@cloud-qe-4 ~]#
[root@cloud-qe-4 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
SSLProtocol SSLv3
[root@cloud-qe-4 ~]#
[root@cloud-qe-4 ~]#
[root@cloud-qe-4 ~]# pulp-admin login -u admin -p admin
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/admin.log.
[root@cloud-qe-4 ~]# pulp-consumer register --consumer-id pulp-f20
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/consumer.log.
[root@cloud-qe-4 ~]#
[root@cloud-qe-4 ~]# pulp-admin login -u admin -p admin
Successfully logged in. Session certificate will expire at Oct 24 19:25:05 2014
GMT.
[root@cloud-qe-4 ~]# vi /etc/pulp/consumer/consumer.conf
[root@cloud-qe-4 ~]#
[root@cloud-qe-4 ~]# pulp-consumer register --consumer-id pulp-f20
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.
[root@cloud-qe-4 ~]#
[root@cloud-qe-22 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
[root@cloud-qe-22 ~]#
[root@cloud-qe-22 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
SSLProtocol SSLv2 SSLv3
#SSLProtocol all -SSLv2 -SSLv3
[root@cloud-qe-22 ~]# pulp-admin login -u admin -p admin
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/admin.log.
[root@cloud-qe-22 ~]# pulp-consumer register --consumer-id rhel6-client
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/consumer.log.
[root@cloud-qe-22 ~]#
[root@cloud-qe-22 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
#SSLProtocol SSLv2 SSLv3
SSLProtocol all -SSLv2 -SSLv3
[root@cloud-qe-22 ~]# pulp-admin login -u admin -p admin
Successfully logged in. Session certificate will expire at Oct 24 19:50:37 2014
GMT.
[root@cloud-qe-22 ~]# pulp-consumer register --consumer-id rhel6-client
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.
[root@cloud-qe-22 ~]#
[root@cloud-qe-1-vm-1 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
SSLProtocol SSLv3
#SSLProtocol all -SSLv2 -SSLv3
[root@cloud-qe-1-vm-1 ~]#
[root@cloud-qe-1-vm-1 ~]#
[root@cloud-qe-1-vm-1 ~]# pulp-admin login -u admin -p admin
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/admin.log.
[root@cloud-qe-1-vm-1 ~]# pulp-consumer register --consumer-id rhel7-pulp
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/consumer.log.
[root@cloud-qe-1-vm-1 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
#SSLProtocol SSLv3
SSLProtocol all -SSLv2 -SSLv3
[root@cloud-qe-1-vm-1 ~]# pulp-admin login -u admin -p admin
Successfully logged in. Session certificate will expire at Oct 24 20:39:50 2014
GMT.
[root@cloud-qe-1-vm-1 ~]# pulp-consumer register --consumer-id rhel7-pulp
Authentication Failed
A valid Pulp user is required to register a new consumer. Please double check
the username and password and attempt the request again.
[root@cloud-qe-1-vm-1 ~]# pulp-consumer -u admin -p admin register --consumer-id rhel7-pulp
Consumer [rhel7-pulp] successfully registered
[root@cloud-qe-1-vm-1 ~]#
[root@rhlel5-pulp24 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.10 (Tikanga)
[root@rhlel5-pulp24 ~]#
[root@rhlel5-pulp24 ~]# pulp-consumer -u admin -p admin register --consumer-id rhel5-client
An error occurred attempting to contact the server. More information can be
found in the client log file ~/.pulp/consumer.log.
[root@rhlel5-pulp24 ~]# pulp-consumer -u admin -p admin register --consumer-id rhel5-client
Consumer [rhel5-client] successfully registered
[root@rhlel5-pulp24 ~]#

Verified node is working as well.

This has been fixed with the 2.4.3-1 release.
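As an added example (not code from the bug, from Pulp or from M2Crypto), the following Python models the negotiation rules described in the comments and replays the QA matrix above: Apache's SSLProtocol syntax on the server side, and on the client side OpenSSL's SSLv23_method narrowed by SSL_OP_NO_* options versus a method pinned to a single version. The expansion of `all` to the five listed versions and the M2Crypto method strings are assumptions of the model.

```python
"""Constructed model of the SSL/TLS negotiation discussed in this bug: Apache's
SSLProtocol syntax plus the OpenSSL semantics from the comments (SSLv23_method =
any version, narrowed by SSL_OP_NO_* options; any other method = one version)."""
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
# Assumption: 'all' expands to every version above; a real httpd build expands
# it to whatever its OpenSSL supports.
NO_OPTION = {"SSL_OP_NO_" + v.replace(".", "_"): v for v in VERSIONS}


def parse_ssl_protocol(line):
    """Set of versions an 'SSLProtocol ...' line enables (+/- prefixes, 'all')."""
    tokens = line.split()
    if not tokens or tokens[0] != "SSLProtocol":
        raise ValueError("not an SSLProtocol directive: %r" % line)
    enabled = set()
    for tok in tokens[1:]:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        chosen = set(VERSIONS) if name == "all" else {name}
        if not chosen <= set(VERSIONS):
            raise ValueError("unknown protocol %r" % name)
        enabled = enabled | chosen if sign == "+" else enabled - chosen
    return enabled


def client_versions(method, options=()):
    """Versions an M2Crypto/OpenSSL client offers, given a Context method string
    ('sslv23', 'sslv3', 'tlsv1', ...) and SSL_OP_NO_* names for set_options()."""
    if method == "sslv23":  # SSLv23_method: everything, then subtract options
        enabled = set(VERSIONS)
    else:                   # a version-specific method is pinned to one version
        enabled = {v for v in VERSIONS if v.lower().replace(".", "_") == method}
        if not enabled:
            raise ValueError("unknown method %r" % method)
    return enabled - {NO_OPTION[o] for o in options}


def negotiate(client, server):
    """Highest version both sides allow, or None when the handshake fails."""
    common = [v for v in VERSIONS if v in client and v in server]
    return common[-1] if common else None


def qa_matrix():
    """Replay the test plan: client before/after the fix vs. both Apache configs."""
    servers = {"weak": parse_ssl_protocol("SSLProtocol SSLv2 SSLv3"),
               "hardened": parse_ssl_protocol("SSLProtocol all -SSLv2 -SSLv3")}
    clients = {"before_fix": client_versions("sslv3"),
               "after_fix": client_versions("sslv23", ("SSL_OP_NO_SSLv2", "SSL_OP_NO_SSLv3"))}
    return {(c, s): negotiate(cv, sv) for c, cv in clients.items() for s, sv in servers.items()}
```

The matrix reproduces the thread's outcome: the pinned sslv3 client only ever connects to the weak server, while the fixed client refuses the weak server and negotiates TLSv1.2 with the hardened one.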