Bug 1186488
| Summary: | Connections default to using TLSv1.0 and should use TLSv1.2 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | J.C. Molet <jmolet> |
| Component: | python-rhsm | Assignee: | candlepin-bugs |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | John Sefler <jsefler> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.1 | CC: | alikins, bcourt, bkearney, candlepin-bugs, jmolet, jsefler, vrjain |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | python-rhsm-1.13.6-1 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1153375 | Environment: | |
| Last Closed: | 2016-10-05 19:52:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1153375 | ||
| Bug Blocks: | 1153811, 1156565, 1156567 | ||
|
Comment 1
J.C. Molet
2015-01-27 19:07:55 UTC
jmolet, do you mind verifying if this is already fixed in python rhsm 1.15 please? I have a candlepin server set up to use only SSLv3 (where the poodle exploit exists)
#cat /etc/tomcat/server.xml | grep sslEnabledProtocols
<Connector SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="want" SSLProtocol="TLS" keystoreFile="conf/keystore" truststoreFile="conf/keystore" keystorePass="password" keystoreType="PKCS12" ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" truststorePass="password" port="8443" sslEnabledProtocols="SSLv3" protocol="HTTP/1.1"/>
Meanwhile on the client when I register:
#subscription-manager register --username=testuser1 --password=password --org=admin
Registering to: jmolet-cp0.usersys.redhat.com:8443/candlepin
Unable to verify server's identity: unsupported protocol
This was rejected due to incorrect protocol.
If I change the server back:
#cat /etc/tomcat/server.xml | grep sslEnabledProtocols
<Connector SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="want" SSLProtocol="TLS" keystoreFile="conf/keystore" truststoreFile="conf/keystore" keystorePass="password" keystoreType="PKCS12" ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" truststorePass="password" port="8443" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" protocol="HTTP/1.1"/>
# subscription-manager register --username=testuser1 --password=password --org=admin
Registering to: jmolet-cp0.usersys.redhat.com:8443/candlepin
The system has been registered with ID: 83613ef2-274f-4734-abdc-54095d63930e
All works. Marking Verified.
python-rhsm-1.15.4-5.el7.x86_64
This was fixed in 7.2 & 6.8 |