Bug 1186488
Summary: | Connections default to using TLSv1.0 and should use TLSv1.2 | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | J.C. Molet <jmolet> |
Component: | python-rhsm | Assignee: | candlepin-bugs |
Status: | CLOSED CURRENTRELEASE | QA Contact: | John Sefler <jsefler> |
Severity: | low | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.1 | CC: | alikins, bcourt, bkearney, candlepin-bugs, jmolet, jsefler, vrjain |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | python-rhsm-1.13.6-1 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | 1153375 | Environment: | |
Last Closed: | 2016-10-05 19:52:31 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1153375 | | |
Bug Blocks: | 1153811, 1156565, 1156567 | | |
Comment 1
J.C. Molet
2015-01-27 19:07:55 UTC
jmolet, do you mind verifying if this is already fixed in python rhsm 1.15 please?

I have a candlepin server set up to use only SSLv3 (where the poodle exploit exists)

```
#cat /etc/tomcat/server.xml | grep sslEnabledProtocols
<Connector SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="want" SSLProtocol="TLS" keystoreFile="conf/keystore" truststoreFile="conf/keystore" keystorePass="password" keystoreType="PKCS12" ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" truststorePass="password" port="8443" sslEnabledProtocols="SSLv3" protocol="HTTP/1.1"/>
```

Meanwhile on the client when I register:

```
#subscription-manager register --username=testuser1 --password=password --org=admin
Registering to: jmolet-cp0.usersys.redhat.com:8443/candlepin
Unable to verify server's identity: unsupported protocol
```

This was rejected due to incorrect protocol.

If I change the server back:

```
#cat /etc/tomcat/server.xml | grep sslEnabledProtocols
<Connector SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="want" SSLProtocol="TLS" keystoreFile="conf/keystore" truststoreFile="conf/keystore" keystorePass="password" keystoreType="PKCS12" ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" truststorePass="password" port="8443" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" protocol="HTTP/1.1"/>

# subscription-manager register --username=testuser1 --password=password --org=admin
Registering to: jmolet-cp0.usersys.redhat.com:8443/candlepin
The system has been registered with ID: 83613ef2-274f-4734-abdc-54095d63930e
```

All works. Marking Verified.

python-rhsm-1.15.4-5.el7.x86_64

This was fixed in 7.2 & 6.8
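The verification above boils down to a version-overlap check: a server whose `sslEnabledProtocols` is `SSLv3` shares no protocol version with a client that refuses SSLv3, so the handshake fails with "unsupported protocol", while `TLSv1.2,TLSv1.1,TLSv1` lets the client pick TLSv1.2. The script below is an added example and is not code from the bug report, from python-rhsm, or from Candlepin. It parses a Tomcat `Connector` element, reports which versions a TLSv1.2-floor client could negotiate and which enabled versions are legacy, and builds the client-side `ssl.SSLContext` that enforces that floor. The two `Connector` strings are constructed, trimmed copies of the configurations in the comment; `negotiate` is a simplification that ignores cipher-suite overlap, and the TLSv1.2 floor is an assumption taken from the bug summary rather than what any particular python-rhsm release does.

```python
"""Added example (not from the bug report or python-rhsm): lint a Tomcat
Connector's sslEnabledProtocols against the versions a hardened client accepts,
and build the client-side ssl.SSLContext that enforces that floor."""
import ssl
import xml.etree.ElementTree as ET

# Protocol names as Tomcat spells them, ordered oldest to newest.
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Assumed client floor: SSLv3 is out because of POODLE (the case the report
# tests); TLSv1 and TLSv1.1 are treated as legacy rather than as failures.
CLIENT_FLOOR = "TLSv1.2"

# Constructed Connector elements, trimmed to the attributes this check reads.
# SSLV3_ONLY mirrors the server as first configured in the report,
# TLS_ONLY mirrors the configuration it was changed back to.
SSLV3_ONLY = ('<Connector SSLEnabled="true" port="8443" SSLProtocol="TLS" '
              'sslEnabledProtocols="SSLv3" protocol="HTTP/1.1"/>')
TLS_ONLY = ('<Connector SSLEnabled="true" port="8443" SSLProtocol="TLS" '
            'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" protocol="HTTP/1.1"/>')


def server_protocols(connector_xml):
    """Versions a Connector enables: sslEnabledProtocols is a comma-separated
    list, returned in whatever order the administrator wrote it."""
    elem = ET.fromstring(connector_xml)
    raw = elem.get("sslEnabledProtocols")
    if raw is None:
        raise ValueError("Connector has no explicit sslEnabledProtocols")
    versions = [v.strip() for v in raw.split(",") if v.strip()]
    unknown = [v for v in versions if v not in VERSION_ORDER]
    if unknown:
        raise ValueError("unrecognised protocol name(s): %s" % ", ".join(unknown))
    return versions


def _at_least(floor):
    """All versions from `floor` upwards, oldest first."""
    return VERSION_ORDER[VERSION_ORDER.index(floor):]


def negotiate(server_versions, client_floor=CLIENT_FLOOR):
    """Simplified version negotiation: the newest version both sides enable,
    or None when there is none (the report's 'unsupported protocol' failure).
    Cipher-suite overlap, which a real handshake also needs, is ignored."""
    common = [v for v in _at_least(client_floor) if v in server_versions]
    return common[-1] if common else None


def weak_versions(server_versions, floor=CLIENT_FLOOR):
    """Enabled versions below the floor, oldest first: what to drop from
    sslEnabledProtocols once every client can negotiate the floor version."""
    allowed = set(_at_least(floor))
    return [v for v in VERSION_ORDER if v in server_versions and v not in allowed]


def hardened_client_context(cafile=None):
    """Client context with TLS 1.2 as the floor. PROTOCOL_TLS_CLIENT turns on
    certificate and hostname checking; minimum_version needs OpenSSL >= 1.1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx


def report(connector_xml):
    """One-line verdict for a Connector, in the spirit of the report's test."""
    enabled = server_protocols(connector_xml)
    chosen = negotiate(enabled)
    if chosen is None:
        return "REJECT: server enables %s, client requires >= %s" % (
            ",".join(enabled), CLIENT_FLOOR)
    weak = weak_versions(enabled)
    note = " (legacy versions still enabled: %s)" % ",".join(weak) if weak else ""
    return "OK: negotiated %s%s" % (chosen, note)


if __name__ == "__main__":
    for label, xml in (("SSLv3 only", SSLV3_ONLY), ("TLS only", TLS_ONLY)):
        print("%-10s %s" % (label, report(xml)))
```

Run stand-alone, the SSLv3-only Connector is reported as rejected and the TLS Connector as negotiating TLSv1.2 with TLSv1 and TLSv1.1 flagged as legacy. The same `server_protocols`/`report` pair can be pointed at the real `Connector` element pulled out of `server.xml` once the grep-and-read step in the comment is scripted.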