Bug 1305779

Summary: Weak ciphers and sslv3 on satellite
Product: Red Hat Satellite
Reporter: Abel Lopez <abelopez>
Component: Security
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DUPLICATE
QA Contact: Katello QA List <katello-qa-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.1.5
CC: bkearney, howey.vernon, security-response-team, tbrisker
Target Milestone: Unspecified
Keywords: Security
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-27 12:15:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1153811, 1305938, 1432305

Description Abel Lopez 2016-02-09 08:51:13 UTC
Description of problem:
default httpd configs support SSLv3, which causes satellite to get flagged by security auditors checking for SSLv3 POODLE

Version-Release number of selected component (if applicable):
6.1.5

How reproducible:
Every time

Steps to Reproduce:
1. Install satellite
2. Use any generic SSL checker

Actual results:
Red flag for potentially being vulnerable for having SSLv3, weak ciphers

Expected results:
Should be more secure

Additional info:
Had to edit /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf.d/25-puppet.conf

Comment 1 Kurt Seifried 2016-02-09 16:18:29 UTC
This is Kurt from Product Security, just to let you know we're keeping an eye on this and I'll be talking to the Satellite 6 people about it. Thanks for reporting this!

Comment 2 Kurt Seifried 2016-02-09 18:03:21 UTC
So for securing the SSL/TLS config a good resource is:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

For Apache 2.4/OpenSSL 1.0.1e (RHEL7)

SSLProtocol             all -SSLv2 -SSLv3

SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

SSLHonorCipherOrder     on
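
A small audit script that checks an httpd SSL config fragment against the three directives above. It is an added example and not part of the bug report, of Satellite, or of Apache: it models mod_ssl's SSLProtocol keyword semantics (a bare keyword replaces the set, `+` adds, `-` removes, `all` expands to the versions Apache 2.4 on OpenSSL 1.0.1 supports) and applies a deliberately simple heuristic to SSLCipherSuite (weak families such as RC4 or MD5 that appear positively and are never excluded with `!`; OpenSSL aliases like ALL or LOW are not expanded). The permissive config `WEAK_CONF` and the hardened `HARDENED_CONF` (Comment 2's shape, with the cipher list abbreviated) are constructed samples.

```python
"""Audit Apache mod_ssl directives for SSLv3 and weak cipher families.

Added example for this bug report; not part of Satellite, Apache or the
report itself. Models mod_ssl's SSLProtocol keyword semantics and applies
a small heuristic to SSLCipherSuite. The configs at the bottom are
constructed samples.
"""
import re

# Apache 2.4 on OpenSSL 1.0.1 has no SSLv2 support, so 'all' expands to these;
# SSLv2 is still accepted as a keyword so that '-SSLv2' parses.
ALL_KEYWORD = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN_PROTOCOLS = ALL_KEYWORD | {"SSLv2"}
PROTOCOL_BY_NAME = {p.lower(): p for p in KNOWN_PROTOCOLS}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}

# OpenSSL cipher-string tokens that should only ever appear negated ('!').
# Heuristic only: aliases such as ALL, LOW or DEFAULT are not expanded.
WEAK_CIPHER_TOKENS = {"RC4", "MD5", "DES", "EXP", "EXPORT", "NULL", "aNULL", "eNULL"}

DIRECTIVES = {"sslprotocol": "SSLProtocol",
              "sslciphersuite": "SSLCipherSuite",
              "sslhonorcipherorder": "SSLHonorCipherOrder"}
DIRECTIVE_RE = re.compile(
    r"^[ \t]*(SSLProtocol|SSLCipherSuite|SSLHonorCipherOrder)[ \t]+(.+?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE)


def parse_directives(config_text):
    """Return the last value seen for each directive of interest (mod_ssl keeps the last).

    Commented-out lines ('#SSLProtocol ...') do not match because the directive
    name is anchored at the start of the line.
    """
    found = {}
    for m in DIRECTIVE_RE.finditer(config_text):
        found[DIRECTIVES[m.group(1).lower()]] = m.group(2)
    return found


def enabled_protocols(value):
    """Evaluate an SSLProtocol value into the set of protocol versions it enables."""
    enabled = set()
    for token in value.split():
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        if token.lower() == "all":
            versions = set(ALL_KEYWORD)
        elif token.lower() in PROTOCOL_BY_NAME:
            versions = {PROTOCOL_BY_NAME[token.lower()]}
        else:
            raise ValueError("unknown SSLProtocol keyword: %r" % token)
        if action == "-":
            enabled -= versions
        elif action == "+":
            enabled |= versions
        else:
            enabled = versions  # a bare keyword replaces whatever came before
    return enabled


def selectable_weak_ciphers(cipher_string):
    """Weak token families named positively and never excluded with '!'."""
    positive, negated = set(), set()
    for spec in cipher_string.split(":"):
        is_negated = spec.startswith("!")
        for part in re.split(r"[-+]", spec.lstrip("!+-")):
            if part in WEAK_CIPHER_TOKENS:
                (negated if is_negated else positive).add(part)
    return positive - negated


def audit(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    directives = parse_directives(config_text)
    findings = []
    # With no SSLProtocol line we assume the permissive 'all' (conservative choice).
    legacy = sorted(enabled_protocols(directives.get("SSLProtocol", "all")) & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    weak = sorted(selectable_weak_ciphers(directives.get("SSLCipherSuite", "DEFAULT")))
    if weak:
        findings.append("weak cipher families selectable: " + ", ".join(weak))
    if directives.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not 'on'; the client's preference wins")
    return findings


# Constructed sample: a permissive vhost of the kind the report describes.
WEAK_CONF = """\
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP
"""

# Constructed sample: the shape of the hardened config, cipher list abbreviated.
HARDENED_CONF = """\
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH
SSLHonorCipherOrder on
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Run it against the contents of /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf.d/25-puppet.conf (the two files the reporter had to edit) to see which one still carries a permissive SSLProtocol; note that a directive set in a later-included file wins, which is why the parser keeps the last value it sees.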

Comment 3 Kurt Seifried 2016-04-14 16:16:22 UTC
Docs on most of our SSL/TLS services and how to configure them:

https://access.redhat.com/articles/1462183

Comment 4 Tomer Brisker 2016-06-27 12:15:34 UTC

*** This bug has been marked as a duplicate of bug 1153826 ***