| Field | Value |
|---|---|
| Summary | NSSProtocol is ignored when NSSFIPS is enabled. |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Robert Bost <rbost> |
| Component | mod_nss |
| Assignee | Matthew Harmsen <mharmsen> |
| Status | CLOSED ERRATA |
| QA Contact | Kaleem <ksiddiqu> |
| Severity | unspecified |
| Docs Contact | |
| Priority | urgent |
| Version | 6.7 |
| CC | akasurde, dmasirka, dpal, hokuda, rcritten |
| Target Milestone | rc |
| Keywords | ZStream |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | mod_nss-1.0.10-6.el6 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1312491 1322304 (view as bug list) |
| Environment | |
| Last Closed | 2016-05-10 19:41:37 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Bug Depends On | |
| Bug Blocks | 1312491, 1322304 |
| Attachments | |
Description
Robert Bost
2016-02-25 15:56:08 UTC
I think the intention originally was to only allow TLSv1 and disable SSL2 and 3. This was before the range code and TLS 1.1 and 1.2 support. I think this just needs to set the minimum range to TLS 1.0 by default and let NSSProtocol override it for higher values. I don't see a configuration workaround.

Created attachment 1130696 [details]
Patch for rhbz #1312052 - NSSProtocol is ignored when NSSFIPS is enabled.

Created attachment 1130697 [details]
mod_nss.spec file diffs for rhbz #1312052 - NSSProtocol is ignored when NSSFIPS is enabled.
I compiled and performed some minimal testing per the procedure documented in the initial description.

Comment on attachment 1130696 [details]
Patch for rhbz #1312052 - NSSProtocol is ignored when NSSFIPS is enabled.

Functionally it is ok, I just have a few suggestions:

1. I think the initial "if (mctx->sc->fips)" check can be removed completely. I don't know that we learn anything by retaining it other than it detected we're in FIPS mode.

2. For the SSL2 and SSL3 checks rather than just logging "Disabling SSL[23]" I'd log that SSL[23] is disabled by FIPS policy or something like that.

3. For the final catch-all in FIPS mode for the case where no valid protocols were provided I'd change the log message to reflect that, something like:

    "%s: FIPS mode no valid protocols set, enabling TLSv1.0, TLSv1.1 and TLSv1.2",
    protocol_marker
(In reply to Rob Crittenden from comment #6)
> Comment on attachment 1130696 [details]
> Patch for rhbz #1312052 - NSSProtocol is ignored when NSSFIPS is enabled.
>
> Functionally it is ok, I just have a few suggestions:
>
> 1. I think the initial "if (mctx->sc->fips)" check can be removed
> completely. I don't know that we learn anything by retaining it other than
> it detected we're in FIPS mode.

DONE

> 2. For the SSL2 and SSL3 checks rather than just logging "Disabling SSL[23]"
> I'd log that SSL[23] is disabled by FIPS policy or something like that.

QUESTION: Should these FIPS messages be marked as WARNING or INFO instead of DEBUG?

> 3. For the final catch-all in FIPS mode for the case where no valid
> protocols were provided I'd change the log message to reflect that,
> something like:
>
> "%s: FIPS mode no valid protocols set, enabling TLSv1.0, TLSv1.1 and
> TLSv1.2",
> protocol_marker

QUESTION: Should this message be marked as WARNING rather than INFO?

I think WARNING for the first, INFO for the second.

Created attachment 1130895 [details]
Patch for rhbz #1312052 - NSSProtocol is ignored when NSSFIPS is enabled.

Attached revised patch for your review.

Once again, I ran a number of tests to make certain that it still works.
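To make the behaviour being reviewed concrete, here is an added C model of the policy the review suggestions and the WARNING/INFO decision above describe. It is example code written for this page, not mod_nss's own source (which is in the attached patch): the enum names, bit layout, function names and log prefixes are assumptions, and the NSSProtocol values fed to it are constructed. It parses the directive, strips SSLv2/SSLv3 under FIPS with a warning, honours whichever TLS versions remain, and falls back to TLSv1.0 through TLSv1.2 with an info line only when nothing valid is left. The range helper adds one caveat a deployer should know: NSS enables versions as a contiguous min/max range (SSL_VersionRangeSet), so a list with a hole such as "TLSv1.0,TLSv1.2" ends up enabling TLSv1.1 as well.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not mod_nss code: a model of FIPS-aware NSSProtocol handling.
 * Enum names, bit layout and log text are assumptions for illustration. */
enum {
    PROTO_SSL2   = 1u << 0,
    PROTO_SSL3   = 1u << 1,
    PROTO_TLS1_0 = 1u << 2,
    PROTO_TLS1_1 = 1u << 3,
    PROTO_TLS1_2 = 1u << 4
};

/* Catch-all the reviewed patch applies when FIPS leaves no valid protocol. */
#define PROTO_FIPS_DEFAULT (PROTO_TLS1_0 | PROTO_TLS1_1 | PROTO_TLS1_2)

static const struct { const char *name; unsigned bit; } proto_names[] = {
    { "SSLv2", PROTO_SSL2 }, { "SSLv3", PROTO_SSL3 }, { "TLSv1.0", PROTO_TLS1_0 },
    { "TLSv1.1", PROTO_TLS1_1 }, { "TLSv1.2", PROTO_TLS1_2 }
};

/* Append one log line to a caller-supplied buffer; NULL buffer means "no log". */
static void append_log(char *log, size_t loglen, const char *line)
{
    if (log == NULL || loglen == 0) return;
    size_t used = strlen(log);
    if (used + 1 >= loglen) return;
    strncat(log, line, loglen - used - 1);
}

/* Parse a comma-separated NSSProtocol value into a bitmask. Blanks around
 * tokens are tolerated; tokens that are not a known version are ignored. */
unsigned parse_nss_protocol(const char *value)
{
    unsigned mask = 0;
    const char *p = value ? value : "";
    while (*p) {
        while (*p == ',' || *p == ' ' || *p == '\t') p++;
        const char *start = p;
        while (*p && *p != ',' && *p != ' ' && *p != '\t') p++;
        size_t len = (size_t)(p - start);
        for (size_t i = 0; len && i < sizeof proto_names / sizeof proto_names[0]; i++)
            if (strlen(proto_names[i].name) == len && memcmp(proto_names[i].name, start, len) == 0)
                mask |= proto_names[i].bit;
    }
    return mask;
}

/* The policy under review: outside FIPS the directive is taken as written; in
 * FIPS mode SSLv2/SSLv3 are dropped with a WARNING, the remaining TLS choice is
 * honoured, and an empty result falls back to TLSv1.0-1.2 with an INFO line.
 * An unset directive also starts at TLSv1.0 (assumption, following the
 * suggestion above to default the minimum of the range to TLS 1.0). */
unsigned effective_protocols(const char *nss_protocol, bool fips, char *log, size_t loglen)
{
    unsigned mask = parse_nss_protocol(nss_protocol);
    if (log && loglen) log[0] = '\0';

    if (fips) {
        if (mask & PROTO_SSL2) {
            mask &= ~PROTO_SSL2;
            append_log(log, loglen, "[warn] SSLv2 is disabled by FIPS policy\n");
        }
        if (mask & PROTO_SSL3) {
            mask &= ~PROTO_SSL3;
            append_log(log, loglen, "[warn] SSLv3 is disabled by FIPS policy\n");
        }
        if (mask == 0) {
            mask = PROTO_FIPS_DEFAULT;
            append_log(log, loglen, "[info] FIPS mode no valid protocols set, "
                                    "enabling TLSv1.0, TLSv1.1 and TLSv1.2\n");
        }
    } else if (mask == 0) {
        mask = PROTO_FIPS_DEFAULT;   /* unset NSSProtocol: minimum TLSv1.0 (assumption) */
    }
    return mask;
}

/* NSS enables versions as one contiguous [min, max] range (SSL_VersionRangeSet),
 * so a list with a hole such as "TLSv1.0,TLSv1.2" also enables TLSv1.1 in
 * practice. Returns false for an empty mask. */
bool protocol_range(unsigned mask, unsigned *lo, unsigned *hi)
{
    if (mask == 0) return false;
    unsigned bit = PROTO_SSL2;
    while (!(mask & bit)) bit <<= 1;
    *lo = bit;
    bit = PROTO_TLS1_2;
    while (!(mask & bit)) bit >>= 1;
    *hi = bit;
    return true;
}

int main(void)
{
    /* Constructed NSSProtocol values, as a deployer might write them in nss.conf. */
    const char *samples[] = { "SSLv3,TLSv1.1,TLSv1.2", "SSLv2,SSLv3", "TLSv1.0,TLSv1.2", NULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char log[256];
        unsigned lo = 0, hi = 0;
        unsigned mask = effective_protocols(samples[i], true, log, sizeof log);
        protocol_range(mask, &lo, &hi);
        printf("NSSFIPS on, NSSProtocol \"%s\": mask 0x%02x, NSS range 0x%02x..0x%02x\n%s",
               samples[i] ? samples[i] : "(unset)", mask, lo, hi, log);
    }
    return 0;
}
```

The point to take from the second sample is the one the bug is about: before the fix, a FIPS-enabled server silently ignored the directive; after it, an NSSProtocol that names only SSLv2/SSLv3 is logged as a policy conflict and the server still comes up with the TLSv1.0-1.2 range rather than no protocols at all, while a directive such as "TLSv1.2" is honoured as written.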
Comment on attachment 1130697 [details]
mod_nss.spec file diffs for rhbz #1312052 - NSSProtocol is ignored when NSSFIPS is enabled.
LGTM
Verified using mod_nss :: mod_nss-1.0.10-6.el6.x86_64

Please see attachments for verification steps and console.log.

Created attachment 1132791 [details]
console.log

Created attachment 1132792 [details]
httpd_error_access_log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0751.html