Bug 1317812
| Summary: | Option to disable particular TLS version and ciphers with pcsd | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Radek Steiger <rsteiger> |
| Component: | pcs | Assignee: | Ivan Devat <idevat> |
| Status: | CLOSED ERRATA | QA Contact: | cluster-qe <cluster-qe> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.8 | CC: | cfeist, cluster-maint, cluster-qe, idevat, mgandhi, mkolaja, omular, pzimek, rsteiger, sbradley, tlavigne, tojeline |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | pcs-0.9.148-6.el6 | Doc Type: | Bug Fix |
| Doc Text: |
Cause:
There is no possibility to set SSL options and ciphers in pcsd.
Consequence:
If a vulnerability is found in a particular version of SSL/TLS protocol or a cipher or they are considered weak for other reasons, there is no easy way for users to disable the protocol version or cipher.
Fix:
Disable RC4 ciphers and TLS lower than 1.2 by default. Add possibility to configure SSL options and ciphers.
Result:
Weak ciphers are disabled by default. It is possible to set SSL options and ciphers so user can disable weak ciphers in future easily.
|
Story Points: | --- |
| Clone Of: | 1315652 | Environment: | |
| Last Closed: | 2016-05-10 19:27:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Comment 2
Tomas Jelinek
2016-03-16 08:28:48 UTC
On rhel6.8 does not work nmap with --script +ssl-enum-ciphers, so we test it from rhel7 machine. Let us have nodes vm-rhel-6 (this node testing) and vm-rhel-7 (from this node testing). Before fix: [vm-rhel-7 ~] $ nmap -p 2224 -Pn vm-rhel-6 --script +ssl-enum-ciphers |& sed -n '/PORT/,/MAC/p' PORT STATE SERVICE 2224/tcp open efi-mg | ssl-enum-ciphers: | SSLv3: No supported ciphers found | TLSv1.0: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong | TLS_RSA_WITH_IDEA_CBC_SHA - weak | TLS_RSA_WITH_RC4_128_MD5 - strong | TLS_RSA_WITH_RC4_128_SHA - strong | TLS_RSA_WITH_SEED_CBC_SHA - strong | compressors: | NULL | TLSv1.1: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong | TLS_RSA_WITH_IDEA_CBC_SHA - weak | TLS_RSA_WITH_RC4_128_MD5 - strong | TLS_RSA_WITH_RC4_128_SHA - strong | TLS_RSA_WITH_SEED_CBC_SHA - strong | compressors: | NULL | TLSv1.2: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA256 - strong | TLS_RSA_WITH_AES_128_GCM_SHA256 - strong | TLS_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_AES_256_CBC_SHA256 - strong | TLS_RSA_WITH_AES_256_GCM_SHA384 - strong | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong | TLS_RSA_WITH_IDEA_CBC_SHA - weak | TLS_RSA_WITH_RC4_128_MD5 - strong | TLS_RSA_WITH_RC4_128_SHA - strong | TLS_RSA_WITH_SEED_CBC_SHA - strong | compressors: | NULL |_ least strength: weak MAC Address: 52:54:00:D5:E7:7D (QEMU Virtual NIC) After fix: It is possible to set SSL options and ciphers in /etc/sysconfig/pcsd file. This is with default configuration: [vm-rhel-7 ~] $ nmap -p 2224 -Pn vm-rhel-6 --script +ssl-enum-ciphers |& sed -n '/PORT/,/MAC/p' PORT STATE SERVICE 2224/tcp open efi-mg | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA256 - strong | TLS_RSA_WITH_AES_128_GCM_SHA256 - strong | TLS_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_AES_256_CBC_SHA256 - strong | TLS_RSA_WITH_AES_256_GCM_SHA384 - strong | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong | TLS_RSA_WITH_IDEA_CBC_SHA - weak | TLS_RSA_WITH_SEED_CBC_SHA - strong | compressors: | NULL |_ least strength: weak MAC Address: 52:54:00:D5:E7:7D (QEMU Virtual NIC) Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0739.html |