Bug 1371315

Summary: Allow restricting ciphers to TLS 1.2
Product: Red Hat Enterprise Linux 6
Reporter: Matthew Harmsen <mharmsen>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: unspecified
Version: 6.9
CC: aakkiang, alee, cfu, cheimes, edewata, ftweedal, jmagne, mharmsen, mkosek, nkinder, rpattath
Target Milestone: rc
Keywords: Reopened, TestOnly
Target Release: 6.9
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Doc Text: Per comment #5, this bug has been marked as TestOnly, and thus requires no documentation.
Story Points: ---
Last Closed: 2017-03-21 11:59:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1367026, 1403694
Attachments:
  - test session and log output (attachment 1196813)
  - testlog with TLS1.2 (attachment 1225911)
  - testlog with TLS1.2 (attachment 1227008)

Description Matthew Harmsen 2016-08-29 22:05:04 UTC
From CS/DS meeting of 08/29/2016 - TLS 1.2 requirements

    Must allow for restricting ciphers to TLS 1.2.  This is something that
    should be tested by QE (and we need to document).

    mharmsen to file RHEL 6.9 pki-core BZ so QE can verify.

    Ask Christian to put details on configuration in the bug and set to MODIFIED.

Comment 2 Christian Heimes 2016-09-01 12:39:09 UTC
I was able to restrict Dogtag to TLSv1.2 only by modifying /etc/pki-ca/server.xml and replacing every occurrence of sslVersionRangeStream="tls1_0:tls1_2" with sslVersionRangeStream="tls1_2:tls1_2":

# sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
# /sbin/service pki-cad restart pki-ca

(This also sets sslVersionRangeDatagram to tls1_2:tls1_2.)

I have verified cipher suites and TLS protocol version with sslscan, Firefox and curl. I have not checked if Dogtag is still able to connect to a LDAP server over TLSv1.2. There is no apparent reason that would prevent Dogtag from talking LDAPs TLSv1.2, though.

Comment 3 Christian Heimes 2016-09-01 12:39:51 UTC
Created attachment 1196813 [details]
test session and log output

Comment 4 Matthew Harmsen 2016-11-14 19:36:18 UTC
Per request from aakkiang: Moving to ON_QA

Comment 5 Martin Kosek 2016-11-15 14:33:46 UTC
Given there was no code change and this change was added to enable IdM TLS 1.2 configuration tracked in Bug 1367026, marking as TestOnly bug.

Comment 6 Roshni 2016-11-29 16:04:14 UTC
Created attachment 1225911 [details]
testlog with TLS1.2

I see the output in the attachment after enabling TLSv1.2. I have also included the server.xml in the attached file. When running sslscan using the secure port (9443) I do not see any of the ciphers being accepted before and after restricting the version to TLS1.2. The ca was installed as part of ipa-server-install.

Comment 7 Christian Heimes 2016-11-30 18:04:43 UTC
Did you restart the server? I only see the sed and sslscan commands in your log. After a restart the server should no longer accept any connections with TLS 1.0 and 1.1.

From comment 2:

sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
/sbin/service pki-cad restart pki-ca

Comment 8 Roshni 2016-12-01 19:59:32 UTC
Created attachment 1227008 [details]
testlog with TLS1.2

The attachment has the test results. I did ipa-server-install and ran sslscan on the secure and unsecure ports before and after restricting to TLS1.2. When performing sslscan on the secure port I see none of the ciphers are being accepted.

Comment 10 Roshni 2016-12-08 18:39:04 UTC
[root@ipaqa64vmh ~]# rpm -q pki-ca
pki-ca-9.0.3-51.el6.noarch
[root@ipaqa64vmh ~]# rpm -qi pki-ca
Name        : pki-ca                       Relocations: (not relocatable)
Version     : 9.0.3                             Vendor: Red Hat, Inc.
Release     : 51.el6                        Build Date: Mon 05 Dec 2016 04:45:59 PM EST
Install Date: Thu 08 Dec 2016 08:17:19 AM EST      Build Host: x86-029.build.eng.bos.redhat.com
Group       : System Environment/Daemons    Source RPM: pki-core-9.0.3-51.el6.src.rpm
Size        : 785389                           License: GPLv2
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority


Verification steps:

1. ipa-server-install
2. pk12util -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt -o ipacert.p12 -n ipaCert -W <password>
3. sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9443 and sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9444 should accept ciphers from TLS1.1 and TLS1.2
4. sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
5. /sbin/service pki-cad restart pki-ca
6. sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9443 and sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9444 should accept ciphers only from TLS1.2
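The following is an added example, not code from this bug, from pki-core or from Red Hat. It does in Python what the sed line in comment 2 and steps 4 and 5 of the verification procedure above do, and adds the check a practitioner wants before and after the edit: parse server.xml, list every connector whose sslVersionRangeStream or sslVersionRangeDatagram still admits a protocol older than TLS 1.2, and rewrite the attributes. It generalises beyond the sed pattern `tls1_[01]:tls1_2`, which only matches ranges whose minimum is tls1_0 or tls1_1 and whose maximum is tls1_2; the parser below also catches a minimum of ssl3_0 and a maximum below tls1_2. The embedded SAMPLE_SERVER_XML is a constructed, trimmed stand-in for /etc/pki-ca/server.xml (the attribute names are the real ones from the bug; the connector layout is illustrative), and the protocol label ordering in VERSION_ORDER is an assumption limited to the labels this bug mentions.

```python
"""Audit and harden the TLS version ranges in a Dogtag pki-ca server.xml."""
import re
import xml.etree.ElementTree as ET

# Protocol labels used in sslVersionRange* attributes, oldest first.
# Assumption: only the labels that appear in this bug are modelled.
VERSION_ORDER = ["ssl3_0", "tls1_0", "tls1_1", "tls1_2"]
RANGE_ATTRS = ("sslVersionRangeStream", "sslVersionRangeDatagram")

# Constructed sample: a trimmed server.xml with the two SSL connectors an
# ipa-server-install'd pki-ca exposes (9443 and 9444) plus a clear-text one.
# Attribute names are real; the surrounding layout is illustrative only.
SAMPLE_SERVER_XML = """<Server port="9701" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9180" protocol="HTTP/1.1" redirectPort="9443"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               sslVersionRangeStream="tls1_0:tls1_2"
               sslVersionRangeDatagram="tls1_1:tls1_2"
               clientAuth="want" sslProtocol="SSL"/>
    <Connector port="9444" protocol="HTTP/1.1" SSLEnabled="true"
               sslVersionRangeStream="ssl3_0:tls1_2"
               sslVersionRangeDatagram="tls1_2:tls1_2"
               clientAuth="true" sslProtocol="SSL"/>
  </Service>
</Server>
"""


def parse_range(value):
    """Split 'min:max' and validate both ends against the known labels."""
    lo, sep, hi = value.partition(":")
    if not sep or lo not in VERSION_ORDER or hi not in VERSION_ORDER:
        raise ValueError("unrecognised version range %r" % value)
    return lo, hi


def audit(xml_text, minimum="tls1_2"):
    """Return (port, attribute, range) for every connector whose minimum
    protocol is older than `minimum`. An empty list means the file is clean."""
    findings = []
    floor = VERSION_ORDER.index(minimum)
    for conn in ET.fromstring(xml_text).iter("Connector"):
        for attr in RANGE_ATTRS:
            value = conn.get(attr)
            if value is None:
                continue  # clear-text connector, nothing to check
            lo, _hi = parse_range(value)
            if VERSION_ORDER.index(lo) < floor:
                findings.append((conn.get("port"), attr, value))
    return findings


def restrict_to_tls12(xml_text):
    """Rewrite every sslVersionRange* attribute so the minimum is tls1_2.

    Works on the raw text rather than a re-serialised tree so comments,
    whitespace and attribute order in server.xml survive, as with sed."""
    pattern = re.compile(r'(sslVersionRange(?:Stream|Datagram))="([^"]*)"')
    tls12 = VERSION_ORDER.index("tls1_2")

    def fix(match):
        _lo, hi = parse_range(match.group(2))
        # A maximum below tls1_2 would make the range empty; raise it too.
        if VERSION_ORDER.index(hi) < tls12:
            hi = "tls1_2"
        return '%s="tls1_2:%s"' % (match.group(1), hi)

    return pattern.sub(fix, xml_text)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SERVER_XML
    for port, attr, value in audit(text):
        print("port %s: %s=%s still allows pre-TLS1.2" % (port, attr, value))
    hardened = restrict_to_tls12(text)
    if path:
        open(path, "w").write(hardened)
    assert audit(hardened) == []
```

Run it with the path to /etc/pki-ca/server.xml to rewrite the file in place, or with no argument to exercise the sample. The edit alone changes nothing on the wire: as comment 7 notes, the running instance keeps its old ranges until `/sbin/service pki-cad restart pki-ca`, so the sslscan against ports 9443 and 9444 in step 6 belongs after the restart, not after the edit.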

Comment 12 errata-xmlrpc 2017-03-21 11:59:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0802.html