Bug 1371315

| Field | Value |
|---|---|
| Summary | Allow restricting ciphers to TLS 1.2 |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Matthew Harmsen <mharmsen> |
| Component | pki-core |
| Assignee | RHCS Maintainers <rhcs-maint> |
| Status | CLOSED ERRATA |
| QA Contact | Asha Akkiangady <aakkiang> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 6.9 |
| CC | aakkiang, alee, cfu, cheimes, edewata, ftweedal, jmagne, mharmsen, mkosek, nkinder, rpattath |
| Target Milestone | rc |
| Keywords | Reopened, TestOnly |
| Target Release | 6.9 |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | No Doc Update |
| Doc Text | Per comment #5, this bug has been marked as TestOnly, and thus requires no documentation. |
| Story Points | --- |
| Last Closed | 2017-03-21 11:59:22 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1367026, 1403694 |
Description

Matthew Harmsen, 2016-08-29 22:05:04 UTC

I was able to restrict Dogtag to TLSv1.2 only by modifying /etc/pki-ca/server.xml and replacing every occurrence of sslVersionRangeStream="tls1_0:tls1_2" with sslVersionRangeStream="tls1_2:tls1_2":

```
# sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
# /sbin/service pki-cad restart pki-ca
```

(This also sets sslVersionRangeDatagram to tls1_2:tls1_2.)

I have verified cipher suites and TLS protocol version with sslscan, Firefox and curl. I have not checked if Dogtag is still able to connect to an LDAP server over TLSv1.2. There is no apparent reason that would prevent Dogtag from talking LDAPS TLSv1.2, though.

Created attachment 1196813 [details]: test session and log output

Per request from aakkiang: Moving to ON_QA

Given there was no code change and this change was added to enable IdM TLS 1.2 configuration tracked in Bug 1367026, marking as TestOnly bug.

Created attachment 1225911 [details]: testlog with TLS1.2

I see the output in the attachment after enabling TLSv1.2. I have also included the server.xml in the attached file. When running sslscan using the secure port (9443) I do not see any of the ciphers being accepted before and after restricting the version to TLS1.2. The CA was installed as part of ipa-server-install.

Did you restart the server? I only see the sed and sslscan commands in your log. After a restart the server should no longer accept any connections with TLS 1.0 and 1.1. From comment 2:

```
sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
/sbin/service pki-cad restart pki-ca
```

Created attachment 1227008 [details]: testlog with TLS1.2

The attachment has the test results. I did ipa-server-install and ran sslscan on the secure and unsecure ports before and after restricting to TLS1.2. When performing sslscan on the secure port I see none of the ciphers are being accepted.

```
[root@ipaqa64vmh ~]# rpm -q pki-ca
pki-ca-9.0.3-51.el6.noarch
[root@ipaqa64vmh ~]# rpm -qi pki-ca
Name        : pki-ca                       Relocations: (not relocatable)
Version     : 9.0.3                        Vendor: Red Hat, Inc.
Release     : 51.el6                       Build Date: Mon 05 Dec 2016 04:45:59 PM EST
Install Date: Thu 08 Dec 2016 08:17:19 AM EST      Build Host: x86-029.build.eng.bos.redhat.com
Group       : System Environment/Daemons   Source RPM: pki-core-9.0.3-51.el6.src.rpm
Size        : 785389                       License: GPLv2
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority
```

Verification steps:

1. `ipa-server-install`
2. `pk12util -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt -o ipacert.p12 -n ipaCert -W <password>`
3. `sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9443` and `sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9444` should accept ciphers from TLS1.1 and TLS1.2
4. `sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml`
5. `/sbin/service pki-cad restart pki-ca`
6. `sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9443` and `sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9444` should accept ciphers only from TLS1.2

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0802.html
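The procedure in this bug pins the JSS connector ranges in server.xml with sed and confirms the result at runtime with sslscan. As an added example (not code from the bug or from the pki-core project), the Python script below audits a constructed server.xml for SSL connectors whose sslVersionRangeStream or sslVersionRangeDatagram still admit anything below TLS 1.2, then rewrites them; it goes beyond the page's sed pattern, which only matches tls1_0 and tls1_1 lower bounds, by also raising ssl3 and by clamping a ceiling that sits below the new floor. The sample XML, the connector layout and the NSS range-name ordering are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the Dogtag 9 server.xml connectors in this bug.
SAMPLE_SERVER_XML = """<Server port="9701" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9180" protocol="HTTP/1.1" />
    <Connector port="9443" SSLEnabled="true" clientAuth="true"
               sslVersionRangeStream="tls1_0:tls1_2"
               sslVersionRangeDatagram="tls1_0:tls1_2" />
    <Connector port="9444" SSLEnabled="true"
               sslVersionRangeStream="tls1_1:tls1_2"
               sslVersionRangeDatagram="ssl3:tls1_2" />
  </Service>
</Server>
"""

# Assumed NSS protocol range names, lowest first (tls1_3 only exists in newer NSS builds).
NSS_ORDER = ["ssl3", "tls1_0", "tls1_1", "tls1_2", "tls1_3"]
RANGE_ATTRS = ("sslVersionRangeStream", "sslVersionRangeDatagram")
RANGE_RE = re.compile(r'(sslVersionRange(?:Stream|Datagram)=")([a-z0-9_]+):([a-z0-9_]+)"')


def audit(xml_text, minimum="tls1_2"):
    """Map each SSL connector port to the range attrs that admit a protocol below `minimum` (unset ranges are flagged too)."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        bad = []
        for attr in RANGE_ATTRS:
            rng = conn.get(attr)
            low = rng.split(":", 1)[0] if rng else None
            if low is None or NSS_ORDER.index(low) < NSS_ORDER.index(minimum):
                bad.append(attr)
        if bad:
            findings[conn.get("port")] = bad
    return findings


def harden(xml_text, minimum="tls1_2"):
    """Raise every range's lower bound to `minimum`, editing the text so comments and layout of server.xml survive."""
    floor = NSS_ORDER.index(minimum)

    def fix(match):
        prefix, low, high = match.groups()
        # Clamp both ends so a ceiling below the new floor (e.g. tls1_0:tls1_1) becomes minimum:minimum.
        low_i = max(NSS_ORDER.index(low), floor)
        high_i = max(NSS_ORDER.index(high), floor)
        return f'{prefix}{NSS_ORDER[low_i]}:{NSS_ORDER[high_i]}"'

    return RANGE_RE.sub(fix, xml_text)
```

audit() is a configuration-side check to run before and after the restart; sslscan against the live ports remains the runtime confirmation that the new range is actually in effect.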