Bug 1454607

Summary: Enable explicit cipher suite blacklist in the config file to avoid SWEET32 attack
Product: Red Hat Enterprise Linux 7 Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: openwsmanAssignee: Vitezslav Crhonek <vcrhonek>
Status: CLOSED ERRATA QA Contact: Alois Mahdal <amahdal>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.4CC: amahdal, psklenar, security-response-team
Target Milestone: rcKeywords: Security
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: openwsman-2.6.3-1.git4391e5c.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 14:49:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1465906    

Description Huzaifa S. Sidhpurwala 2017-05-23 07:28:31 UTC 
It was found that openwsman-server might possibly use TripleDES encryption which would make it vulnerable against SWEET. 

Reference:

https://bugzilla.novell.com/show_bug.cgi?id=1034689

Upstream patches:

https://github.com/Openwsman/openwsman/commit/13b9432758ac772c5aac60d19cd9c7021fa1ea4c
https://github.com/Openwsman/openwsman/commit/0d586a3863a5a30ee0fa34545db99889bb7a4c39
Comment 3 Alois Mahdal 2018-02-20 17:33:17 UTC 
A little note:

    ssl_cipher_list=

seems to behave differently than eg. `openssl ciphers ''`.  The latter would disable all ciphers, while the former just leaves the default settings (not calling  SSL_CTX_set_cipher_list() at all).

I've raised the question on openwsman-devel list (no reply yet).

    https://sourceforge.net/p/openwsman/mailman/openwsman-devel/?viewmonth=201802
Comment 4 Alois Mahdal 2018-02-22 16:27:40 UTC 
Tested manually on x86_64.  (I have also created automated test, but it's failing for other reasons so I have not added it to suite yet.)

Turns out that there are multiple ciphers that openwsmand does not really enable, for example:

 *  all EC ciphers (bug 1547144),

 *  some SSLv3 ciphers (eg. ADH-DES-CBC3-SHA), despite sslv3 not being disabled
    by ssl_disable protocols, and openssl ciphers listing the cipher),

 *  probably some others (I haven't done exhaustive test).

Anyway, the main functionality has been implemented; most ciphers work and most importantly, 3DES can be disabled by eg. `ssl_cipher_list=DEFAULT:!3DES`.
Comment 7 errata-xmlrpc 2018-04-10 14:49:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0829