Bug 1469169

Summary: Weak ciphers (3DES) should not be enabled by default anymore
Product: Red Hat Enterprise Linux 7 Reporter: Thorsten Scherf <tscherf>
Component: pki-coreAssignee: Jack Magne <jmagne>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: medium Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: medium    
Version: 7.4CC: akahat, enewland, jmagne, mharmsen
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: pki-core-10.5.1-1.el7 Doc Type: Enhancement
Doc Text:
Certificate System disables weak 3DES ciphers by default By default, Certificate System now disables ciphers based on the weak Triple Data Encryption Standard (3DES). This increases the security of the system. However, administrators are able to enable these ciphers again, if needed. For details, see https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/configuring-ciphers. As a result, new Certificate System installations have only strong ciphers enabled by default.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 17:00:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Thorsten Scherf 2017-07-10 14:48:44 UTC 
Description of problem:

I see the following two ciphers enabled by default in the base/server/share/conf/ciphers.info file:

+TLS_RSA_WITH_3DES_EDE_CBC_SHA
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Can we disable those ciphers by default so that they need to be explicitly enabled in case they are needed?

Version-Release number of selected component (if applicable):
pki-core-10.4.1

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Jack Magne 2017-11-01 00:21:45 UTC 
commit 5ada777e54d0e79588c5516e18eefdbccbe36cea
Author: Jack Magne <jmagne>
Date:   Wed Oct 4 10:50:46 2017 -0700

    Fix Weak ciphers (3DES) should not be enabled by default anymore.
   
    Ticket: https://pagure.io/dogtagpki/issue/2821
   
    This fix simply does the following:
   
    1.  Makes sure that the ciphers below are not enabled by default on new
    installations of a CS subsystem:
   
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
   
    2. The informational text file ciphers.info has been updated to reflect the change.
   
    To restate, this only affects brand new installs. Existing instances will have to be
    modified manually, but this is not a huge task.

    3. Since the idea was to remove 3DES related ciphers, decided to disable the rest of
    those involving 3DES. They can be rescued if required by the user.

    Change-Id: I1fbef9fbe0fa509a65e167161e30f41204d4197d

commit 78e4bbc4b696b52036fa18caff5f92c02dc80d88
Comment 3 Amol K 2017-12-18 07:12:31 UTC 
I tested this Bugzilla on 10.5.1-5 version. 

In file /etc/pki/<instance_name>/ciphers.info, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA algorithms are disabled by default.

Verifying this bug.
Comment 8 errata-xmlrpc 2018-04-10 17:00:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925