Bug 151705
| Field | Value |
|---|---|
| Summary | Need to update Console Cipher Preferences with new ciphers |
| Product | Red Hat Directory Server |
| Reporter | Noriko Hosoi <nhosoi> |
| Component | Admin |
| Assignee | Noriko Hosoi <nhosoi> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Viktor Ashirov <vashirov> |
| Severity | medium |
| Priority | medium |
| Version | 7.1 |
| CC | amsharma, jgalipea, rmeggins |
| Target Milestone | DS9.0 |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2016-05-06 14:44:50 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 434915, 495079 |
Description
Noriko Hosoi
2005-03-21 19:52:19 UTC
The main problems are:

1. There is no way to turn off tls. It is hardcoded to "on" in set-activate.c
2. If you de-select the TLS ciphers they will magically re-appear the next time you Configure the admin server. I suspect that what is really happening is that they are defaulting to "on" because they aren't being set in server.xml.
3. It doesn't appear to actually put the TLS cipher strings into server.xml (rsa_des_56_sha, rsa_rc4_56_sha)
4. The TLS tab should just list the two TLS ciphers.

The root of the problem is that TLS isn't really handled properly. The Directory server maintains the "master" configuration and it only contains SSL2 and SSL3 config entries. This may be to mirror the NES configuration, I don't know. The Java interface does handle tls separately though, which may be part of this disconnect. So I suspect that the TLS tab is slurping in the SSL3 cipher list, seeing that the 2 TLS ciphers aren't listed, and it is adding them, defaulting to "on".

All but #1 need to be addressed in the console itself. There is some clever code somewhere that sets ssl2/ssl3 to "off" if all the ciphers are deselected. Perhaps similar code can be created for tls. I wasn't able to determine where this was happening. It would probably be best to have the console set some tls variables to be picked up by the CGI. At least on/off if that can be determined. Unfortunately I'm not much of a java hacker and even less of a java swing hacker.

Per today's bug council this bug is being latered to 7.2

We need to revisit the cipher list in 7.2

DS7.2 is not a valid milestone anymore. Anything that's set to DS7.2 should be set to DS8.0.

Will make further changes per bug council on 07/24/2007, after this.

We need to update CipherPreferenceDialog.java

1) We need to disable all of the SSLv2 ciphers by default
2) We need to add support for the new SSLv3 and TLSv1 ciphers not listed: rsa_rc4_128_sha, rsa_null_sha, rsa_des_56_sha, rsa_rc4_56_sha, rsa_aes_128_sha, rsa_aes_256_sha and any others I may have missed. In order to get the list, the console calls the sec-activate CGI, which pulls the list of sslv2 and sslv3 (note - no tls) ciphers from the pset (cn=encryption,cn=configuration, <admin server SIE>).
3) We should pre-populate the list of ciphers during setup (AdminServer.pm - initial local.conf generation) to be exactly the same as the default list in console.conf NSSCiphers. Then the console would show only those ciphers supported by mod_nss.
4) Ideally, we would just be able to display the table of ciphers by parsing the strings such as "rsa_rc4_128_sha" without having to hard code the strings inside CipherPreferenceDialog.java. If that's not possible, then the strings should be moved into the properties file to make it easier to update them without having to edit the Java code.

Created attachment 476689 [details]
DS: git patch file (master)
Description: Added new ciphers:
SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_NULL_SHA
Also, added cipher names used by the Admin Server/mod_nss:
fips_3des_sha for SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
fips_des_sha for SSL_RSA_FIPS_WITH_DES_CBC_SHA
rsa_rc4_56_sha for TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
rsa_des_56_sha for TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
Created attachment 476690 [details]
AS: git patch file (master)
Description: When a cipher is updated on the Admin Console | Cipher
Preference dialog, NSSCipherSuite value in console.conf is updated
based on the modification. If the cipher is on the TLS list, it
was ignored in sec-activate.c. This patch merges the tls list
into the ssl3 list. Then, the TLS ciphers are also written to
console.conf.
Created attachment 476828 [details]
idm-console-framework: cvs patch file (head)
Description:
1) added new ciphers.
rsa_null_sha, tls_rsa_aes_128_sha, tls_rsa_aes_256_sha
2) support 2 cipher names, one for DS and another for AS.
tls_rsa_export1024_with_des_cbc_sha & rsa_des_56_sha
tls_rsa_export1024_with_rc4_56_sha & rsa_rc4_56_sha
tls_rsa_aes_128_sha & rsa_aes_128_sha
tls_rsa_aes_256_sha & rsa_aes_256_sha
rsa_fips_des_sha & fips_des_sha
rsa_fips_3des_sha & fips_3des_sha
3) added CipherPreferenceDialog, which takes tlsonly or (tlsonly
and dsstyle) options.
. tlsonly does not include SSLV3 ciphers in TLS cipher list
if true
. dsstyle returns DS style cipher names if true
Created attachment 476829 [details]
389-ds-console: git patch file (master)
Description: added new ciphers:
rsa_null_sha, tls_rsa_aes_128_sha, tls_rsa_aes_256_sha
Created attachment 476831 [details]
389-ds-admin-console: git patch file (master)
Description: replaced CipherPreferenceDialog with one which generates
TLS cipher list that does not include SSL3.0-only ciphers to avoid
listing duplicated ciphers on SSL 3.0 pane and TLS pane.
Created attachment 476835 [details]
steps to verify
how to untar the attachment
cd /tmp
tar xvzf /path/to/downloaded/attachment(151705.tar.gz)
on browser
file:///tmp/151705/151705.html
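The comments above ask for the cipher table to be built by parsing strings such as "rsa_rc4_128_sha" instead of hard-coding them, list the DS-style and AS-style name pairs the idm-console-framework patch supports, and describe the Admin Server patch merging the TLS list into the SSL3 list before writing NSSCipherSuite. The following is an added Python example, not code from 389 DS, the Admin Server or the console, that does those three things and finishes with the "check the values match" comparison used in the verification below. Everything in it is this example's own assumption: the name pattern `<family>_<cipher>[_<bits>]_<mac>`, the TLS-only set (the four TLS suites named in this bug), and all function and class names.

```python
"""Cipher-preference helpers for the DS / Admin Server cipher strings in this bug.
Added example, not code from 389 DS, the Admin Server or the console.
Assumptions: cipher names follow "<family>_<cipher>[_<bits>]_<mac>", the DS/AS
name pairs are the ones in the idm-console-framework patch note, and the
TLS-only set is the four TLS suites named in this bug."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# DS-style name -> Admin Server / mod_nss-style name (pairs from the patch note)
DS_TO_AS: Dict[str, str] = {
    "tls_rsa_export1024_with_des_cbc_sha": "rsa_des_56_sha",
    "tls_rsa_export1024_with_rc4_56_sha": "rsa_rc4_56_sha",
    "tls_rsa_aes_128_sha": "rsa_aes_128_sha",
    "tls_rsa_aes_256_sha": "rsa_aes_256_sha",
    "rsa_fips_des_sha": "fips_des_sha",
    "rsa_fips_3des_sha": "fips_3des_sha",
}
AS_TO_DS: Dict[str, str] = {v: k for k, v in DS_TO_AS.items()}

# Ciphers shown on the TLS pane only (assumption: the TLS_* suites of this bug)
TLS_ONLY = frozenset({"rsa_des_56_sha", "rsa_rc4_56_sha",
                      "rsa_aes_128_sha", "rsa_aes_256_sha"})


@dataclass(frozen=True)
class CipherPref:
    enabled: bool          # '+' or '-' prefix in the preference string
    name: str              # canonical (AS-style) name
    cipher: str            # e.g. rc4, 3des, null, fortezza
    bits: Optional[int]    # key bits when the name carries them
    mac: Optional[str]     # sha, md5, or None (SSL2 names carry no MAC)


def to_as_name(name: str) -> str:
    return DS_TO_AS.get(name, name)


def to_ds_name(name: str) -> str:
    return AS_TO_DS.get(name, name)


def unfold_ldif(value: str) -> str:
    """Join LDIF continuation lines (newline + one space) back together."""
    return re.sub(r"\r?\n ", "", value)


def parse_prefs(value: str) -> List[CipherPref]:
    """Parse '+a,-b, +c' (optionally quoted) into structured entries."""
    prefs: List[CipherPref] = []
    for tok in re.split(r"[,\s]+", value.strip().strip('"')):
        if not tok:
            continue
        sign, raw = tok[0], tok[1:].lower()
        if sign not in "+-" or not raw:
            raise ValueError(f"entry must be +name or -name: {tok!r}")
        name = to_as_name(raw)
        parts = name.split("_")
        mac = parts[-1] if parts[-1] in ("sha", "md5") else None
        body = parts[:-1] if mac else parts
        bits = int(body[-1]) if body and body[-1].isdigit() else None
        if bits is not None:
            body = body[:-1]
        cipher = body[-1] if body else name
        prefs.append(CipherPref(sign == "+", name, cipher, bits, mac))
    return prefs


def protocol_enabled(prefs: List[CipherPref]) -> bool:
    """A protocol is effectively off once every one of its ciphers is deselected."""
    return any(p.enabled for p in prefs)


def split_panes(prefs: List[CipherPref]) -> Tuple[List[CipherPref], List[CipherPref]]:
    """SSL 3.0 pane vs TLS pane, so the same cipher is never listed twice."""
    ssl3 = [p for p in prefs if p.name not in TLS_ONLY]
    tls = [p for p in prefs if p.name in TLS_ONLY]
    return ssl3, tls


def format_prefs(prefs) -> str:
    return ",".join(("+" if p.enabled else "-") + p.name for p in prefs)


def merge_for_console_conf(ssl2: str, ssl3: str, tls: str) -> str:
    """NSSCipherSuite value: SSL2 list, then SSL3 list with the TLS list merged in."""
    merged: Dict[str, CipherPref] = {}
    for p in parse_prefs(ssl2) + parse_prefs(ssl3) + parse_prefs(tls):
        merged[p.name] = p   # a later mention of a name overrides an earlier one
    return format_prefs(merged.values())


def mismatches(ds_value: str, as_value: str) -> Dict[str, Tuple[bool, bool]]:
    """Names whose on/off state differs between nsSSL3Ciphers (DS) and NSSCipherSuite (AS)."""
    ds = {p.name: p.enabled for p in parse_prefs(ds_value)}
    as_ = {p.name: p.enabled for p in parse_prefs(as_value)}
    return {n: (ds[n], as_[n]) for n in sorted(ds.keys() & as_.keys()) if ds[n] != as_[n]}


if __name__ == "__main__":
    # Constructed sample, shaped like the dse.ldif value later in this bug
    folded = "+rsa_rc4_128_md5,+r\n sa_rc2_40_md5,+tls_rsa_aes_128_sha"
    for p in parse_prefs(unfold_ldif(folded)):
        print(p)
```

Feeding `unfold_ldif` the raw attribute value before `parse_prefs` matters because LDIF folds long values at a fixed width and the break can fall inside a cipher name, as the `+r` / `sa_rc2_40_md5` split in the verification output shows. `mismatches` normalises both sides to AS-style names first, so a DS entry such as `-tls_rsa_aes_128_sha` is compared against the Admin Server's `-rsa_aes_128_sha` rather than reported as missing.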
Reviewed by Rich (Thank you!!!) Pushed to master.

Directory Server:
$ git merge 151705
Updating 5a41728..b7bf3cb
Fast-forward
 ldap/servers/slapd/ssl.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)
$ git push
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 935 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   5a41728..b7bf3cb  master -> master

Admin Server:
$ git merge work
Updating cbd46e4..9e3d762
Fast-forward
 admserv/cgi-src40/sec-activate.c | 21 +++++++++++++++++++--
 1 files changed, 19 insertions(+), 2 deletions(-)
$ git push
Counting objects: 9, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 882 bytes, done.
Total 5 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   cbd46e4..9e3d762  master -> master

idm-console-framework:
Checking in client/security/CipherPreferenceDialog.java;
/cvs/dirsec/console/src/com/netscape/management/client/security/CipherPreferenceDialog.java,v  <--  CipherPreferenceDialog.java
new revision: 1.3; previous revision: 1.2
done
Checking in client/security/securityResource.properties;
/cvs/dirsec/console/src/com/netscape/management/client/security/securityResource.properties,v  <--  securityResource.properties
new revision: 1.4; previous revision: 1.3
done

389-ds-console:
$ git merge work
Updating 21eaba8..77b69ba
Fast-forward
 .../admin/dirserv/panel/EncryptionPanel.java | 14 ++++++++++----
 1 files changed, 10 insertions(+), 4 deletions(-)
$ git push
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (9/9), 844 bytes, done.
Total 9 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds-console.git
   21eaba8..77b69ba  master -> master

389-ds-admin-console:
$ git merge work
Updating d3e6a17..42c10a6
Fast-forward
 .../management/admserv/panel/TurnOnSSL.java | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
$ git push
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (9/9), 799 bytes, done.
Total 9 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin-console.git
   d3e6a17..42c10a6  master -> master

Created attachment 505577 [details]
Screen_Verified

[Test scenario]

Set up the servers
# setup-ds-admin.pl

SSL are not enabled.
# egrep -i --color nsSSL3 slapd-ID/dse.ldif
nsSSL3: off
<ami>
[root@testvm 151705]# egrep -i --color nsSSL3 /etc/dirsrv/slapd-testvm/dse.ldif
nsSSL3: off
</ami>

# egrep -i --color NSSCipherSuite admin-serv/console.conf
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,
-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,
-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,
-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
<ami>
[root@testvm 151705]# egrep -i --color NSSCipherSuite /etc/dirsrv/admin-serv/console.conf
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,
-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,
-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,
-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
</ami>

SSL is set up.
(FYI: Script setupssl2.sh is available at http://directory.fedoraproject.org/wiki/Howto:SSL)
# egrep -i --color nsSSL3 slapd-ID/dse.ldif
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+r
 sa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sh
 a,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc
 4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128_sha,+tls_rsa_
 aes_256_sha
<ami>
[root@testvm scripts]# egrep -i --color nsSSL3 /etc/dirsrv/slapd-testvm/dse.ldif
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_fips_3des_sha,+rsa_fips_des_sha,+rsa_3des_sh
</ami>

DS Console | Configuration | Encryption | Click Cipher: Settings button.
Note: "None None MD5" and "RC4 128 MD5" on SSL 3.0 and "AES 128 SHA" and "AES 256 SHA" are added.

Disable AES 128 SHA.
# egrep tls_rsa_aes_128_sha /etc/dirsrv/slapd-ID/dse.ldif
 4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,-tls_rsa_aes_128_sha,+tls_rsa_

Restart the Console and open Cipher Preference dialog. AES 128 SHA is still disabled.
<ami> -- Yes, AES 128 SHA is still disabled. </ami>

Admin Server
AS Console | Configuration | Encryption
Click Enable SSL for this serv.
Click Use this cipher family: RSA
Click Cipher: Settings
SSL2.0 SSL3.0 TLS

ldapsearch ... -b "cn=encryption,cn=configuration,cn=admin-serv-ID,cn=389 Administration Server,cn=Server Group,cn=FQDN,ou=DN,o=NetscapeRoot" "(cn=*)" nsSSL3Ciphers
...
nsSSL3Ciphers: +rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,
 -rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_a
 es_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha

Disable SSL3.0, RC2 (Export) 40 MD5
<ami>
[root@testvm scripts]# ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "cn=encryption,cn=configuration,cn=admin-serv-testvm,cn=389 administration server,cn=server group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=netscaperoot" "(cn=*)"
# extended LDIF
#
# encryption, configuration, admin-serv-testvm, 389 Administration Server, Se
 rver Group, testvm.pnq.redhat.com, pnq.redhat.com, NetscapeRoot
dn: cn=encryption,cn=configuration,cn=admin-serv-testvm,cn=389 Administration
 Server,cn=Server Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeRoot
cn: encryption
objectClass: nsEncryptionConfig
objectClass: top
nsCertfile: blank
nsKeyfile: blank
nsSSL2: off
nsSSL3: on
nsSSLSessionTimeout: 0
nsSSL3SessionTimeout: 0
nsSSLClientAuth: off
nsSSL2Ciphers: -des,-rc2export,-rc4export,-desede3,-rc4,-rc2
nsSSL3Ciphers: +rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,
 -rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_ae
 s_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha

# RSA, encryption, configuration, admin-serv-testvm, 389 Administration Serve
 r, Server Group, testvm.pnq.redhat.com, pnq.redhat.com, NetscapeRoot
dn: cn=RSA,cn=encryption,cn=configuration,cn=admin-serv-testvm,cn=389 Administ
 ration Server,cn=Server Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=Ne
 tscapeRoot
cn: RSA
objectClass: nsEncryptionModule
objectClass: top
nsSSLToken: internal (software)
nsSSLPersonalitySSL: Admin-Cert
nsSSLActivation: on
</ami>

ldapsearch ... -b "cn=encryption,cn=configuration,cn=admin-serv-ID,cn=389 Administration Server,cn=Server Group,cn=FQDN,ou=DN,o=NetscapeRoot" "(cn=*)" nsSSL3Ciphers
...
nsSSL3Ciphers: -rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,
 -rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_a
 es_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha

NSSCipherSuite "-des,-rc2export,-rc4export,-desede3,-rc4,-rc2,-rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,
+rsa_rc4_40_md5,-rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,-rsa_aes_128_sha,
+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha"

<ami>
ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "cn=encryption,cn=configuration,cn=admin-serv-testvm,cn=389 administration server,cn=server group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=netscaperoot" "(cn=*)" nsSSL3Ciphers
# encryption, configuration, admin-serv-testvm, 389 Administration Server, Se
 rver Group, testvm.pnq.redhat.com, pnq.redhat.com, NetscapeRoot
dn: cn=encryption,cn=configuration,cn=admin-serv-testvm,cn=389 Administration
 Server,cn=Server Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeR
 oot
nsSSL3Ciphers: +rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,
 -rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_ae
 s_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha
</ami>

Restart the servers and check the values match.
Note: once SSL on AS is enabled, you need to access the AS with https://host:port.

PFA for the screen shots.
Marking VERIFIED.