Bug 151705

Summary: Need to update Console Cipher Preferences with new ciphers
Product: Red Hat Directory Server
Reporter: Noriko Hosoi <nhosoi>
Component: Admin
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Priority: medium
Version: 7.1
CC: amsharma, jgalipea, rmeggins
Target Milestone: DS9.0
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-05-06 14:44:50 UTC
Bug Blocks: 434915, 495079    
Attachments (description [review flags]):
DS: git patch file (master) [nhosoi: review?, rmeggins: review+]
AS: git patch file (master) [nhosoi: review?, rmeggins: review+]
idm-console-framework: cvs patch file (head) [nhosoi: review?, rmeggins: review+]
389-ds-console: git patch file (master) [nhosoi: review?, rmeggins: review+]
389-ds-admin-console: git patch file (master) [nhosoi: review?, rmeggins: review+]
steps to verify [none]
Screen_Verified [none]

Description Noriko Hosoi 2005-03-21 19:52:19 UTC

Description of problem:
Reported by Ulf (ulf.com) at HP:

I looked briefly at this and the UI doesn't seem to fit what it is configuring.  In NES server.xml you can set tls and ssl3 to on or off, and then there's a shared list of ciphers called ssl3tlsciphers.  The UI has two tabs of identical SSL3 and TLS ciphers, except the TLS tab includes two additional TLS-exclusive ciphers.  The customer is OK with the workaround of editing server.xml, so requested TFV is 7.1.

The customer has SSL enabled on their NDS 6.21 Admin Server.
Using the Console, they disabled (i.e., unchecked) all of the SSL 2.0 ciphers, all of the TLS ciphers, and all of the SSL 3.0 ciphers except Triple-DES 168-bit SHA.

After restarting the Admin Server, they relaunched the Console and checked the Encryption settings. They found that their SSL 2.0 and SSL 3.0 cipher settings were retained, but all of the TLS, except for None MD5, were reset to enabled.

Testing has confirmed that the Netscape Console Encryption Settings GUI is broken.
The workaround is to manually edit the /var/opt/netscape/servers/admin-serv/config/server.xml file and change the TLS setting under the <SSLPARAMS> tag. Change tls="on" to tls="off" and restart the Admin Server.

There are a couple of caveats to this workaround:

1) The Netscape Console will still incorrectly show the TLS ciphers, except None MD5, as being active.

2) If you use the Netscape Console to make a change to any of the Admin Server encryption settings, it will automatically reset tls="on" in server.xml.


It seems the sec_activate CGI just isn't TLS-aware, it doesn't have the capability of reporting anything about TLS to the Console.  The TLS tab panel is probably being populated in lieu of the information it needs by setSecurityIsDomestic in TurnOnSSL.java.

Ulf 

How reproducible:
Always

Steps to Reproduce:
explained in the description

Comment 1 Rob Crittenden 2005-03-23 15:44:46 UTC
The main problems are:

1. There is no way to turn off tls. It is hardcoded to "on" in set-activate.c
2. If you de-select the TLS ciphers they will magically re-appear the next time
you Configure the admin server. I suspect that what is really happening is that
they are defaulting to "on" because they aren't being set in server.xml.
3. It doesn't appear to actually put the TLS cipher strings into server.xml
(rsa_des_56_sha, rsa_rc4_56_sha)
4. The TLS tab should just list the two TLS ciphers.

The root of the problem is that TLS isn't really handled properly. The Directory
server maintains the "master" configuration and it only contains SSL2 and SSL3
config entries. This may be to mirror the NES configuration, I don't know. The
Java interface does handle tls separately though which may be part of this
disconnect. So I suspect that the TLS tab is slurping in the SSL3 cipher list,
seeing that the 2 TLS ciphers aren't listed and it is adding them, defaulting to
"on".

All but #1 need to be addressed in the console itself. There is some clever
code somewhere that sets ssl2/ssl3 to "off" if all the ciphers are deselected.
Perhaps similar code can be created for tls. I wasn't able to determine where
this was happening.

It would probably be best to have the console set some tls variables to be
picked up by the CGI. At least on/off if that can be determined.

Unfortunately I'm not much of a java hacker and even less of a java swing hacker.

Comment 2 Orla Hegarty 2005-04-18 23:24:45 UTC
Per today's bug council this bug is being latered to 7.2 

Comment 3 To Ngan 2006-12-12 19:02:00 UTC
We need to revisit the cipher list in 7.2

Comment 4 Chandrasekar Kannan 2007-07-25 19:11:14 UTC
DS7.2 is not a valid milestone anymore. Anything that's set to DS7.2 should be
set to DS8.0. Will make further changes per bug council on 07/24/2007, after this.

Comment 6 Rich Megginson 2007-12-18 19:19:11 UTC
We need to update CipherPreferenceDialog.java
1) We need to disable all of the SSLv2 ciphers by default
2) We need to add support for the new SSLv3 and TLSv1 ciphers not listed:
rsa_rc4_128_sha, rsa_null_sha, rsa_des_56_sha, rsa_rc4_56_sha, rsa_aes_128_sha,
rsa_aes_256_sha and any others I may have missed.

In order to get the list, the console calls the sec-activate CGI, which pulls
the list of sslv2 and sslv3 (note - no tls) ciphers from the pset
(cn=encryption,cn=configuration, <admin server SIE>).
3) we should pre-populate the list of ciphers during setup (AdminServer.pm -
initial local.conf generation) to be exactly the same as the default list in
console.conf NSSCiphers
Then the console would show only those ciphers supported by mod_nss

4) Ideally, we would just be able to display the table of ciphers by parsing the
strings such as "rsa_rc4_128_sha" without having to hard code the strings inside
CipherPreferenceDialog.java.  If that's not possible, then the strings should be
moved into the properties file to make it easier to update them without having
to edit the Java code.

Comment 10 Noriko Hosoi 2011-02-03 01:47:01 UTC
Created attachment 476689 [details]
DS: git patch file (master)

Description: Added new ciphers:
    SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_NULL_SHA
Also, added cipher names used by the Admin Server/mod_nss:
    fips_3des_sha for SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
    fips_des_sha for SSL_RSA_FIPS_WITH_DES_CBC_SHA
    rsa_rc4_56_sha for TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    rsa_des_56_sha for TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

Comment 11 Noriko Hosoi 2011-02-03 02:19:43 UTC
Created attachment 476690 [details]
AS: git patch file (master)

Description: When a cipher is updated on the Admin Console | Cipher
Preference dialog, NSSCipherSuite value in console.conf is updated
based on the modification.  If the cipher is on the TLS list, it
was ignored in sec-activate.c.  This patch merges the tls list
into the ssl3 list.  Then, the TLS ciphers are also written to
console.conf.

Comment 12 Noriko Hosoi 2011-02-03 17:26:12 UTC
Created attachment 476828 [details]
idm-console-framework: cvs patch file (head)

Description:
1) added new ciphers.
   rsa_null_sha, tls_rsa_aes_128_sha, tls_rsa_aes_256_sha
2) support 2 cipher names, one for DS and another for AS.
   tls_rsa_export1024_with_des_cbc_sha & rsa_des_56_sha
   tls_rsa_export1024_with_rc4_56_sha & rsa_rc4_56_sha
   tls_rsa_aes_128_sha & rsa_aes_128_sha
   tls_rsa_aes_256_sha & rsa_aes_256_sha
   rsa_fips_des_sha & fips_des_sha
   rsa_fips_3des_sha & fips_3des_sha
3) added CipherPreferenceDialog, which takes tlsonly or (tlsonly 
   and dsstyle) options.
   . tlsonly does not include SSLV3 ciphers in TLS cipher list
     if true
   . dsstyle returns DS style cipher names if true
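
A worked example of the two points raised in Comment 6 (handle the cipher strings by parsing rather than hard-coding them) and in this comment (one cipher under two names, DS style and AS style). This is an added example, not code from the 389 project or from the patches on this bug; it assumes only the preference-string format shown in this bug ("+name,-name,...", LDIF-folded in dse.ldif and quoted in console.conf), and the sample values are constructed.

```python
# Added example, not 389 project code: parse "+name,-name,..." cipher preference
# strings (DS nsSSL3Ciphers / AS NSSCipherSuite), map the two spellings, diff them.

# DS-style name -> Admin Server (mod_nss) name: the pairs listed in Comment 12.
DS_TO_AS = {
    "tls_rsa_export1024_with_des_cbc_sha": "rsa_des_56_sha",
    "tls_rsa_export1024_with_rc4_56_sha": "rsa_rc4_56_sha",
    "tls_rsa_aes_128_sha": "rsa_aes_128_sha",
    "tls_rsa_aes_256_sha": "rsa_aes_256_sha",
    "rsa_fips_des_sha": "fips_des_sha",
    "rsa_fips_3des_sha": "fips_3des_sha",
}

def parse_prefs(value):
    """'+a,-b' -> {'a': True, 'b': False}, after unfolding LDIF-style
    continuation lines and dropping the quotes console.conf puts around it."""
    prefs = {}
    for item in value.replace("\n ", "").replace("\n", "").split(","):
        item = item.strip().strip('"')
        if not item:
            continue
        if item[0] not in "+-":  # an unsigned entry is a config typo; fail loudly
            raise ValueError("cipher entry lacks +/- sign: %r" % item)
        prefs[item[1:].lower()] = item[0] == "+"
    return prefs

def to_as_names(prefs):
    """Rewrite DS-style keys to the Admin Server spelling."""
    return {DS_TO_AS.get(name, name): on for name, on in prefs.items()}

def merge_tls_into_ssl3(ssl3_prefs, tls_prefs):
    """Comment 11's approach: fold the TLS tab into the SSL3 list before it is
    written to NSSCipherSuite, so TLS choices are kept (TLS wins on overlap)."""
    merged = dict(ssl3_prefs)
    merged.update(tls_prefs)
    return merged

def diff_prefs(ds_value, as_value):
    """{cipher: (ds_on, as_on)} for each cipher whose enabled state differs between
    a DS nsSSL3Ciphers value and an AS NSSCipherSuite value; None = not listed."""
    ds, as_ = to_as_names(parse_prefs(ds_value)), parse_prefs(as_value)
    return {n: (ds.get(n), as_.get(n)) for n in sorted(set(ds) | set(as_))
            if ds.get(n) != as_.get(n)}

# Constructed sample values in the shape Comment 17's verification shows: the
# DS side LDIF-folded, the AS side quoted; AES 128 SHA got re-enabled on the AS.
SAMPLE_DS = ("+rsa_rc4_128_md5,-rsa_null_sha,+rsa_fips_3des_sha,+tls_rsa_export\n"
             " 1024_with_rc4_56_sha,-tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha")
SAMPLE_AS = ('"+rsa_rc4_128_md5,-rsa_null_sha,+fips_3des_sha,+rsa_rc4_56_sha,'
             '+rsa_aes_128_sha,+rsa_aes_256_sha"')
```

Running `diff_prefs(SAMPLE_DS, SAMPLE_AS)` on the constructed values reports only `rsa_aes_128_sha` as disabled on the DS side but enabled on the AS side, which is the "check the values match" step from the verification, done without a screenshot.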

Comment 13 Noriko Hosoi 2011-02-03 17:29:48 UTC
Created attachment 476829 [details]
389-ds-console: git patch file (master)

Description: added new ciphers:
    rsa_null_sha, tls_rsa_aes_128_sha, tls_rsa_aes_256_sha

Comment 14 Noriko Hosoi 2011-02-03 17:36:37 UTC
Created attachment 476831 [details]
389-ds-admin-console: git patch file (master)

Description: replaced CipherPreferenceDialog with one which generates
TLS cipher list that does not include SSL3.0-only ciphers to avoid
listing duplicated ciphers on SSL 3.0 pane and TLS pane.

Comment 15 Noriko Hosoi 2011-02-03 17:57:00 UTC
Created attachment 476835 [details]
steps to verify

how to untar the attachment
cd /tmp
tar xvzf /path/to/downloaded/attachment(151705.tar.gz)

on browser
file:///tmp/151705/151705.html

Comment 16 Noriko Hosoi 2011-02-03 18:13:54 UTC
Reviewed by Rich (Thank you!!!)

Pushed to master.

Directory Server:
$ git merge 151705
Updating 5a41728..b7bf3cb
Fast-forward
 ldap/servers/slapd/ssl.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)
$ git push
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 935 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   5a41728..b7bf3cb  master -> master

Admin Server:
$ git merge work
Updating cbd46e4..9e3d762
Fast-forward
 admserv/cgi-src40/sec-activate.c |   21 +++++++++++++++++++--
 1 files changed, 19 insertions(+), 2 deletions(-)
$ git push
Counting objects: 9, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 882 bytes, done.
Total 5 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   cbd46e4..9e3d762  master -> master

idm-console-framework:
Checking in client/security/CipherPreferenceDialog.java;
/cvs/dirsec/console/src/com/netscape/management/client/security/CipherPreferenceDialog.java,v  <--  CipherPreferenceDialog.java
new revision: 1.3; previous revision: 1.2
done
Checking in client/security/securityResource.properties;
/cvs/dirsec/console/src/com/netscape/management/client/security/securityResource.properties,v  <--  securityResource.properties
new revision: 1.4; previous revision: 1.3
done

389-ds-console:
$ git merge work
Updating 21eaba8..77b69ba
Fast-forward
 .../admin/dirserv/panel/EncryptionPanel.java       |   14 ++++++++++----
 1 files changed, 10 insertions(+), 4 deletions(-)
$ git push
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (9/9), 844 bytes, done.
Total 9 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds-console.git
   21eaba8..77b69ba  master -> master

389-ds-admin-console:
$ git merge work
Updating d3e6a17..42c10a6
Fast-forward
 .../management/admserv/panel/TurnOnSSL.java        |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
$ git push
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (9/9), 799 bytes, done.
Total 9 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin-console.git
   d3e6a17..42c10a6  master -> master

Comment 17 Amita Sharma 2011-06-20 10:20:01 UTC
Created attachment 505577 [details]
Screen_Verified

[Test scenario]

Set up the servers
# setup-ds-admin.pl

SSL is not enabled.
# egrep -i --color nsSSL3 slapd-ID/dse.ldif
nsSSL3: off

<ami>
[root@testvm 151705]#  egrep -i --color nsSSL3 /etc/dirsrv/slapd-testvm/dse.ldif
nsSSL3: off
</ami>

# egrep -i --color NSSCipherSuite admin-serv/console.conf
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,
 -rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,
 -fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,
 -rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

<ami>
[root@testvm 151705]# egrep -i --color NSSCipherSuite /etc/dirsrv/admin-serv/console.conf
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,
-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,
-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,
-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
</ami>


SSL is set up. (FYI: Script setupssl2.sh is available at http://directory.fedoraproject.org/wiki/Howto:SSL)
# egrep -i --color nsSSL3 slapd-ID/dse.ldif
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+r
 sa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sh
 a,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc
 4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128_sha,+tls_rsa_
 aes_256_sha

<ami>
[root@testvm scripts]# egrep -i --color nsSSL3 /etc/dirsrv/slapd-testvm/dse.ldif
nsSSL3: on
nsSSL3Ciphers: -rsa_null_md5,+rsa_fips_3des_sha,+rsa_fips_des_sha,+rsa_3des_sh
</ami>


DS Console | Configuration | Encryption | Click Cipher: Settings button.


Note: "None None MD5" and "RC4 128 MD5" on SSL 3.0 and "AES 128 SHA" and "AES 256 SHA" are added.

Disable AES 128 SHA.
# egrep tls_rsa_aes_128_sha /etc/dirsrv/slapd-ID/dse.ldif
 4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,-tls_rsa_aes_128_sha,+tls_rsa_

Restart the Console and open Cipher Preference dialog.  AES 128 SHA is still disabled.

<ami>
-- Yes, AES 128 SHA is still disabled.
</ami>

Admin Server
AS Console | Configuration | Encryption
Click Enable SSL for this serv.
Click Use this cipher family: RSA
Click Cipher: Settings

SSL2.0 / SSL3.0 / TLS panes (see attached screenshots)

ldapsearch ...  -b "cn=encryption,cn=configuration,cn=admin-serv-ID,cn=389 Administration Server,cn=Server Group,cn=FQDN,ou=DN,o=NetscapeRoot" "(cn=*)" nsSSL3Ciphers
...
nsSSL3Ciphers: +rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,
 -rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_a
 es_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha

Disable SSL3.0, RC2 (Export) 40 MD5

<ami>
[root@testvm scripts]# ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "cn=encryption,cn=configuration,cn=admin-serv-testvm,cn=389 administration server,cn=server group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=netscaperoot" "(cn=*)"
# extended LDIF
#

# encryption, configuration, admin-serv-testvm, 389 Administration Server, Se
 rver Group, testvm.pnq.redhat.com, pnq.redhat.com, NetscapeRoot
dn: cn=encryption,cn=configuration,cn=admin-serv-testvm,cn=389 Administration 
 Server,cn=Server Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeRoot
cn: encryption
objectClass: nsEncryptionConfig
objectClass: top
nsCertfile: blank
nsKeyfile: blank
nsSSL2: off
nsSSL3: on
nsSSLSessionTimeout: 0
nsSSL3SessionTimeout: 0
nsSSLClientAuth: off
nsSSL2Ciphers: -des,-rc2export,-rc4export,-desede3,-rc4,-rc2
nsSSL3Ciphers: +rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,
 -rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_ae
 s_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha

# RSA, encryption, configuration, admin-serv-testvm, 389 Administration Serve
 r, Server Group, testvm.pnq.redhat.com, pnq.redhat.com, NetscapeRoot
dn: cn=RSA,cn=encryption,cn=configuration,cn=admin-serv-testvm,cn=389 Administ
 ration Server,cn=Server Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=Ne
 tscapeRoot
cn: RSA
objectClass: nsEncryptionModule
objectClass: top
nsSSLToken: internal (software)
nsSSLPersonalitySSL: Admin-Cert
nsSSLActivation: on

</ami>


ldapsearch ...  -b "cn=encryption,cn=configuration,cn=admin-serv-ID,cn=389 Administration Server,cn=Server Group,cn=FQDN,ou=DN,o=NetscapeRoot" "(cn=*)" nsSSL3Ciphers
...
nsSSL3Ciphers: -rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,
 -rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_a
 es_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha

NSSCipherSuite "-des,-rc2export,-rc4export,-desede3,-rc4,-rc2,-rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,
 +rsa_rc4_40_md5,-rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,-rsa_aes_128_sha,
 +rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha"

<ami>
ldapsearch -x -h localhost -p 1389 -D "cn=Directory Manager" -w Secret123 -b "cn=encryption,cn=configuration,cn=admin-serv-testvm,cn=389 administration server,cn=server group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=netscaperoot" "(cn=*)" nsSSL3Ciphers

# encryption, configuration, admin-serv-testvm, 389 Administration Server, Se
 rver Group, testvm.pnq.redhat.com, pnq.redhat.com, NetscapeRoot
dn: cn=encryption,cn=configuration,cn=admin-serv-testvm,cn=389 Administration 
 Server,cn=Server Group,cn=testvm.pnq.redhat.com,ou=pnq.redhat.com,o=NetscapeR
 oot
nsSSL3Ciphers: +rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,
 -rsa_null_sha,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5,+rsa_ae
 s_128_sha,+rsa_aes_256_sha,+rsa_des_56_sha,+rsa_rc4_56_sha


Restart the servers and check the values match.
Note: once SSL on AS is enabled, you need to access the AS with https://host:port.

PFA for the screen shots. Marking VERIFIED.