Bug 1530546
Summary: | Allow restricting TLS version in capsule | |
---|---|---|---
Product: | Red Hat Satellite | Reporter: | Tomer Brisker <tbrisker>
Component: | Foreman Proxy | Assignee: | Stephen Benjamin <stbenjam>
Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk>
Severity: | medium | Docs Contact: |
Priority: | unspecified | |
Version: | 6.2.0 | CC: | ddolguik, ktordeur, lpramuk, mmccune, mvanderw
Target Milestone: | 6.4.0 | Keywords: | Triaged
Target Release: | Unused | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2018-10-16 18:54:56 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Tomer Brisker
2018-01-03 10:20:23 UTC
Created from redmine issue http://projects.theforeman.org/issues/21350

Upstream bug assigned to ehelms

Upstream bug assigned to stbenjam

Upstream bug assigned to stbenjam

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/21350 has been resolved.

VERIFIED for me.

similar to: https://bugzilla.redhat.com/show_bug.cgi?id=1553875#c5

NOTE: There are slightly different settings required for custom-hiera.yaml on the Capsule, here is what I used:

    # Foreman Proxy
    foreman_proxy::tls_disabled_versions: ['1.0', '1.1']
    foreman_proxy::ssl_disabled_ciphers: ['TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_RC4_128_SHA']
    # Dynflow
    foreman_proxy::plugin::dynflow::ssl_disabled_ciphers: ['TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_RC4_128_SHA']
    foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.0', '1.1']
    # Apache
    pulp::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"
    foreman_proxy_content::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"
    apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1', '-TLSv1.1', '+TLSv1.2']
    apache::mod::ssl::ssl_cipher: '!aNULL:!eNULL:!LOW:!DES:!3DES:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS:!ADH:HIGH'
    # Tomcat
    candlepin::tls_versions: ['1.2']
    # QPID Dispatch
    foreman_proxy_content::qpid_router_ssl_protocols: ['TLSv1.2']
    foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'

Before tuning in custom-hiera.yaml:

    # for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers `hostname` -p $port| grep -e weak -e TLSv -e SSLv ; done
    5647:
    |   TLSv1.0:
    |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
    |   TLSv1.1:
    |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
    |   TLSv1.2:
    |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
    |_  least strength: weak
    9090:
    |   TLSv1.1:
    |   TLSv1.2:
    8008:
    |   TLSv1.1:
    |   TLSv1.2:
    8140:
    |   TLSv1.2:
    443:
    |   SSLv3: No supported ciphers found
    |   TLSv1.0:
    |   TLSv1.1:
    |   TLSv1.2:
    5000:
    |   SSLv3: No supported ciphers found
    |   TLSv1.0:
    |   TLSv1.1:
    |   TLSv1.2:
    8443:
    |   TLSv1.1:
    |   TLSv1.2:

After tuning:

    # for port in 5647 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers `hostname` -p $port| grep -e weak -e TLSv -e SSLv ; done
    5647:
    |   TLSv1.2:
    9090:
    |   TLSv1.2:
    8008:
    8140:
    |   TLSv1.2:
    443:
    |   SSLv3: No supported ciphers found
    |   TLSv1.2:
    5000:
    |   SSLv3: No supported ciphers found
    |   TLSv1.2:
    8443:
    |   SSLv3: No supported ciphers found
    |   TLSv1.2:

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927
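The verification above is done by eye over the grepped `ssl-enum-ciphers` output. The script below is an added example, not part of this bug report or of Foreman/Satellite: it parses that grepped output format and flags every port that still offers a protocol version outside an allowed set, or a cipher nmap rates "weak", so the before/after comparison becomes a pass/fail check. The two samples are constructed from the output quoted in the verification comment; the allowed-version policy (TLSv1.2 only) and all function names are my own assumptions.

```python
import re
from typing import Dict, List

# Policy assumed for this example: nothing but TLS 1.2 may be negotiable.
ALLOWED_VERSIONS = {"TLSv1.2"}

# Line shapes in the grepped nmap output (see the bug comment):
#   "5647:"                                  -> start of a port section
#   "|   TLSv1.0:"                           -> version offered
#   "|   SSLv3: No supported ciphers found"  -> version probed but NOT offered
#   "|       TLS_RSA_WITH_IDEA_CBC_SHA - weak" -> cipher nmap rates weak
PORT_RE = re.compile(r"^(\d+):\s*$")
PROTO_RE = re.compile(r"^\|_?\s+(SSLv\d|TLSv\d\.\d):\s*(.*)$")
WEAK_RE = re.compile(r"^\|_?\s+(\S+)(?:\s+\([^)]*\))?\s+-\s+weak\s*$")


def parse_scan(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {port: {"versions": [...], "weak": [...]}} from grepped output."""
    result: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"versions": [], "weak": []}
            continue
        if current is None:
            continue  # ignore anything before the first port header
        m = PROTO_RE.match(line)
        if m:
            version, rest = m.group(1), m.group(2)
            # "No supported ciphers found" means the version was probed but
            # nothing negotiated, so it is not actually offered.
            if "No supported ciphers" not in rest:
                result[current]["versions"].append(version)
            continue
        m = WEAK_RE.match(line)
        if m:
            result[current]["weak"].append(m.group(1))
    return result


def check_policy(scan: Dict[str, Dict[str, List[str]]],
                 allowed=ALLOWED_VERSIONS) -> Dict[str, List[str]]:
    """Map each port to a list of policy violations (empty list = compliant)."""
    findings: Dict[str, List[str]] = {}
    for port, info in scan.items():
        issues = [f"{v} still offered" for v in info["versions"] if v not in allowed]
        issues += [f"weak cipher {c}" for c in info["weak"]]
        findings[port] = issues
    return findings


def noncompliant_ports(text: str) -> List[str]:
    """Ports (ascending) that fail the policy for the given scan output."""
    findings = check_policy(parse_scan(text))
    return sorted((p for p, issues in findings.items() if issues), key=int)


# Constructed samples, transcribed from the before/after output in the comment.
BEFORE_SAMPLE = """\
5647:
|   TLSv1.0:
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|   TLSv1.1:
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|   TLSv1.2:
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|_  least strength: weak
9090:
|   TLSv1.1:
|   TLSv1.2:
8008:
|   TLSv1.1:
|   TLSv1.2:
8140:
|   TLSv1.2:
443:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:
"""

AFTER_SAMPLE = """\
5647:
|   TLSv1.2:
9090:
|   TLSv1.2:
8008:
8140:
|   TLSv1.2:
443:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_SAMPLE), ("after", AFTER_SAMPLE)):
        bad = noncompliant_ports(sample)
        print(f"{label}: {'PASS' if not bad else 'FAIL on ports ' + ', '.join(bad)}")
        for port, issues in check_policy(parse_scan(sample)).items():
            for issue in issues:
                print(f"  {port}: {issue}")
```

To use it against a live capsule, pipe the same `for port in ...; do ...; done` loop from the comment into a file and feed that file's contents to `noncompliant_ports()`; a port with no version lines at all (8008 after tuning) is reported as compliant, so check separately that the service there is actually meant to be closed.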