Bug 1540789
| Summary: | Make sslget aware of TLSv1_2 ciphers | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> |
| Component: | pki-core | Assignee: | Christian Heimes <cheimes> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.6 | CC: | bbhavsar, msauton |
| Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | FIPS ciphers were previously documented for the server in https://bugzilla.redhat.com/show_bug.cgi?id=1539125 - restrict default cipher suite to those ciphers permitted in fips mode; this is merely applying similar logic to the command-line tool. | Story Points: | --- |
| Clone Of: | | | |
| : | 1552241 | Environment: | |
| Last Closed: | 2018-10-30 11:05:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1552241 | | |
Description
Matthew Harmsen
2018-02-01 02:26:37 UTC
commit 27142606930f87023e7e1981dfbc76199d4dd240 (HEAD -> master, origin/master, origin/HEAD)
Author: Christian Heimes <cheimes>
Date:   Thu Feb 22 10:22:41 2018 +0100

    Modernize sslget's TLS version and cipher suite

    Disable all cipher suites unless NSS says it's a FIPS approved suite.

    * SSL 2.0 and SSL 3.0 are disabled
    * Broken or weak suites with 3DES, RC4 and effective key bits less than
      80 bits are disabled.

    Fixes: https://pagure.io/dogtagpki/issue/2918
    Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8
    Signed-off-by: Christian Heimes <cheimes>

QE Test Procedure:

(1) Install the latest NSS (e.g. - >= nss-3.34.0-4):

    # rpm -q nss
    nss-3.34.0-4.el7.x86_64

(2) Install a basic CA:

    # script -c "pkispawn -s CA -f /root/pki/CA.cfg -vvv" typescript.ca

    where '/root/pki/CA.cfg' contains:

    [DEFAULT]
    pki_admin_password=<password>
    pki_client_pkcs12_password=<password>
    pki_ds_password=<password>

(3) Create a raw internal password file in '/tmp/password.conf':

    # cd /var/lib/pki/pki-tomcat/conf
    # cp -p password.conf /tmp/password.conf
    # vi /tmp/password.conf
      * remove "internal="
      * delete "internaldb=<password>"
      * delete "replicationdb=<number>"

(4) Run the following sslget() command:

    # sslget -d /var/lib/pki/pki-tomcat/alias -w /tmp/password.conf -n 'Server-Cert cert-pki-tomcat' -v -r 'http://<fqdn>' <fqdn>:80 >/tmp/ciphers 2>&1

(5) Edit and sort /tmp/ciphers:

    # vi /tmp/ciphers
      * delete the first four lines
      * delete the last four lines
    # sort /tmp/ciphers > /tmp/ciphers.sorted
    # cat /tmp/ciphers.sorted
    disabled TLS_AES_256_GCM_SHA384 (not FIPS)
    disabled TLS_CHACHA20_POLY1305_SHA256 (not FIPS)
    disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (3DES)
    disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (disabled by default)
    disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (disabled by default)
    disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (disabled by default)
    disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (disabled by default)
    disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
    disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
    disabled TLS_DHE_DSS_WITH_DES_CBC_SHA (disabled by default)
    disabled TLS_DHE_DSS_WITH_RC4_128_SHA (disabled by default)
    disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
    disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
    disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
    disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
    disabled TLS_DHE_RSA_WITH_DES_CBC_SHA (disabled by default)
    disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
    disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (disabled by default)
    disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (disabled by default)
    disabled TLS_ECDH_ECDSA_WITH_NULL_SHA (disabled by default)
    disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA (disabled by default)
    disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
    disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (disabled by default)
    disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
    disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA (disabled by default)
    disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (disabled by default)
    disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
    disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (disabled by default)
    disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
    disabled TLS_ECDHE_RSA_WITH_NULL_SHA (disabled by default)
    disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA (disabled by default)
    disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
    disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (disabled by default)
    disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (disabled by default)
    disabled TLS_ECDH_RSA_WITH_NULL_SHA (disabled by default)
    disabled TLS_ECDH_RSA_WITH_RC4_128_SHA (disabled by default)
    disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
    disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
    disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
    disabled TLS_RSA_WITH_DES_CBC_SHA (disabled by default)
    disabled TLS_RSA_WITH_NULL_MD5 (disabled by default)
    disabled TLS_RSA_WITH_NULL_SHA256 (disabled by default)
    disabled TLS_RSA_WITH_NULL_SHA (disabled by default)
    disabled TLS_RSA_WITH_RC4_128_MD5 (not FIPS)
    disabled TLS_RSA_WITH_RC4_128_SHA (not FIPS)
    disabled TLS_RSA_WITH_SEED_CBC_SHA (disabled by default)
    enabled TLS_AES_128_GCM_SHA256
    enabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    enabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    enabled TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    enabled TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    enabled TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    enabled TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    enabled TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    enabled TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    enabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    enabled TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    enabled TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    enabled TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    enabled TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    enabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    enabled TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    enabled TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    enabled TLS_RSA_WITH_AES_128_CBC_SHA
    enabled TLS_RSA_WITH_AES_128_CBC_SHA256
    enabled TLS_RSA_WITH_AES_128_GCM_SHA256
    enabled TLS_RSA_WITH_AES_256_CBC_SHA
    enabled TLS_RSA_WITH_AES_256_CBC_SHA256
    enabled TLS_RSA_WITH_AES_256_GCM_SHA384

Verified with build:

    [root@pki1 conf]# rpm -q nss
    nss-3.36.0-5.el7_5.x86_64
    [root@pki1 conf]# rpm -qa pki-*
    pki-base-java-10.5.9-4.el7.noarch
    pki-tps-10.5.9-1.el7pki.x86_64
    pki-javadoc-10.4.1-10.el7.noarch
    pki-symkey-10.5.9-4.el7.x86_64
    pki-base-10.5.9-4.el7.noarch
    pki-tools-10.5.9-4.el7.x86_64
    pki-server-10.5.9-4.el7.noarch
    pki-kra-10.5.9-4.el7.noarch
    pki-ca-10.5.9-4.el7.noarch
    pki-console-10.5.1-5.el7pki.noarch
    pki-tks-10.5.9-1.el7pki.noarch
    pki-ocsp-10.5.9-1.el7pki.noarch

Steps performed as per comment #5:

    [root@pki1 conf]# certutil -L -d /var/lib/pki/topology-02-CA/alias/

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    ocspSigningCert cert-topology-02-CA CA                       u,u,u
    subsystemCert cert-topology-02-CA                            u,u,u
    caSigningCert cert-topology-02-CA CA                         CTu,Cu,Cu
    auditSigningCert cert-topology-02-CA CA                      u,u,Pu
    Server-Cert cert-topology-02-CA                              u,u,u

    [root@pki1 conf]# sslget -d /var/lib/pki/topology-02-CA/alias/ -w /tmp/password.conf -n 'Server-Cert cert-topology-02-CA' -v -r 'http://pki1.example.com' pki1.example.com:20080 > /tmp/ciphers 2>&1
    [root@pki1 conf]# sort /tmp/ciphers > /tmp/ciphers.sorted
    [root@pki1 conf]# cat /tmp/ciphers.sorted
    disabled TLS_AES_256_GCM_SHA384 (not FIPS)
    disabled TLS_CHACHA20_POLY1305_SHA256 (not FIPS)
    disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (3DES)
    disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (disabled by default)
    disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (disabled by default)
    disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (disabled by default)
    disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (disabled by default)
    disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
    disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
    disabled TLS_DHE_DSS_WITH_DES_CBC_SHA (disabled by default)
    disabled TLS_DHE_DSS_WITH_RC4_128_SHA (disabled by default)
    disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
    disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
    disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
    disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
    disabled TLS_DHE_RSA_WITH_DES_CBC_SHA (disabled by default)
    disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
    disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (disabled by default)
    disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (disabled by default)
    disabled TLS_ECDH_ECDSA_WITH_NULL_SHA (disabled by default)
    disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA (disabled by default)
    disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
    disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (disabled by default)
    disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
    disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA (disabled by default)
    disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (disabled by default)
    disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
    disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (disabled by default)
    disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
    disabled TLS_ECDHE_RSA_WITH_NULL_SHA (disabled by default)
    disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA (disabled by default)
    disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
    disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (disabled by default)
    disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (disabled by default)
    disabled TLS_ECDH_RSA_WITH_NULL_SHA (disabled by default)
    disabled TLS_ECDH_RSA_WITH_RC4_128_SHA (disabled by default)
    disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
    disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
    disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
    disabled TLS_RSA_WITH_DES_CBC_SHA (disabled by default)
    disabled TLS_RSA_WITH_NULL_MD5 (disabled by default)
    disabled TLS_RSA_WITH_NULL_SHA256 (disabled by default)
    disabled TLS_RSA_WITH_NULL_SHA (disabled by default)
    disabled TLS_RSA_WITH_RC4_128_MD5 (not FIPS)
    disabled TLS_RSA_WITH_RC4_128_SHA (not FIPS)
    disabled TLS_RSA_WITH_SEED_CBC_SHA (disabled by default)
    enabled TLS_AES_128_GCM_SHA256
    enabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    enabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    enabled TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    enabled TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    enabled TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    enabled TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    enabled TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    enabled TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    enabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    enabled TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    enabled TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    enabled TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    enabled TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    enabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    enabled TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    enabled TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    enabled TLS_RSA_WITH_AES_128_CBC_SHA
    enabled TLS_RSA_WITH_AES_128_CBC_SHA256
    enabled TLS_RSA_WITH_AES_128_GCM_SHA256
    enabled TLS_RSA_WITH_AES_256_CBC_SHA
    enabled TLS_RSA_WITH_AES_256_CBC_SHA256
    enabled TLS_RSA_WITH_AES_256_GCM_SHA384

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195
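The hand edit and visual comparison in steps (4) and (5) of the QE procedure can be scripted. The following is an added example, not part of the original bug report or of pki-core; it assumes the `enabled NAME` / `disabled NAME (reason)` line format shown in the listing above, and the function name `audit_sslget_ciphers` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a saved `sslget -v` cipher listing (e.g. /tmp/ciphers).
# Exit status: 0 = policy holds, 1 = a weak suite is enabled, 2 = no cipher lines.
audit_sslget_ciphers() {
    awk '
        # Keep only "enabled NAME" / "disabled NAME (reason)" lines; this replaces
        # the manual deletion of the leading and trailing lines in step (5).
        ($1 != "enabled" && $1 != "disabled") || $2 !~ /^TLS_/ { next }
        { total++ }
        $1 == "disabled" {
            reason = "unspecified"
            if (match($0, /\(.*\)/)) reason = substr($0, RSTART + 1, RLENGTH - 2)
            reasons[reason]++
            next
        }
        # From the commit message: no 3DES, no RC4, nothing under 80 effective
        # key bits (single DES and NULL suites fall in that last group).
        $2 ~ /(3DES|RC4|_DES_|_NULL_)/ { printf "WEAK ENABLED: %s\n", $2; bad++ }
        { enabled++ }
        END {
            for (r in reasons) printf "disabled (%s): %d\n", r, reasons[r]
            printf "enabled: %d\n", enabled
            if (total == 0) exit 2
            exit (bad > 0)
        }
    ' "${1:--}"
}

# Constructed sample: a few lines copied from the listing above plus a made-up
# banner line, to show that surrounding output is ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
(constructed banner line, not real sslget output)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_RSA_WITH_RC4_128_SHA (not FIPS)
disabled TLS_RSA_WITH_DES_CBC_SHA (disabled by default)
enabled TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
enabled TLS_RSA_WITH_AES_128_CBC_SHA
EOF
audit_sslget_ciphers "$sample" && echo "cipher policy OK"
rm -f "$sample"
```

An exit status of 2 means no cipher lines were found, which usually indicates that sslget failed before printing the listing, so it should be treated as a test failure rather than a pass.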