Bug 1547144

Summary: openwsmand does not support ECDH ciphers
Product: Red Hat Enterprise Linux 7
Reporter: Alois Mahdal <amahdal>
Component: openwsman
Assignee: Vitezslav Crhonek <vcrhonek>
Status: CLOSED ERRATA
QA Contact: Martin Kyral <mkyral>
Severity: unspecified
Priority: unspecified
Version: 7.5
CC: djez, mkyral
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openwsman-2.6.3-4.git4391e5c.el7
Doc Type: If docs needed, set a value
Last Closed: 2018-10-30 11:09:08 UTC
Type: Bug
Bug Blocks: 1549619, 1551541

Description Alois Mahdal 2018-02-20 15:38:35 UTC
Description of problem
======================

While testing bug 1454607 (to enable cipher blacklist), it turned out
that openwsmand does not handle ECDH properly.  That is, if I set the cipher
list to e.g. ECDH (i.e. all ECDH based ciphers), s_client with DEFAULT
set will not be able to connect.

According to @hkario, this could be caused by misconfiguration on
openwsmand part, since ECDH ciphers may require special configuration
calls (which indeed don't appear in downstream shttpd.c).

Version-Release number of selected component
============================================

openwsman-server-2.6.3-3.git4391e5c.el7


How reproducible
================

Always


Steps to Reproduce
==================

 1. set ssl_ciphers_list = ECDH
 2. start up openwsmand
 3. connect with a client with ECDH cipher string, eg.

        openssl s_client -connect $SrvHost:$SrvPort -ciphers ECDH <.


Actual results
==============

SSL handshake failure


Expected results
================

Successful connection (or other failure)


Additional info
===============

Alternatively, you can scan openwsmand port with

    nmap -sV --script ssl-enum-ciphers $SrvHost -p $SrvPort

which will reveal that no ciphers were enabled on the server.

Also, this is probably not just ECDH but also other EC* ciphers.
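An added check, not part of this report or of openwsman: Python's standard ssl module wraps OpenSSL's cipher-string logic, so it can show what a server configured with a given ssl_ciphers_list would advertise, which suites a client -ciphers string shares with it, and give a structured equivalent of the s_client step. The host and port passed to probe() are assumed to be those of the openwsmand under test; the test-only localhost port 9 is a constructed value.

```python
import socket
import ssl

def _suites(cipher_list, server=True):
    """Suites OpenSSL selects for cipher_list, in preference order.  Raises
    ssl.SSLError when nothing matches, exactly like SSL_CTX_set_cipher_list.
    TLS 1.3 suites are always appended and report kea 'kx-any', so they are
    dropped: the configured cipher string only controls TLS 1.2 and older."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server else ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def offered(ssl_ciphers_list):
    """What a server configured with ssl_ciphers_list advertises, grouped by
    key exchange (e.g. 'kx-ecdhe', 'kx-rsa'); 'ECDH' must yield only kx-ecdhe."""
    groups = {}
    for c in _suites(ssl_ciphers_list):
        groups.setdefault(c["kea"], []).append(c["name"])
    return groups

def negotiable(server_list, client_list):
    """Suites both sides accept, in server order: what s_client -ciphers
    client_list could complete a handshake with, provided the server side has
    the ECDH parameters its ECDH suites need.  Empty means a certain failure."""
    client = {c["name"] for c in _suites(client_list, server=False)}
    return [c["name"] for c in _suites(server_list) if c["name"] in client]

def probe(host, port, cipher_list="ECDH", timeout=5.0):
    """The s_client step from the report, as a structured result: the suite the
    server picked, or the TLS alert / socket error it produced instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # cipher negotiation is under test, not the certificate
    ctx.set_ciphers(cipher_list)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "cipher": tls.cipher()[0], "protocol": tls.version()}
    except OSError as e:  # ssl.SSLError is an OSError; .reason is e.g. 'SSLV3_ALERT_HANDSHAKE_FAILURE'
        return {"ok": False, "error": getattr(e, "reason", None) or str(e)}

if __name__ == "__main__":
    import sys
    print(offered("ECDH"))
    if len(sys.argv) == 3:  # assumed usage: host and port of the openwsmand under test
        print(probe(sys.argv[1], int(sys.argv[2])))
```

A healthy server configured with ssl_ciphers_list = ECDH answers probe() with an ECDHE-* suite; the failure in this report shows up as ok False with a handshake-failure reason, the same thing the nmap scan reports as no enabled ciphers.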

Comment 2 Vitezslav Crhonek 2018-02-28 11:58:42 UTC
https://github.com/Openwsman/openwsman/pull/103

resolves the issue.

Comment 8 errata-xmlrpc 2018-10-30 11:09:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3200