Bug 1552241
Summary: | Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z] | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
Component: | pki-core | Assignee: | Christian Heimes <cheimes> |
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | 7.6 | CC: | bbhavsar, cheimes, mharmsen, msauton |
Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | pki-core-10.5.1-10.el7 | Doc Type: | No Doc Update |
Doc Text: | FIPS ciphers were previously documented for the server in https://bugzilla.redhat.com/show_bug.cgi?id=1539125 - restrict default cipher suite to those ciphers permitted in fips mode; this is merely applying similar logic to the command-line tool. | | |
Story Points: | --- | | |
Clone Of: | 1540789 | Environment: | |
Last Closed: | 2018-06-26 16:47:58 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1540789 | | |
Bug Blocks: | | | |

Description
Oneata Mircea Teodor
2018-03-06 19:28:40 UTC
```
commit 16c9f4aae71708c6cd3e729d60f937551315da67 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christian Heimes <cheimes>
Date:   Thu Feb 22 10:22:41 2018 +0100

    Modernize sslget's TLS version and cipher suite

    Disable all cipher suites unless NSS says it's a FIPS approved suite.

    * SSL 2.0 and SSL 3.0 are disabled
    * Broken or weak suites with 3DES, RC4 and effective key bits less than 80
      bits are disabled.

    Fixes: https://pagure.io/dogtagpki/issue/2918
    Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8
    Signed-off-by: Christian Heimes <cheimes>
    (cherry picked from commit 27142606930f87023e7e1981dfbc76199d4dd240)
```

QE Test Procedure:

(1) Install the latest NSS (e. g. - >= nss-3.34.0-4):

```
# rpm -q nss
nss-3.34.0-4.el7.x86_64
```

(2) Install a basic CA:

```
# script -c "pkispawn -s CA -f /root/pki/CA.cfg -vvv" typescript.ca
```

where '/root/pki/ca.cfg' contains:

```
[DEFAULT]
pki_admin_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>
```

(3) Create a raw internal password file in '/tmp/password.conf':

```
# cd /var/lib/pki/pki-tomcat/conf
# cp -p password.conf /tmp/password.conf
# vi /tmp/password.conf
```

* remove "internal="
* delete "internaldb=<password>"
* delete "replicationdb=<number>"

(4) Run the following sslget() command:

```
# sslget -d /var/lib/pki/pki-tomcat/alias -w /tmp/password.conf -n 'Server-Cert cert-pki-tomcat' -v -r 'http://<fqdn>' <fqdn>:80 >/tmp/ciphers 2>&1
```

(5) Edit and sort /tmp/ciphers:

```
# vi /tmp/ciphers
```

* delete the first four lines
* delete the last four lines

```
# sort /tmp/ciphers > /tmp/ciphers.sorted
# cat /tmp/ciphers.sorted
disabled TLS_AES_256_GCM_SHA384 (not FIPS)
disabled TLS_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
disabled TLS_DHE_DSS_WITH_DES_CBC_SHA (disabled by default)
disabled TLS_DHE_DSS_WITH_RC4_128_SHA (disabled by default)
disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_DHE_RSA_WITH_DES_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (disabled by default)
disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_ECDHE_RSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
disabled TLS_RSA_WITH_DES_CBC_SHA (disabled by default)
disabled TLS_RSA_WITH_NULL_MD5 (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA256 (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA (disabled by default)
disabled TLS_RSA_WITH_RC4_128_MD5 (not FIPS)
disabled TLS_RSA_WITH_RC4_128_SHA (not FIPS)
disabled TLS_RSA_WITH_SEED_CBC_SHA (disabled by default)
enabled TLS_AES_128_GCM_SHA256
enabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA
enabled TLS_DHE_RSA_WITH_AES_128_CBC_SHA
enabled TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
enabled TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_DHE_RSA_WITH_AES_256_CBC_SHA
enabled TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
enabled TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
enabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
enabled TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
enabled TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
enabled TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
enabled TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
enabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabled TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
enabled TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
enabled TLS_RSA_WITH_AES_128_CBC_SHA
enabled TLS_RSA_WITH_AES_128_CBC_SHA256
enabled TLS_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_RSA_WITH_AES_256_CBC_SHA
enabled TLS_RSA_WITH_AES_256_CBC_SHA256
enabled TLS_RSA_WITH_AES_256_GCM_SHA384
```

Verified with build

```
[root@pki1 conf]# rpm -qa | grep pki
pki-tools-10.5.1-11.el7.x86_64
pki-tks-10.5.1-10.el7pki.noarch
pki-tps-10.5.1-10.el7pki.x86_64
pki-symkey-10.5.1-11.el7.x86_64
pki-base-java-10.5.1-11.el7.noarch
pki-console-10.5.1-5.el7pki.noarch
pki-server-10.5.1-11.el7.noarch
pki-kra-10.5.1-11.el7.noarch
pki-ca-10.5.1-11.el7.noarch
redhat-pki-10.5.1-2.el7pki.noarch
pki-base-10.5.1-11.el7.noarch
redhat-pki-console-theme-10.5.1-2.el7pki.noarch
pki-ocsp-10.5.1-10.el7pki.noarch
redhat-pki-server-theme-10.5.1-2.el7pki.noarch
[root@pki1 ~]# rpm -q nss
nss-3.34.0-4.el7.x86_64
[root@pki1 conf]# cp -p password.conf /tmp/password.conf
[root@pki1 conf]# vi /tmp/password.conf
[root@pki1 conf]# certutil -L -d /var/lib/pki/topology-02-CA/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-topology-02-CA CA                       u,u,u
subsystemCert cert-topology-02-CA                            u,u,u
caSigningCert cert-topology-02-CA CA                         CTu,Cu,Cu
auditSigningCert cert-topology-02-CA CA                      u,u,Pu
Server-Cert cert-topology-02-CA                              u,u,u
[root@pki1 conf]# sslget -d /var/lib/pki/topology-02-CA/alias/ -w /tmp/password.conf -n 'Server-Cert cert-topology-02-CA' -v -r 'http://pki1.example.com' pki1.example.com:80 >/tmp/ciphers 2>&1
[root@pki1 conf]# sort /tmp/ciphers > /tmp/ciphers.sorted
[root@pki1 conf]# cat /tmp/ciphers.sorted
disabled TLS_AES_256_GCM_SHA384 (not FIPS)
disabled TLS_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
disabled TLS_DHE_DSS_WITH_DES_CBC_SHA (disabled by default)
disabled TLS_DHE_DSS_WITH_RC4_128_SHA (disabled by default)
disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_DHE_RSA_WITH_DES_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (disabled by default)
disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_ECDHE_RSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
disabled TLS_RSA_WITH_DES_CBC_SHA (disabled by default)
disabled TLS_RSA_WITH_NULL_MD5 (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA256 (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA (disabled by default)
disabled TLS_RSA_WITH_RC4_128_MD5 (not FIPS)
disabled TLS_RSA_WITH_RC4_128_SHA (not FIPS)
disabled TLS_RSA_WITH_SEED_CBC_SHA (disabled by default)
enabled TLS_AES_128_GCM_SHA256
enabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA
enabled TLS_DHE_RSA_WITH_AES_128_CBC_SHA
enabled TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
enabled TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_DHE_RSA_WITH_AES_256_CBC_SHA
enabled TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
enabled TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
enabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
enabled TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
enabled TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
enabled TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
enabled TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
enabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabled TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
enabled TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
enabled TLS_RSA_WITH_AES_128_CBC_SHA
enabled TLS_RSA_WITH_AES_128_CBC_SHA256
enabled TLS_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_RSA_WITH_AES_256_CBC_SHA
enabled TLS_RSA_WITH_AES_256_CBC_SHA256
enabled TLS_RSA_WITH_AES_256_GCM_SHA384
```

List of ciphers matches with the one mentioned in comment #3, hence marking this as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979
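
The manual edit and comparison in step (5) of the QE procedure can be scripted. The following is an added example, not part of the bug report or of pki-core. It assumes the `enabled`/`disabled` line format shown in the listings above, reads "effective key bits less than 80" as also covering DES and NULL suites, and uses constructed sample captures; all function names are hypothetical.

```shell
#!/bin/sh
# Added example; not part of the bug report or of pki-core.
# Assumed line format, taken from the listing on this page:
#   enabled <SUITE>    /    disabled <SUITE> (<reason>)
# Other lines (banner, HTTP response) are ignored.

# Status lines only, sorted: replaces the manual vi edit and sort of step (5).
suite_lines() {
    grep -E '^(enabled|disabled)[[:space:]]+TLS_[A-Z0-9_]+' "$1" | sort
}

# Enabled suites that contradict the commit message. 3DES and RC4 are named
# there; DES and NULL are this example's reading of "less than 80 bits".
weak_enabled() {
    suite_lines "$1" |
        awk '$1 == "enabled" && $2 ~ /(3DES|RC4|_DES_|_NULL_)/ { print $2 }'
}

# Suites whose status differs between two captures (expected vs. actual).
status_drift() {
    a=$(mktemp) && b=$(mktemp) || return 2
    suite_lines "$1" | awk '{ print $2, $1 }' | sort > "$a"
    suite_lines "$2" | awk '{ print $2, $1 }' | sort > "$b"
    # comm -3 keeps lines unique to either file; strip its tab indentation.
    comm -3 "$a" "$b" | sed 's/^[[:space:]]*//' | cut -d' ' -f1 | sort -u
    rm -f "$a" "$b"
}

# Constructed sample captures (not real sslget output).
write_samples() {
    cat > "$1" <<'EOF'
constructed banner line
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
enabled TLS_RSA_WITH_AES_128_GCM_SHA256
disabled TLS_RSA_WITH_RC4_128_SHA (not FIPS)
constructed trailer line
EOF
    cat > "$2" <<'EOF'
enabled TLS_RSA_WITH_3DES_EDE_CBC_SHA
enabled TLS_RSA_WITH_AES_128_GCM_SHA256
disabled TLS_RSA_WITH_RC4_128_SHA (not FIPS)
EOF
}

dir=$(mktemp -d)
write_samples "$dir/expected" "$dir/regressed"
echo "weak but enabled: $(weak_enabled "$dir/regressed")"
echo "status drift:     $(status_drift "$dir/expected" "$dir/regressed")"
rm -rf "$dir"
```

An empty result from `weak_enabled` on a real `/tmp/ciphers` capture means no enabled suite matches the weak patterns; `status_drift` against a saved known-good capture flags suites that changed state after an NSS or pki-core update.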