Bug 1552241
| Summary: | Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | pki-core | Assignee: | Christian Heimes <cheimes> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.6 | CC: | bbhavsar, cheimes, mharmsen, msauton |
| Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | pki-core-10.5.1-10.el7 | Doc Type: | No Doc Update |
| Doc Text: | FIPS ciphers were previously documented for the server in https://bugzilla.redhat.com/show_bug.cgi?id=1539125 - restrict default cipher suite to those ciphers permitted in fips mode; this is merely applying similar logic to the command-line tool. | Story Points: | --- |
| Clone Of: | 1540789 | Environment: | |
| Last Closed: | 2018-06-26 16:47:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1540789 | ||
| Bug Blocks: | |||
Description
Oneata Mircea Teodor
2018-03-06 19:28:40 UTC
commit 16c9f4aae71708c6cd3e729d60f937551315da67 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christian Heimes <cheimes>
Date: Thu Feb 22 10:22:41 2018 +0100
Modernize sslget's TLS version and cipher suite
Disable all cipher suites unless NSS says it's a FIPS approved suite.
* SSL 2.0 and SSL 3.0 are disabled
* Broken or weak suites with 3DES, RC4 and effective key bits less than
80 bits are disabled.
Fixes: https://pagure.io/dogtagpki/issue/2918
Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8
Signed-off-by: Christian Heimes <cheimes>
(cherry picked from commit 27142606930f87023e7e1981dfbc76199d4dd240)
QE Test Procedure:

(1) Install the latest NSS (e.g. >= nss-3.34.0-4):

# rpm -q nss
nss-3.34.0-4.el7.x86_64

(2) Install a basic CA:

# script -c "pkispawn -s CA -f /root/pki/CA.cfg -vvv" typescript.ca

where '/root/pki/ca.cfg' contains:

[DEFAULT]
pki_admin_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>

(3) Create a raw internal password file in '/tmp/password.conf':

# cd /var/lib/pki/pki-tomcat/conf
# cp -p password.conf /tmp/password.conf
# vi /tmp/password.conf
* remove "internal="
* delete "internaldb=<password>"
* delete "replicationdb=<number>"

(4) Run the following sslget() command:

# sslget -d /var/lib/pki/pki-tomcat/alias -w /tmp/password.conf -n 'Server-Cert cert-pki-tomcat' -v -r 'http://<fqdn>' <fqdn>:80 >/tmp/ciphers 2>&1

(5) Edit and sort /tmp/ciphers:

# vi /tmp/ciphers
* delete the first four lines
* delete the last four lines
# sort /tmp/ciphers > /tmp/ciphers.sorted
# cat /tmp/ciphers.sorted
disabled TLS_AES_256_GCM_SHA384 (not FIPS)
disabled TLS_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
disabled TLS_DHE_DSS_WITH_DES_CBC_SHA (disabled by default)
disabled TLS_DHE_DSS_WITH_RC4_128_SHA (disabled by default)
disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_DHE_RSA_WITH_DES_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (disabled by default)
disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_ECDHE_RSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
disabled TLS_RSA_WITH_DES_CBC_SHA (disabled by default)
disabled TLS_RSA_WITH_NULL_MD5 (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA256 (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA (disabled by default)
disabled TLS_RSA_WITH_RC4_128_MD5 (not FIPS)
disabled TLS_RSA_WITH_RC4_128_SHA (not FIPS)
disabled TLS_RSA_WITH_SEED_CBC_SHA (disabled by default)
enabled TLS_AES_128_GCM_SHA256
enabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA
enabled TLS_DHE_RSA_WITH_AES_128_CBC_SHA
enabled TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
enabled TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_DHE_RSA_WITH_AES_256_CBC_SHA
enabled TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
enabled TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
enabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
enabled TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
enabled TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
enabled TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
enabled TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
enabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabled TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
enabled TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
enabled TLS_RSA_WITH_AES_128_CBC_SHA
enabled TLS_RSA_WITH_AES_128_CBC_SHA256
enabled TLS_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_RSA_WITH_AES_256_CBC_SHA
enabled TLS_RSA_WITH_AES_256_CBC_SHA256
enabled TLS_RSA_WITH_AES_256_GCM_SHA384

Verified with build
[root@pki1 conf]# rpm -qa | grep pki
pki-tools-10.5.1-11.el7.x86_64
pki-tks-10.5.1-10.el7pki.noarch
pki-tps-10.5.1-10.el7pki.x86_64
pki-symkey-10.5.1-11.el7.x86_64
pki-base-java-10.5.1-11.el7.noarch
pki-console-10.5.1-5.el7pki.noarch
pki-server-10.5.1-11.el7.noarch
pki-kra-10.5.1-11.el7.noarch
pki-ca-10.5.1-11.el7.noarch
redhat-pki-10.5.1-2.el7pki.noarch
pki-base-10.5.1-11.el7.noarch
redhat-pki-console-theme-10.5.1-2.el7pki.noarch
pki-ocsp-10.5.1-10.el7pki.noarch
redhat-pki-server-theme-10.5.1-2.el7pki.noarch
[root@pki1 ~]# rpm -q nss
nss-3.34.0-4.el7.x86_64
[root@pki1 conf]# cp -p password.conf /tmp/password.conf
[root@pki1 conf]# vi /tmp/password.conf
[root@pki1 conf]# certutil -L -d /var/lib/pki/topology-02-CA/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ocspSigningCert cert-topology-02-CA CA u,u,u
subsystemCert cert-topology-02-CA u,u,u
caSigningCert cert-topology-02-CA CA CTu,Cu,Cu
auditSigningCert cert-topology-02-CA CA u,u,Pu
Server-Cert cert-topology-02-CA u,u,u
[root@pki1 conf]# sslget -d /var/lib/pki/topology-02-CA/alias/ -w /tmp/password.conf -n 'Server-Cert cert-topology-02-CA' -v -r 'http://pki1.example.com' pki1.example.com:80 >/tmp/ciphers 2>&1
[root@pki1 conf]# sort /tmp/ciphers > /tmp/ciphers.sorted
[root@pki1 conf]# cat /tmp/ciphers.sorted
disabled TLS_AES_256_GCM_SHA384 (not FIPS)
disabled TLS_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
disabled TLS_DHE_DSS_WITH_DES_CBC_SHA (disabled by default)
disabled TLS_DHE_DSS_WITH_RC4_128_SHA (disabled by default)
disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_DHE_RSA_WITH_DES_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (disabled by default)
disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (not FIPS)
disabled TLS_ECDHE_RSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_NULL_SHA (disabled by default)
disabled TLS_ECDH_RSA_WITH_RC4_128_SHA (disabled by default)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (disabled by default)
disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (disabled by default)
disabled TLS_RSA_WITH_DES_CBC_SHA (disabled by default)
disabled TLS_RSA_WITH_NULL_MD5 (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA256 (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA (disabled by default)
disabled TLS_RSA_WITH_RC4_128_MD5 (not FIPS)
disabled TLS_RSA_WITH_RC4_128_SHA (not FIPS)
disabled TLS_RSA_WITH_SEED_CBC_SHA (disabled by default)
enabled TLS_AES_128_GCM_SHA256
enabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA
enabled TLS_DHE_RSA_WITH_AES_128_CBC_SHA
enabled TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
enabled TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_DHE_RSA_WITH_AES_256_CBC_SHA
enabled TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
enabled TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
enabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
enabled TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
enabled TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
enabled TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
enabled TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
enabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabled TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
enabled TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
enabled TLS_RSA_WITH_AES_128_CBC_SHA
enabled TLS_RSA_WITH_AES_128_CBC_SHA256
enabled TLS_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_RSA_WITH_AES_256_CBC_SHA
enabled TLS_RSA_WITH_AES_256_CBC_SHA256
enabled TLS_RSA_WITH_AES_256_GCM_SHA384
List of ciphers matches with the one mentioned in comment #3, hence marking this as verified.
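
The manual check in step (5) and the comparison against the reference listing can be scripted. The following is an added example, not part of the bug report or of pki-core; the function names are hypothetical, the sample listing is constructed, and treating single DES and NULL suites as weak is an assumption drawn from the listing above (the commit message itself names 3DES and RC4).

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of pki-core.

# Keep only the "enabled"/"disabled" status lines, sorted. This replaces the
# manual "delete the first/last four lines" edit in step (5). The reason text
# in parentheses is dropped, so only the suite name and its status are compared.
cipher_lines() {
    awk '$1 == "enabled" || $1 == "disabled" { print $1, $2 }' "$1" | LC_ALL=C sort -u
}

# Enabled suites that the commit message says must be off (3DES, RC4).
# Single DES and NULL are an added assumption: the listing shows them disabled.
weak_enabled() {
    cipher_lines "$1" |
        awk '$1 == "enabled" && $2 ~ /(3DES|RC4|_DES_|_NULL_)/ { print $2 }'
}

# Suites whose presence or status differs between a reference and a new listing.
cipher_drift() {
    ref=$(mktemp) && new=$(mktemp) || return 2
    cipher_lines "$1" > "$ref"
    cipher_lines "$2" > "$new"
    LC_ALL=C comm -3 "$ref" "$new" | awk '{ print $2 }' | LC_ALL=C sort -u
    rm -f "$ref" "$new"
}

# Exit status 0 only when no weak suite is enabled.
check_listing() {
    bad=$(weak_enabled "$1")
    [ -z "$bad" ] && return 0
    printf 'weak suite enabled: %s\n' $bad >&2
    return 1
}

# Constructed sample: two non-status lines plus four status lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
(constructed non-status line)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA (3DES)
enabled TLS_RSA_WITH_AES_128_GCM_SHA256
enabled TLS_RSA_WITH_RC4_128_SHA
disabled TLS_RSA_WITH_NULL_SHA (disabled by default)
(constructed non-status line)
EOF
check_listing "$sample" || echo "sample listing violates the policy"
```

Run `check_listing /tmp/ciphers` on the raw capture from step (4), and `cipher_drift` with a saved reference listing as the first argument to see which suites changed status.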
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1979