Bug 1553875
Summary: | [RFE] (6.3) Enable TLSv1.2 in satellite 6. | |
---|---|---|---
Product: | Red Hat Satellite | Reporter: | Satellite Program <pm-sat>
Component: | Other | Assignee: | Stephen Benjamin <stbenjam>
Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 6.1.8 | CC: | ahuchcha, anazmy, aruzicka, bkearney, bmidwood, dgupte, ehelms, gkonda, gpayelka, hshukla, inecas, jcallaha, jcrumple, jdeenada, jwildman, lpramuk, mkalyat, mlele, mlinden, mmccune, mmithaiw, mshimura, paldeala, pcreech, rahranja, rajgupta, sauchter, schamilt, shbharad, vijsingh
Target Milestone: | Unspecified | Keywords: | FutureFeature, Triaged
Target Release: | Unused | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | foreman-proxy-1.15.6.5-1, foreman-installer-1.15.6.9-1, katello-installer-base-3.4.5.32-1, foreman-installer-1.15.6.10-1, foreman-proxy-1.15.6.6-1, foreman-installer-1.15.6.11-1 | Doc Type: | Enhancement
Story Points: | --- | |
Clone Of: | 1331041 | Environment: |
Last Closed: | 2018-06-19 20:17:00 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1545876 | |

Doc Text:

How to disable TLS 1.0 and 1.1 so that the Satellite services accept TLS 1.2 only:

1. Add the following to /etc/foreman-installer/custom-hiera.yaml. Keep the version strings quoted as shown: an unquoted 1.1 is parsed by YAML as a float rather than the string '1.1', and the setting then does not match.
---
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']
# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
# Puppet 3
puppet::server::passenger::ssl_protocol: '-ALL +TLSv1.2'
# Apache
apache::mod::ssl::ssl_protocol: ['-ALL', '+TLSv1.2']
# Candlepin
candlepin::tls_versions: ['1.2']
---
2. Run satellite-installer to apply the changes.
3. If a scan still shows older protocol versions, restart the services (katello-service restart); not every service is refreshed by the installer after the configuration change.
4. Verify with nmap --script +ssl-enum-ciphers against ports 9090, 8008, 8140, 443, 5000 and 8443 that each port offers TLSv1.2 only.

Puppet 4 is restricted to TLSv1.2 by default and needs no setting. The QPID dispatch router is not covered by these settings (see comment 2).
Comment 2
Mike McCune
2018-05-16 21:48:39 UTC
custom-hiera.yaml settings to disable TLS 1.1 for all services but dispatch router:

---
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']
# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
# Puppet 3
puppet::server::passenger::ssl_protocol: 'ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2'
# Apache
apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1', '-TLSv1.1', '+TLSv1.2']
# Candlepin
candlepin::tls_versions: ['1.2']

QPID Dispatch router instructions will be added when available.

Can you please also paste in the Puppet 4 setting for CUs who'll be/are on Puppet 4?

FailedQA.

@satellite-6.3.1-3.el7sat.noarch
foreman-installer-1.15.6.8-1.el7sat.noarch
katello-installer-base-3.4.5.29-2.el7sat.noarch
foreman-proxy-1.15.6.4-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

1) Add custom settings into /etc/foreman-installer/custom-hiera.yaml
# cat >> /etc/foreman-installer/custom-hiera.yaml << EOF
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']
# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
# Puppet 3
puppet::server::passenger::ssl_protocol: '-ALL +TLSv1.2'
# Apache
apache::mod::ssl::ssl_protocol: ['-ALL', '+TLSv1.2']
# Candlepin
candlepin::tls_versions: ['1.2']
EOF

2) Run installer to apply custom settings
# satellite-installer

3) Check TLS protocols
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
| TLSv1.1:
| TLSv1.2:
>>> smart-proxy has issue !!!
8008:
| TLSv1.1:
| TLSv1.2:
>>> dynflow has issue !!!
8140:
| SSLv3: No supported ciphers found
| TLSv1.2:
>>> puppet3 is OK
443:
| SSLv3: No supported ciphers found
| TLSv1.2:
>>> passenger is OK
5000:
| SSLv3: No supported ciphers found
| TLSv1.2:
>>> crane is OK
8443:
| TLSv1.1:
| TLSv1.2:
>>> tomcat has issue

Maybe some services weren't refreshed after the configuration change (i.e. installer bugs).

4) Restart services
# katello-service restart

5) Check TLS protocols once again
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
| TLSv1.1:
| TLSv1.2:
>>> smart-proxy issue persists !!!
8008:
| TLSv1.1:
| TLSv1.2:
>>> dynflow issue persists !!!
8443:
| TLSv1.1:
| TLSv1.2:
>>> tomcat changed its mind, it means there is an installer bug (tomcat service is not refreshed after config change)

Upstream bug assigned to stbenjam

For tomcat in the previous comment it should be of course TLS 1.2 only:
8443:
| TLSv1.2:

For dynflow and smart-proxy the tls setting is not populated >>> installer issue
# grep -A2 tls /etc/foreman-proxy/settings.yml
<empty>
# grep -A2 tls /etc/smart_proxy_dynflow_core/settings.yml
<empty>
# grep -rn tls_disabled_versions /usr/share/foreman*
<empty>
>>> the installer and also foreman-proxy code is missing

FailedQA.

@satellite-6.3.2-1.el7sat.noarch (Snap2)
foreman-installer-1.15.6.9-1.el7sat.noarch
katello-installer-base-3.4.5.31-1.el7sat.noarch
foreman-proxy-1.15.6.5-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

by steps described in comment#5 and comment#6:

5) Check TLS protocols once again (after services restart)
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
| TLSv1.1:
| TLSv1.2:
>>> smart-proxy issue persists !!!
8008:
| TLSv1.1:
| TLSv1.2:
>>> dynflow issue persists !!!

The only progress made is that the foreman-proxy tls setting is now populated but still not reflected, while the dynflow_core tls setting is not even populated !!!
# grep -A2 tls /etc/foreman-proxy/settings.yml
:tls_disabled_versions:
- 1.1
# grep -A2 tls /etc/smart_proxy_dynflow_core/settings.yml
<empty>

When I quoted the result in /etc/foreman-proxy/settings.yml
:tls_disabled_versions:
- '1.1'
and restarted the foreman-proxy service I got it working:
9090:
| TLSv1.2:

6.3 needs this for the installer: https://github.com/theforeman/puppet-foreman_proxy/commit/27b398192b9994a043f2d99fe46170d979eb487b#diff-4046205259659dfbef70f2a1d598d20d

I will look into the quoting issue. It's probably a difference in how the installer is handling things, but without quotes it'll be interpreted as a float, and that's probably correct behaviour.

> YAML.load("\n---\n:tls_disabled_versions:\n - '1.1'\n")[:tls_disabled_versions].first.class
=> String
> YAML.load("\n---\n:tls_disabled_versions:\n - 1.1\n")[:tls_disabled_versions].first.class
=> Float

FailedQA.

@satellite-6.3.2-1.el7sat.noarch
foreman-installer-1.15.6.10-1.el7sat.noarch
katello-installer-base-3.4.5.32-1.el7sat.noarch
foreman-proxy-1.15.6.5-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

by steps described in comment#5 and comment#6:

5) Check TLS protocols once again (after services restart)
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
| TLSv1.1:
| TLSv1.2:
>>> smart-proxy issue persists !!!
8008:
| TLSv1.2:
8140:
| SSLv3: No supported ciphers found
| TLSv1.2:
443:
| SSLv3: No supported ciphers found
| TLSv1.2:
5000:
| SSLv3: No supported ciphers found
| TLSv1.2:
8443:
| TLSv1.2:

More debug info:
# grep foreman_proxy::tls /etc/foreman-installer/custom-hiera.yaml
foreman_proxy::tls_disabled_versions: ['1.1']   << quoted
vs.
# grep -A2 tls /etc/foreman-proxy/settings.yml
:tls_disabled_versions:
- 1.1   << unquoted, so ignored !!!

While dynflow_core is happy:
# grep ::dynflow:: /etc/foreman-installer/custom-hiera.yaml
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']   << quoted
vs.
# grep -A1 tls /etc/smart_proxy_dynflow_core/settings.yml
:tls_disabled_versions: ["1.1"]   << quoted

VERIFIED.
@satellite-6.3.2-1.el7sat.noarch (Snap5)
foreman-installer-1.15.6.11-1.el7sat.noarch
katello-installer-base-3.4.5.32-1.el7sat.noarch
foreman-proxy-1.15.6.6-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch
1) Add custom settings into /etc/foreman-installer/custom-hiera.yaml
# cat >> /etc/foreman-installer/custom-hiera.yaml << EOF
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']
# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
# Puppet 3
puppet::server::passenger::ssl_protocol: '-ALL +TLSv1.2'
# Puppet4
# hardened by default to TLSv1.2, no need to set
# puppet::server_ssl_protocols: ['TLSv1.2']
# Apache
apache::mod::ssl::ssl_protocol: ['-ALL', '+TLSv1.2']
# Candlepin
candlepin::tls_versions: ['1.2']
EOF
2) Run installer to apply custom settings
# satellite-installer
3) Restart services to resolve possibly not refreshed services
# katello-service restart
4) Check TLS protocols
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers $(hostname) -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
| TLSv1.2:
8008:
| TLSv1.2:
8140:
| TLSv1.2:
443:
| SSLv3: No supported ciphers found
| TLSv1.2:
5000:
| SSLv3: No supported ciphers found
| TLSv1.2:
8443:
| TLSv1.2:
5) Upgrade to Puppet4
# subscription-manager repos --enable rhel-7-server-satellite-6.3-puppet4-rpms
# satellite-installer --upgrade-puppet
6) Check Puppet4
# nmap --script +ssl-enum-ciphers $(hostname) -p 8140| grep -e weak -e TLSv -e SSLv
| TLSv1.2:
>>> smart-proxy, dynflow_core, puppet3, passenger, crane, tomcat can be restricted to use only TLSv1.2
>>> puppet4 is restricted to TLSv1.2 by default, however it can be loosened in custom-hiera
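The quoting problem worked through in the comments above (a bare `1.1` in settings.yml deserialises as a Float and never matches the string `'1.1'`, so the hardening is silently skipped) is easy to reproduce offline. The following is an added example written for this page, not foreman-proxy or installer code; the two settings.yml fragments are constructed to match what was pasted in the bug, and the `ALL_VERSIONS` model plus the strict/normalised lookup functions are hypothetical, standing in for however a server compares its disabled-version list. It uses `YAML.safe_load` with an explicit class allow-list rather than `YAML.load`, which is the safer way to read a config file that may contain user-controlled values.

```ruby
# Added example: why an unquoted YAML version number silently disables nothing.
# Not project code; the "server" here is a model, not smart-proxy.
require 'yaml'

# Constructed settings.yml fragments, matching the two variants seen in this bug.
QUOTED   = "---\n:tls_disabled_versions:\n- '1.1'\n".freeze
UNQUOTED = "---\n:tls_disabled_versions:\n- 1.1\n".freeze

# Hypothetical model of the versions a server offers before any override.
ALL_VERSIONS = %w[1.0 1.1 1.2].freeze

def load_disabled(yaml_text)
  # safe_load with an explicit allow-list: the symbol key is the only non-basic
  # type we expect; anything else (custom objects, aliases) is rejected.
  doc = YAML.safe_load(yaml_text, permitted_classes: [Symbol])
  Array(doc[:tls_disabled_versions])
end

# Strict comparison: only String entries are honoured. An unquoted 1.1 arrives
# as a Float, is dropped here, and the protocol stays enabled.
def strict_disabled_versions(yaml_text)
  load_disabled(yaml_text).select { |v| v.is_a?(String) }
end

# Tolerant comparison: numeric entries are rendered back to "major.minor".
# Caveat: YAML already collapsed 1.10 to the Float 1.1, so only one-digit minor
# versions survive this round trip; quoting is still the right fix in the file.
def normalized_disabled_versions(yaml_text)
  load_disabled(yaml_text).map do |v|
    v.is_a?(Numeric) ? format('%.1f', v) : v.to_s
  end
end

# Versions the model server would still offer after applying the setting.
def enabled_versions(yaml_text, strict: true)
  disabled = strict ? strict_disabled_versions(yaml_text)
                    : normalized_disabled_versions(yaml_text)
  ALL_VERSIONS - disabled
end

if __FILE__ == $PROGRAM_NAME
  puts "quoted,   strict:     #{enabled_versions(QUOTED).inspect}"
  puts "unquoted, strict:     #{enabled_versions(UNQUOTED).inspect}"
  puts "unquoted, normalised: #{enabled_versions(UNQUOTED, strict: false).inspect}"
end
```

The strict case is the one that bit the bug: the file looks right to a human reader, the service starts without complaint, and TLSv1.1 is still offered on 9090 until a scan catches it. Whichever side is fixed (the installer quoting the rendered value, or the consumer normalising it), the scan in step 4 remains the check that proves the setting took effect.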
1) Configured a 6.3 server with P4 and no configuration overrides, so we still see weak ciphers except for P4's 8140:
# for port in 5647 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers sat-r220-06.lab.eng.rdu2.redhat.com -p $port| grep -e weak -e TLSv -e SSLv ; done
5647:
| TLSv1.0:
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLSv1.1:
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLSv1.2:
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
|_ least strength: weak
9090:
| TLSv1.1:
| TLSv1.2:
8008:
| TLSv1.2:
8140:
| TLSv1.2:
443:
| SSLv3: No supported ciphers found
| TLSv1.0:
| TLSv1.1:
| TLSv1.2:
5000:
| SSLv3: No supported ciphers found
| TLSv1.0:
| TLSv1.1:
| TLSv1.2:
8443:
| TLSv1.2:

2) Registered a RHEL5 client and installed + configured Puppet 4. Ran puppet:
# puppet agent --test --noop --tags no_such_tag --waitforcert 10
Info: Creating a new SSL key for ibm-x3650m4-01-vm-13.lab.eng.bos.redhat.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
...
Notice: /File[/var/lib/puppet/lib/puppet/type/file_line.rb]/ensure: defined content as '{md5}a1eceef6bd7cbfe99892cf3ee57ef2b4'
Info: Loading facts
Info: Applying configuration version '1529006453'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Applied catalog in 0.05 seconds

Worked fine. Marking VERIFIED; Puppet 4 properly supports TLS 1.2, so this is a non-issue.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1950

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.
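The verification in this bug is done by eye: run the nmap loop, read the `TLSv1.x:` lines under each port, and decide whether anything other than TLSv1.2 survived. The following is an added example, not part of this bug or of Satellite, that turns that manual read into a check. It parses the grep-filtered `ssl-enum-ciphers` output in the exact shape pasted in the comments (port line, then `| PROTOCOL:` lines, then `| CIPHER - weak` lines) and reports every port that still offers a protocol outside the allow-list or any cipher nmap flagged as weak. The sample scan is constructed from the scan above; the `- weak` suffix is the older nmap output format shown on this page, so newer nmap releases that print letter grades would need the cipher regex adjusted.

```ruby
# Added example: audit the nmap ssl-enum-ciphers loop output for anything
# other than TLSv1.2. Not project code; the scan text below is constructed
# from the output pasted in this bug.

# Constructed sample, modelled on the "no overrides" scan of a 6.3 server.
SAMPLE_SCAN = <<~'SCAN'
  5647:
  | TLSv1.0:
  | TLS_RSA_WITH_IDEA_CBC_SHA - weak
  | TLSv1.1:
  | TLS_RSA_WITH_IDEA_CBC_SHA - weak
  | TLSv1.2:
  | TLS_RSA_WITH_IDEA_CBC_SHA - weak
  |_ least strength: weak
  9090:
  | TLSv1.1:
  | TLSv1.2:
  8008:
  | TLSv1.2:
  443:
  | SSLv3: No supported ciphers found
  | TLSv1.0:
  | TLSv1.1:
  | TLSv1.2:
  8443:
  | TLSv1.2:
SCAN

ALLOWED_PROTOCOLS = %w[TLSv1.2].freeze

# Parse the grep-filtered output into { port => { protocols: [...], weak: [...] } }.
def parse_scan(text)
  result = {}
  port = nil
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A(\d+):\z/))
      port = m[1].to_i
      result[port] = { protocols: [], weak: [] }
    elsif port && (m = line.match(/\A\|\s*(SSLv\d|TLSv\d\.\d):(.*)\z/))
      # "SSLv3: No supported ciphers found" means nmap probed it and the server
      # refused, so that version is not actually offered; do not count it.
      result[port][:protocols] << m[1] unless m[2].include?('No supported ciphers')
    elsif port && (m = line.match(/\A\|\s*(TLS_\S+)\s+-\s+weak\z/))
      result[port][:weak] << m[1]
    end
  end
  result
end

# Return { port => [finding, ...] } for ports that are not TLSv1.2-only or that
# offer a weak cipher. An empty hash means the hardening took effect everywhere.
def findings(text, allowed: ALLOWED_PROTOCOLS)
  parse_scan(text).each_with_object({}) do |(port, info), out|
    issues = (info[:protocols] - allowed).map { |p| "offers #{p}" }
    issues += info[:weak].uniq.map { |c| "weak cipher #{c}" }
    out[port] = issues unless issues.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Pipe the real loop output in on stdin, or fall back to the sample.
  input = $stdin.tty? ? SAMPLE_SCAN : $stdin.read
  report = findings(input)
  report.each { |port, issues| puts "#{port}: #{issues.join(', ')}" }
  exit(report.empty? ? 0 : 1)
end
```

Run as `for port in ...; do ...; done | ruby tls_audit.rb` after the installer and the service restart; a non-zero exit means at least one port still needs attention, which is exactly the state the earlier FailedQA comments caught by hand on 9090 and 8008.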