Bug 1553875

Summary: [RFE] (6.3) Enable TLSv1.2 in satellite 6.
Product: Red Hat Satellite    Reporter: Satellite Program <pm-sat>
Component: Other    Assignee: Stephen Benjamin <stbenjam>
Status: CLOSED ERRATA    QA Contact: Lukas Pramuk <lpramuk>
Severity: medium    Docs Contact:
Priority: medium
Version: 6.1.8    CC: ahuchcha, anazmy, aruzicka, bkearney, bmidwood, dgupte, ehelms, gkonda, gpayelka, hshukla, inecas, jcallaha, jcrumple, jdeenada, jwildman, lpramuk, mkalyat, mlele, mlinden, mmccune, mmithaiw, mshimura, paldeala, pcreech, rahranja, rajgupta, sauchter, schamilt, shbharad, vijsingh
Target Milestone: Unspecified    Keywords: FutureFeature, Triaged
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: foreman-proxy-1.15.6.5-1,foreman-installer-1.15.6.9-1,katello-installer-base-3.4.5.32-1,foreman-installer-1.15.6.10-1,foreman-proxy-1.15.6.6-1,foreman-installer-1.15.6.11-1 Doc Type: Enhancement
Doc Text:
we need docs to outline how to disable TLS 1.0 and 1.1 and go to 1.2 only:

1. Change content of /etc/foreman-installer/custom-hiera.yaml:

---
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']

# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']

# Puppet 3
puppet::server::passenger::ssl_protocol: '-ALL +TLSv1.2'

# Apache
apache::mod::ssl::ssl_protocol: ['-ALL', '+TLSv1.2']

# Candlepin
candlepin::tls_versions: ['1.2']
---

2. Run satellite-installer to apply changes
Story Points: ---
Clone Of: 1331041 Environment:
Last Closed: 2018-06-19 20:17:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1545876    

Comment 2 Mike McCune 2018-05-16 21:48:39 UTC
This RFE is already in Satellite 6.3.1 *except* for the qpid stack which we are including in 6.3.2 with the addition of:

https://bugzilla.redhat.com/show_bug.cgi?id=1570003

Comment 3 Mike McCune 2018-05-23 16:07:32 UTC
custom-hiera.yaml settings to disable TLS 1.1 for all services but the dispatch router:


---
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']

# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']

# Puppet 3
puppet::server::passenger::ssl_protocol: 'ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2'

# Apache
apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1',
'-TLSv1.1', '+TLSv1.2']

# Candlepin
candlepin::tls_versions: ['1.2']

QPID Dispatch router instructions will be added when available.

Comment 4 Lukas Pramuk 2018-05-24 06:58:43 UTC
Can you please also paste in the Puppet 4 setting for CUs who'll be/are on Puppet 4?

Comment 5 Lukas Pramuk 2018-05-30 11:45:13 UTC
FailedQA.

@satellite-6.3.1-3.el7sat.noarch
foreman-installer-1.15.6.8-1.el7sat.noarch
katello-installer-base-3.4.5.29-2.el7sat.noarch
foreman-proxy-1.15.6.4-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

1) Add custom settings into /etc/foreman-installer/custom-hiera.yaml
# cat >> /etc/foreman-installer/custom-hiera.yaml << EOF
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']

# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']

# Puppet 3
puppet::server::passenger::ssl_protocol: '-ALL +TLSv1.2'

# Apache
apache::mod::ssl::ssl_protocol: ['-ALL', '+TLSv1.2']

# Candlepin
candlepin::tls_versions: ['1.2']
EOF

2) Run install to apply custom settings 
# satellite-installer

3) Check TLS protocols
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.1: 
|   TLSv1.2: 

>>> smart-proxy has issue !!!

8008:
|   TLSv1.1: 
|   TLSv1.2: 

>>> dynflow has issue !!!

8140:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 

>>> puppet3 is OK

443:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 

>>> passenger is OK

5000:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 

>>> crane is OK

8443:
|   TLSv1.1: 
|   TLSv1.2: 

>>> tomcat has issue

Comment 6 Lukas Pramuk 2018-05-30 11:53:50 UTC
Maybe some services weren't refreshed after the configuration change (i.e. installer bugs).

4) Restart services
# katello-service restart

5) Check TLS protocols once again
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.1: 
|   TLSv1.2: 

>>> smart-proxy issue persists !!!

8008:
|   TLSv1.1: 
|   TLSv1.2: 

>>> dynflow issue persists !!!

8443:
|   TLSv1.1: 
|   TLSv1.2: 

>>> tomcat changed its mind, which means there is an installer bug (the tomcat service is not refreshed after a config change)

Comment 7 Satellite Program 2018-05-30 12:15:12 UTC
Upstream bug assigned to stbenjam

Comment 8 Lukas Pramuk 2018-05-30 12:39:23 UTC
For tomcat in the previous comment it should of course be TLSv1.2 only:

8443:
|   TLSv1.2:


For dynflow and smart-proxy the tls setting is not populated >>> installer issue 


# grep -A2 tls /etc/foreman-proxy/settings.yml
<empty>

# grep -A2 tls /etc/smart_proxy_dynflow_core/settings.yml 
<empty>

# grep -rn tls_disabled_versions /usr/share/foreman*
<empty>

>>> the installer and also the foreman-proxy code are missing

Comment 11 Lukas Pramuk 2018-06-12 10:53:18 UTC
FailedQA.

@satellite-6.3.2-1.el7sat.noarch (Snap2)
foreman-installer-1.15.6.9-1.el7sat.noarch
katello-installer-base-3.4.5.31-1.el7sat.noarch
foreman-proxy-1.15.6.5-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

by steps described in comment#5 and comment#6:

5) Check TLS protocols once again (after services restart)
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.1: 
|   TLSv1.2: 

>>> smart-proxy issue persists !!!

8008:
|   TLSv1.1: 
|   TLSv1.2: 

>>> dynflow issue persists !!!


The only progress made is that the foreman-proxy tls setting is now populated but still not reflected, while the dynflow_core tls setting is not even populated !!!

# grep -A2 tls /etc/foreman-proxy/settings.yml 
:tls_disabled_versions:
  - 1.1

# grep -A2 tls /etc/smart_proxy_dynflow_core/settings.yml 
<empty>



When I quoted the result in /etc/foreman-proxy/settings.yml
:tls_disabled_versions:
  - '1.1'

and restarted the foreman-proxy service, I got it working:

9090:
|   TLSv1.2:

Comment 13 Stephen Benjamin 2018-06-12 11:28:35 UTC
6.3 needs this for the installer:
  https://github.com/theforeman/puppet-foreman_proxy/commit/27b398192b9994a043f2d99fe46170d979eb487b#diff-4046205259659dfbef70f2a1d598d20d

I will look into the quoting issue. It's probably a difference in how the installer is handling things, but without quotes it'll be interpreted as a float, and that's probably correct behaviour.

> YAML.load("\n---\n:tls_disabled_versions:\n  - '1.1'\n")[:tls_disabled_versions].first.class
=> String
> YAML.load("\n---\n:tls_disabled_versions:\n  - 1.1\n")[:tls_disabled_versions].first.class
=> Float
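
The typing point made in the comment above (a bare `1.1` loads as a Float, `'1.1'` as a String) is easy to reproduce and to defend against. The Ruby below is an added example written for this page; it is not smart-proxy, installer or Satellite code. It loads two constructed settings.yml fragments shaped like the ones quoted in this thread, runs each through a hypothetical strict consumer that looks the value up exactly as loaded (which silently drops the Float entry, matching the scans where TLSv1.1 stayed enabled) and through a normalising consumer, and reports which TLS versions each leaves enabled. The OpenSSL option constants are real; both consumer functions are illustrative.

```ruby
require 'yaml'
require 'openssl'

# Constructed settings.yml fragments (not copied from a real host): the
# installer-written unquoted list seen in this thread and the hand-quoted
# list that worked.
UNQUOTED_SETTINGS = "---\n:tls_disabled_versions:\n  - 1.1\n"
QUOTED_SETTINGS   = "---\n:tls_disabled_versions:\n  - '1.1'\n"

# Load the file the way the comment above does. Newer Psych renames the
# permissive loader to unsafe_load; the symbol keys in settings.yml need it.
def load_settings(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Version string -> OpenSSL option bit that switches that version off.
TLS_OPTIONS = {
  '1.0' => OpenSSL::SSL::OP_NO_TLSv1,
  '1.1' => OpenSSL::SSL::OP_NO_TLSv1_1,
  '1.2' => OpenSSL::SSL::OP_NO_TLSv1_2
}.freeze

# Hypothetical strict consumer (an illustration, not smart-proxy's code): it
# looks each entry up exactly as loaded. A Float 1.1 never equals the String
# '1.1', so the unquoted entry is dropped and TLSv1.1 stays enabled.
def disabled_options_strict(settings)
  Array(settings[:tls_disabled_versions]).map { |v| TLS_OPTIONS[v] }.compact
end

# Hardened consumer: normalise every entry to a String before the lookup and
# fail loudly on a version it does not know, instead of ignoring it.
def disabled_options_normalised(settings)
  Array(settings[:tls_disabled_versions]).map do |v|
    TLS_OPTIONS.fetch(v.to_s) { raise ArgumentError, "unknown TLS version #{v.inspect}" }
  end
end

# Versions still offered once a combined option mask is applied; useful for
# asserting the intended end state ('1.2' only) before restarting a service.
def enabled_versions(option_mask)
  TLS_OPTIONS.reject { |_, bit| (option_mask & bit) != 0 }.keys
end

if __FILE__ == $PROGRAM_NAME
  [UNQUOTED_SETTINGS, QUOTED_SETTINGS].each do |text|
    settings = load_settings(text)
    klass  = settings[:tls_disabled_versions].first.class
    strict = disabled_options_strict(settings).reduce(0, :|)
    normal = disabled_options_normalised(settings).reduce(0, :|)
    puts "#{klass}: strict consumer leaves #{enabled_versions(strict)}, " \
         "normalised consumer leaves #{enabled_versions(normal)}"
  end
end
```

The normalising consumer is the defensive choice: it makes the config mean the same thing whether the installer quotes the value or not, and an unknown version becomes a startup error rather than a service that quietly keeps an old protocol enabled.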

Comment 20 Lukas Pramuk 2018-06-13 11:45:58 UTC
FailedQA.

@satellite-6.3.2-1.el7sat.noarch
foreman-installer-1.15.6.10-1.el7sat.noarch
katello-installer-base-3.4.5.32-1.el7sat.noarch
foreman-proxy-1.15.6.5-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch


by steps described in comment#5 and comment#6:

5) Check TLS protocols once again (after services restart)
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.1: 
|   TLSv1.2: 

>>> smart-proxy issue persists !!!

8008:
|   TLSv1.2: 
8140:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
443:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
5000:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
8443:
|   TLSv1.2:

Comment 21 Lukas Pramuk 2018-06-13 11:55:49 UTC
More debug info:

# grep foreman_proxy::tls /etc/foreman-installer/custom-hiera.yaml
foreman_proxy::tls_disabled_versions: ['1.1']   << quoted
    
   vs.

# grep -A2 tls /etc/foreman-proxy/settings.yml 
:tls_disabled_versions:
  - 1.1     << unquoted, so ignored !!!



While dynflow_core is happy:

# grep ::dynflow:: /etc/foreman-installer/custom-hiera.yaml
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']  << quoted  

   vs.

# grep -A1 tls /etc/smart_proxy_dynflow_core/settings.yml 
:tls_disabled_versions: ["1.1"]   << quoted

Comment 28 Lukas Pramuk 2018-06-14 16:23:27 UTC
VERIFIED.

@satellite-6.3.2-1.el7sat.noarch (Snap5)
foreman-installer-1.15.6.11-1.el7sat.noarch
katello-installer-base-3.4.5.32-1.el7sat.noarch
foreman-proxy-1.15.6.6-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

1) Add custom settings into /etc/foreman-installer/custom-hiera.yaml
# cat >> /etc/foreman-installer/custom-hiera.yaml << EOF
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']

# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']

# Puppet 3
puppet::server::passenger::ssl_protocol: '-ALL +TLSv1.2'

# Puppet4 
# hardened by default to TLSv1.2, no need to set
# puppet::server_ssl_protocols: ['TLSv1.2']

# Apache
apache::mod::ssl::ssl_protocol: ['-ALL', '+TLSv1.2']

# Candlepin
candlepin::tls_versions: ['1.2']
EOF

2) Run installer to apply custom settings 
# satellite-installer

3) Restart services, in case some were not refreshed
# katello-service restart

4) Check TLS protocols
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers $(hostname) -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.2: 
8008:
|   TLSv1.2: 
8140:
|   TLSv1.2: 
443:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
5000:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
8443:
|   TLSv1.2: 

5) Upgrade to Puppet4
# subscription-manager repos --enable rhel-7-server-satellite-6.3-puppet4-rpms
# satellite-installer --upgrade-puppet

6) Check Puppet4
# nmap --script +ssl-enum-ciphers $(hostname) -p 8140| grep -e weak -e TLSv -e SSLv
|   TLSv1.2: 

>>> smart-proxy, dynflow_core, puppet3, passenger, crane, tomcat can be restricted to use only TLSv1.2
>>> puppet4 is restricted to TLSv1.2 by default, however it can be loosened in custom-hiera
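
The verification loop above is read by eye in every round of this thread. As an added example, not part of the bug report or of the Satellite tooling, the Ruby script below parses the grep-filtered output of that nmap loop and flags any port that still offers a protocol other than TLSv1.2, or a cipher that ssl-enum-ciphers grades as weak, so the check can be re-run mechanically after each satellite-installer pass. The embedded sample scan is constructed from the shapes of output seen in this thread, not captured from a real host; treating "No supported ciphers found" as "version not offered" (the reading applied to the SSLv3 lines above) is an assumption noted in the code.

```ruby
# Constructed sample (not a real scan): the grep-filtered output of the
# thread's nmap loop for three ports, covering a port still offering TLSv1.0
# and 1.1 with a weak cipher, a port still offering TLSv1.1, and a clean port.
SAMPLE_SCAN = <<~SCAN
  5647:
  |   TLSv1.0:
  |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
  |   TLSv1.1:
  |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
  |   TLSv1.2:
  |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
  |_  least strength: weak
  9090:
  |   TLSv1.1:
  |   TLSv1.2:
  443:
  |   SSLv3: No supported ciphers found
  |   TLSv1.2:
SCAN

PORT_RE   = /\A(\d+):\z/
PROTO_RE  = /\A\|\s+(SSLv\d|TLSv\d\.\d):\s*(.*)\z/
CIPHER_RE = /\A\|\s+(TLS_\S+)\s+-\s+(\w+)/

# Parse the loop output into { port => { protocols: [...], weak: [...] } }.
# Assumption: a version nmap reports as "No supported ciphers found" was
# probed but not negotiated, so it is recorded as not offered.
def parse_scan(text)
  ports = {}
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    if (m = PORT_RE.match(line))
      current = ports[m[1].to_i] = { protocols: [], weak: [] }
    elsif current && (m = PROTO_RE.match(line))
      current[:protocols] << m[1] unless m[2].include?('No supported ciphers')
    elsif current && (m = CIPHER_RE.match(line))
      # ssl-enum-ciphers grades each cipher; only the "weak" grade is kept.
      current[:weak] << m[1] if m[2] == 'weak'
    end
  end
  ports
end

ALLOWED_PROTOCOLS = ['TLSv1.2'].freeze

# Ports that violate the "TLSv1.2 only, no weak ciphers" policy, with the
# reason for each, keyed by port number.
def offending_ports(ports, allowed = ALLOWED_PROTOCOLS)
  ports.each_with_object({}) do |(port, info), bad|
    extra = info[:protocols] - allowed
    next if extra.empty? && info[:weak].empty?
    bad[port] = { protocols: extra, weak: info[:weak].uniq }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Pass a file captured from the nmap loop as the first argument, or run
  # with no arguments to evaluate the constructed sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_SCAN
  bad = offending_ports(parse_scan(text))
  if bad.empty?
    puts 'all scanned ports offer TLSv1.2 only and no weak ciphers'
  else
    bad.each do |port, why|
      puts "#{port}: extra protocols #{why[:protocols].inspect}, weak ciphers #{why[:weak].inspect}"
    end
  end
end
```

To use it against a live host, redirect the output of the `for port in ...; do ...; done` loop to a file and pass that file as the argument. Scan the public hostname rather than localhost, as the verified run above does, so the check exercises the same listener a client would reach.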

Comment 30 Mike McCune 2018-06-14 20:04:58 UTC
1) Configured a 6.3 server with P4 and no configuration overrides, so we still see weak ciphers except for P4's 8140:

# for port in 5647 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers sat-r220-06.lab.eng.rdu2.redhat.com -p $port| grep -e weak -e TLSv -e SSLv ; done
5647:
|   TLSv1.0: 
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|   TLSv1.1: 
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|   TLSv1.2: 
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|_  least strength: weak
9090:
|   TLSv1.1: 
|   TLSv1.2: 
8008:
|   TLSv1.2: 
8140:
|   TLSv1.2: 
443:
|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|   TLSv1.1: 
|   TLSv1.2: 
5000:
|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|   TLSv1.1: 
|   TLSv1.2: 
8443:
|   TLSv1.2: 

2) registered a RHEL5 client and installed + configured Puppet 4. Ran puppet:

# puppet agent --test --noop --tags no_such_tag --waitforcert 10
Info: Creating a new SSL key for ibm-x3650m4-01-vm-13.lab.eng.bos.redhat.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
...
Notice: /File[/var/lib/puppet/lib/puppet/type/file_line.rb]/ensure: defined content as '{md5}a1eceef6bd7cbfe99892cf3ee57ef2b4'
Info: Loading facts
Info: Applying configuration version '1529006453'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Applied catalog in 0.05 seconds

worked fine. Marking VERIFIED, Puppet 4 properly supports TLS 1.2 so this is a non-issue.

Comment 32 errata-xmlrpc 2018-06-19 20:17:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1950

Comment 36 Red Hat Bugzilla 2024-01-06 04:25:26 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days