Bug 1578389
Summary: | Unsupported RSA_ ciphers should be removed from the default ciphers list | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Asha Akkiangady <aakkiang> | |
Component: | pki-core | Assignee: | Christina Fu <cfu> | |
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | |
Severity: | high | Docs Contact: | Marc Muehlfeld <mmuehlfe> | |
Priority: | high | |||
Version: | 7.5 | CC: | akahat, cfu, cpelland, lmiksik, mharmsen, msauton | |
Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | pki-core-10.5.16-2.el7 | Doc Type: | Bug Fix | |
Doc Text: |
.TLS_RSA_* ciphers are now disabled by default in Certificate System
Previously, by default, TLS_RSA_* ciphers were enabled in Certificate System. However, in environments with certain hardware security modules (HSM) in Federal Information Processing Standard (FIPS) mode, these ciphers are not supported. As a consequence, the SSL handshake failed and the connection was not established. This update disables TLS_RSA_* ciphers by default. As a result, connections work with those HSMs in FIPS mode.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1632120 (view as bug list) | Environment: | ||
Last Closed: | 2019-08-06 13:07:17 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1632120 |
Description
Asha Akkiangady
2018-05-15 13:17:18 UTC
In addition, this bug will cover: * removal of obsolete algorithms from default profiles * adjustment / addition of profiles that conform to KU / EKU consistency in RFC 5280. moved from https://bugzilla.redhat.com/show_bug.cgi?id=1554055#c7 will also address the following issue reported by Alexander Bokovoy (abokovoy) in this bug: CA's CS.cfg contains the following: ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC which is missing SHA384withRSA Please ignore comments #4 and #5. They are taken care of in https://bugzilla.redhat.com/show_bug.cgi?id=1554055 https://review.gerrithub.io/c/dogtagpki/pki/+/424287 commit 04ddc823762b5400f22409bbaceac1a8344708ca (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH, ticket-3028-disable-TLS_RSA-ciphers) Author: Christina Fu <cfu> Date: Fri Aug 31 17:08:30 2018 -0700 Ticket3027 Disable TLS_RSA_* ciphers for HSM in FIPS mode This patch disables the TLS_RSA_* ciphers by default because they do not work with HSMs in FIPS mode. ciphers.info is also updated to reflect the changes. fixes https://pagure.io/dogtagpki/issue/3027 Change-Id: Id720b8697976bb344d6dd8e4471a1bb5403af172 Test procedure: setup with one of the HSMs, enable FIPS mode. Should be able to create an RSA CA and EC CA and other subsystems. If want to see how the fix was working, could enable one of those TLS_RSA_* ciphers and disable others and see that it doesn't work. submitted again due to reversion caused by another bug. info: https://bugzilla.redhat.com/show_bug.cgi?id=1554055#c13 commit 908514da63dd9364df0f17810d9d41bfb5c596d5 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH, ladycfu/ticket-3028-disable-TLS_RSA-ciphers, ticket-3028-disable-TLS_RSA-ciphers) Author: Christina Fu <cfu> Date: Fri Aug 31 17:08:30 2018 -0700 Ticket3027 Disable TLS_RSA_* ciphers for HSM in FIPS mode This patch disables the TLS_RSA_* ciphers by default because they do not work with HSMs in FIPS mode. ciphers.info is also updated to reflect the changes. fixes https://pagure.io/dogtagpki/issue/3027 Change-Id: Id720b8697976bb344d6dd8e4471a1bb5403af172 just FYI: The patch re-submitted is exactly the same as what was submitted in comment #7. I tested this BZ on 10.5.16-2.el7 version. I enabled TLS_RSA_* algorithms and as expected they are not working. Marking this Bugzilla as verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2228 |