Bug 1586271
| Summary: | SSL 64-bit Block Size Cipher Suites Supported (SWEET32) | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Taft Sanders <tasander> |
| Component: | Security | Assignee: | Tomer Brisker <tbrisker> |
| Status: | CLOSED ERRATA | QA Contact: | Mirek Długosz <mzalewsk> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.3.1 | CC: | ajoseph, ktordeur, lzap, mcorr, mhulan, pcreech, tbrisker |
| Target Milestone: | 6.5.0 | Keywords: | Triaged |
| Target Release: | Unused | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-05-14 12:37:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Taft Sanders
2018-06-05 20:28:19 UTC
Essentially the default configuration needs to be changed, e.g. all DES3 removed basically, a good place to help is https://mozilla.github.io/server-side-tls/ssl-config-generator/

Created redmine issue http://projects.theforeman.org/issues/23844 from this bug

Upstream bug assigned to tbrisker

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/23844 has been resolved.

As of Satellite 6.5 snap 10, all DES filters are disabled on default installation:

#v+
# nmap -sT -PN -p 443 localhost --script=ssl-enum-ciphers.nse

Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-09 18:01 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00095s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
#v-

Verified on:
Satellite 6.5 snap 10
pulp-server-2.18.0-0.1.rc.el7sat.noarch
satellite-6.5.0-5.beta.el7sat.noarch
katello-3.10.0-0.6.rc1.el7sat.noarch
foreman-1.20.1.3-1.el7sat.noarch

Reproduced for comparison on:
Satellite 6.4.1 snap 2
pulp-server-2.16.4.1-1.el7sat.noarch
foreman-1.18.0.39-1.el7sat.noarch
katello-3.7.0-8.el7sat.noarch
satellite-6.4.1-1.el7sat.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:1222
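
The verification above reads `ssl-enum-ciphers` output by eye. As an added example (not part of the bug report or of Satellite's code), this script parses that output and lists, per protocol version, every suite whose name denotes a 64-bit block cipher. Both sample outputs are constructed, and the name pattern (3DES, DES, IDEA, RC2) is an assumption about how such suites are named.

```python
import re

# Assumption: 64-bit block ciphers appear under these tokens in suite names.
BLOCK64 = re.compile(r"_WITH_(3DES_EDE|DES40|DES|IDEA|RC2)_")
PROTO = re.compile(r"^(SSLv\d|TLSv\d\.\d):")
SUITE = re.compile(r"^((?:TLS|SSL)_\w+)")

def sweet32_suites(nmap_output):
    """Map protocol version -> 64-bit block cipher suites listed under it."""
    findings, proto = {}, None
    for raw in nmap_output.splitlines():
        line = raw.lstrip("|_ \t")           # drop nmap's script-output gutter
        m = PROTO.match(line)
        if m:
            proto = m.group(1)               # e.g. "TLSv1.2"
            continue
        m = SUITE.match(line)
        # Judge by suite name only; the strength rating column is ignored.
        if m and proto and BLOCK64.search(m.group(1)):
            findings.setdefault(proto, []).append(m.group(1))
    return findings

# Constructed sample: a server that still offers 3DES suites.
SAMPLE_WEAK = """\
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|_  least strength: strong
"""

# Constructed sample: AES-only listing in the same format.
SAMPLE_FIXED = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|_  least strength: strong
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, sweet32_suites(text) or "no 64-bit block cipher suites")
```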