Bug 1711172

Summary: Removing TLSv1.0, TLSv1.1 from nss.conf
Product: Red Hat Enterprise Linux 7 Reporter: amitkuma
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified    
Version: 7.6CC: afarley, frenaud, mjahoda, ndehadra, pasik, pvoborni, rcritten, sorlov, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.6.6-1.el7 Doc Type: Bug Fix
Doc Text:
.IdM configures the Apache NSS module to use only TLS 1.2 when installing or updating an IdM server or replica Previously, when an administrator installed an Identity Management (IdM) server or replica, the installer enabled the TLS 1.0, TLS 1.1, and TLS 1.2 protocols in the Apache web server's network security service (NSS) module. This update provides the following changes: * When you set up a new server or replica, IdM only enables the strong TLS 1.2 protocol. * On existing IdM servers and replicas, this update disables the weak TLS 1.0 and TLS 1.1 protocols. As a result, new and updated IdM servers and replicas use only the strong TLS 1.2 protocol in the Apache web server's NSS module.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-31 19:55:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: Red Hat1710435    

Description amitkuma 2019-05-17 07:13:19 UTC 
Problem:

-> Insights reports the following "Decreased security in httpd when using deprecated TLS protocol version (PCI DSS)"
# grep NSSProtocol /etc/httpd/conf.d/nss.conf 
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2


Question?
Why we still have the weak protocols still enabled and then have Insights complain about this.


Action Item:
- Use latest NSS version available.
Comment 3 Florence Blanc-Renaud 2019-06-27 12:52:13 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7995
Comment 4 Florence Blanc-Renaud 2019-07-05 09:00:51 UTC 
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/3d6a2a215ed61255f3275efb67d5e04c474a664b
https://pagure.io/freeipa/c/a5b6f72d4f2a8287c7f095874d71ef536822d20b

Note: the fix applies only to ipa-4-6 branch used for rhel 7.7+
Comment 6 Sergey Orlov 2019-10-08 11:26:38 UTC 
Fix verified for build RHEL-7.8-20191004.0

# rpm -q ipa-server
ipa-server-4.6.6-8.el7.x86_6

# grep NSSProtocol /etc/httpd/conf.d/nss.conf 
#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1"
#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1".
NSSProtocol TLSv1.2
Comment 11 Rob Crittenden 2019-11-01 17:49:58 UTC 
Upstream test
master:
https://pagure.io/freeipa/c/14be2715334e16a2d3f07a6b64bcd6d068ce89c1
Comment 12 Rob Crittenden 2019-11-05 16:32:08 UTC 
ipa-4-8:
https://pagure.io/freeipa/c/686b85b14b14134c32c737c6df2de610153f4323
Comment 13 Sergey Orlov 2019-11-06 08:45:40 UTC 
Test automated at https://github.com/freeipa/freeipa/blob/master/ipatests/test_integration/test_commands.py::TestIPACommand::test_enabled_tls_protocols
Comment 16 errata-xmlrpc 2020-03-31 19:55:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083