Bug 1713082

Summary: When setting up mod_ssl, define range of the TLS protocols within the system-wide crypto policy
Product: Red Hat Enterprise Linux 8
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: high
Version: 8.0
CC: cheimes, ksiddiqu, pvoborni, rcritten, sumenon, tscherf, twoerner
Target Milestone: rc
Target Release: 8.1
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-11-05 20:53:20 UTC

Description Rob Crittenden 2019-05-22 19:59:06 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/7667

With the system-wide crypto policy that allows only to use TLS 1.2 and TLS 1.3, FreeIPA still sets TLS 1.0 as allowed one in mod_ssl configuration. We need to fix FreeIPA installer to:

- detect current crypto policy settings
- change generator of mod_ssl config to use TLS range defined by the current crypto policy

On Fedora Rawhide this can be seen with `update-crypto-policy --set FUTURE` -- you need to use git master of dogtag/jss/tomcatjss packages to get through the actual installation (I fixed that and dogtag will release new packages soon) but FreeIPA still sets:

```
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
```

Comment 2 Christian Heimes 2019-07-01 13:00:23 UTC
We cannot use the system-wide crypto policies for IPA yet. The default policy enables TLS 1.3, but there are some compatibility issues with TLS 1.3 and post-handshake authentication. The current fix only enables TLS 1.2 by default and prepares TLS 1.3 support for a future release.

Fixed upstream
master:
https://pagure.io/freeipa/c/c484d79ecfa1cc284b47b88377a4c2da23b9db2f
https://pagure.io/freeipa/c/b57c818fab3bb9627a8c287766cdb5bd8071c837

Comment 13 Kaleem 2019-08-28 11:57:46 UTC
```
[root@master ~]# grep SSLProtocol /etc/httpd/conf.d/ssl.conf
#SSLProtocol all -SSLv3
SSLProtocol TLSv1.2
[root@master ~]# openssl s_client -connect master.testrelm.test:443 -tls1_1
CONNECTED(00000003)
140335361099584:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 133 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1566993157
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
[root@master ~]# openssl s_client -connect master.testrelm.test:443 -tls1_3
CONNECTED(00000003)
140345829889856:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 246 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
[root@master ~]# openssl s_client -connect master.testrelm.test:443 -tls1_2
CONNECTED(00000003)
depth=1 O = TESTRELM.TEST, CN = Certificate Authority
verify return:1
depth=0 O = TESTRELM.TEST, CN = master.testrelm.test
verify return:1
---
Certificate chain
 0 s:O = TESTRELM.TEST, CN = master.testrelm.test
   i:O = TESTRELM.TEST, CN = Certificate Authority
 1 s:O = TESTRELM.TEST, CN = Certificate Authority
   i:O = TESTRELM.TEST, CN = Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=O = TESTRELM.TEST, CN = master.testrelm.test

issuer=O = TESTRELM.TEST, CN = Certificate Authority

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3216 bytes and written 324 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A1C7CF7A8C789FC5E7FD31390B8FC40CB09C9E728A3FE9C00E011EDD939C1D68
    Session-ID-ctx: 
    Master-Key: 105CD7ADDADDBC050A8BD42D35BB2F42C2D0AD3C96ACC43DBEC6FA439625A0755DF53518379A294192B5C97DB062265C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 9c c0 33 12 6f 58 f4 85-4c 70 7c 94 ac b4 a1 e5   ..3.oX..Lp|.....
    0010 - 3d 2d 84 ed f4 78 63 27-6a 42 7e 62 cb 50 db ff   =-...xc'jB~b.P..
    0020 - 45 55 15 1d 15 d9 46 fe-91 27 95 f9 12 94 ed 5b   EU....F..'.....[
    0030 - 3a 1f 7f 42 2d 57 49 29-c4 7c c1 85 7d 33 36 b2   :..B-WI).|..}36.
    0040 - c7 0d 75 e2 85 a0 bf cb-94 9f 9d ab fa c0 6f 95   ..u...........o.
    0050 - c1 73 16 01 30 e4 70 27-51 f7 95 54 68 8b 99 e9   .s..0.p'Q..Th...
    0060 - b9 9a 2a aa d0 8d b3 d6-1a 2a 4f 67 31 1f 6e 42   ..*......*Og1.nB
    0070 - 47 f4 03 59 f1 21 b2 91-ff 54 bc bf f4 c0 a6 36   G..Y.!...T.....6
    0080 - a8 33 a8 2d 54 75 e2 72-e0 b8 3e 11 72 99 22 e6   .3.-Tu.r..>.r.".
    0090 - 15 90 d7 0b 74 1d 6f 2a-bb 94 4e a5 22 24 b2 99   ....t.o*..N."$..
    00a0 - 39 31 8e 0a ff 02 d0 00-e9 4a a4 17 40 33 0c ca   91.......J..@3..
    00b0 - 1c 21 ac a5 ff d0 b7 f9-e1 b2 c8 ca c4 28 48 cb   .!...........(H.
    00c0 - fa 6b e5 a7 72 05 13 65-f0 33 37 87 8b e0 f2 91   .k..r..e.37.....
    00d0 - 29 7f 0e a1 e1 44 e5 64-47 ae 7b 98 9d a8 26 e2   )....D.dG.{...&.

    Start Time: 1566993163
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
^C
[root@master ~]# rpm -q ipa-server
ipa-server-4.8.0-9.module+el8.1.0+4011+fd4be199.x86_64
[root@master ~]#
```
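
The two steps the description asks of the installer (read the crypto policy's TLS range, then generate the mod_ssl directive from it) and the check comment 13 performs by hand (confirm the deployed `SSLProtocol` line allows nothing below that range) are shown together below as an added example. This is not FreeIPA's installer code and not from the linked commits. It assumes, as a constructed sample rather than a file read from a real host, that the crypto-policies OpenSSL back-end states the range as `MinProtocol = ...` / `MaxProtocol = ...` lines; the cap `app_max="TLSv1.2"` mirrors comment 2, where the fix deliberately stops at TLS 1.2 even when the policy permits 1.3.

```python
"""Added example (not FreeIPA's own code): derive a mod_ssl SSLProtocol
directive from the system-wide crypto policy, and audit an existing one
against that policy with mod_ssl's own all/+/- token semantics."""
from typing import Dict, List, Set, Tuple

# Protocol names as mod_ssl spells them, oldest first (SSLv2 is long gone
# from OpenSSL and is not part of mod_ssl's "all" any more).
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_RANK: Dict[str, int] = {name: i for i, name in enumerate(PROTOCOLS)}

# Constructed sample of a crypto-policies back-end file (assumed format,
# not copied from any host).
SAMPLE_POLICY = """\
CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.3
"""


def policy_range(text: str) -> Tuple[str, str]:
    """Return (lowest, highest) protocol the policy text permits."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if sep and key in ("MinProtocol", "MaxProtocol"):
            if value not in _RANK:
                raise ValueError("unknown protocol in policy: %r" % value)
            found[key] = value
    if "MinProtocol" not in found:
        raise ValueError("policy does not state MinProtocol")
    lo = found["MinProtocol"]
    hi = found.get("MaxProtocol", PROTOCOLS[-1])   # no ceiling stated
    if _RANK[lo] > _RANK[hi]:
        raise ValueError("MinProtocol is above MaxProtocol")
    return lo, hi


def ssl_protocol_directive(lo: str, hi: str, app_max: str = "TLSv1.2") -> str:
    """Render the SSLProtocol line for the policy range, capped at the
    highest version the application is prepared to speak (app_max)."""
    ceiling = min(_RANK[hi], _RANK[app_max])
    if _RANK[lo] > ceiling:
        # The policy demands a version the application cannot offer; fail
        # closed rather than silently re-enabling something older.
        raise ValueError("policy minimum %s exceeds application maximum %s"
                         % (lo, PROTOCOLS[ceiling]))
    enabled = PROTOCOLS[_RANK[lo]:ceiling + 1]
    return "SSLProtocol " + " ".join(enabled)


def enabled_protocols(directive: str) -> Set[str]:
    """Evaluate an SSLProtocol line: bare or '+name' adds, '-name' removes,
    'all' expands to every version mod_ssl knows."""
    tokens = directive.split()
    if not tokens or tokens[0] != "SSLProtocol":
        raise ValueError("not an SSLProtocol directive")
    enabled: Set[str] = set()
    for tok in tokens[1:]:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(PROTOCOLS) if name.lower() == "all" else {name}
        if not names <= set(PROTOCOLS):
            raise ValueError("unknown protocol token: %r" % tok)
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def versions_below_policy(directive: str, policy_min: str) -> List[str]:
    """Versions the directive enables that the policy forbids (empty list
    means the configuration is compliant)."""
    return sorted((p for p in enabled_protocols(directive)
                   if _RANK[p] < _RANK[policy_min]), key=_RANK.get)


if __name__ == "__main__":
    lo, hi = policy_range(SAMPLE_POLICY)
    print(ssl_protocol_directive(lo, hi))
    # Audit the directive the description reports as the pre-fix state.
    print(versions_below_policy("SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2", lo))
```

`versions_below_policy` reproduces in code what the `-tls1_1` and `-tls1_3` handshakes in comment 13 test against a live server; running it over the `SSLProtocol` line from `ssl.conf` catches a regression before a socket is ever opened, and it also understands the commented-out `all -SSLv3` form, which would enable TLS 1.0 and 1.1 under a TLS 1.2 minimum.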

Comment 15 errata-xmlrpc 2019-11-05 20:53:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3348