Bug 1847697
| Summary: | scap stig includes wrong openssl config file | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Silvan Nagl <mail> |
| Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | CentOS Stream | CC: | bstinson, carl, ggasparb, mhaicman, przemub, wsato |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | 8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-06-25 06:57:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Now I just erased everything including all configs, reinstalled them and still. Same Error.

I can't reproduce this. When trying to install old, set it up, test, upgrade, test... I just had to regenerate dh data
# openssl dhparam -out /etc/dovecot/dh.pem 4096
and it worked. Even before it, error message was
"""imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user......"""
I'm testing IMAPS connection with:
openssl s_client -connect localhost:993

Your error message seems odd. What is your crypto policy?
/etc/crypto-policies/config

Try changing /etc/dovecot/conf.d/10-ssl.conf ssl_cipher_list value:
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

If it does not help, could you test default installation with self signed certificate? (it's automatically created)

I did:
dnf erase dovecot
rm -rf /etc/dovecot
dnf install dovecot
cat /etc/crypto-policies/config
DEFAULT
doveconf -Pn
# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# OS: Linux 4.18.0-147.8.1.el8_1.x86_64 x86_64 CentOS Linux release 8.2.2004 (Core)
# Hostname: XXXX
first_valid_uid = 1000
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_dh = </etc/dovecot/dh.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
driver = passwd
}
openssl s_client -connect localhost:993
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 301 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Jun 18 19:47:55 53c70r dovecot[10139]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8: user=<>, rip=200.146.227.146, lip=5.181.49.190, session=<JMdgYF+oht/IkuOS>
Jun 18 19:47:55 53c70r dovecot[10139]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 7 secs): user=<>, rip=200.146.227.146, lip=5.181.49.190, session=<JMdgYF+oht/IkuOS>
Jun 18 19:48:13 53c70r dovecot[10139]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8: user=<>, rip=::1, lip=::1, secured, session=<+KRwYV+o/pEAAAAAAAAAAAAAAAAAAAAB>
There seem to be some steps missing in your last reproducer, this would generate:
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 55: ssl_dh: Can't open file /etc/dovecot/dh.pem: No such file or directory
how did you create dh.pem? I've used command from 10-ssl.conf
openssl dhparam -out /etc/dovecot/dh.pem 4096
and it works fine
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot ready.
I'm testing this on latest rhel8, can't get centos8 machine atm, will retry later. What openssl version do you have on your system?
# rpm -q openssl

I do use my dh params from my web server so it loads fine and I even tested it with openssl again. The error message clearly tells it is trying to do something with the certificate, not even touching the dh param file at all. Anyhow I just regenerated it. Still shows the same error.
rpm -q openssl
openssl-1.1.1c-15.el8.x86_64

I now downgraded to dovecot-1:2.2.36-10.el8.x86_64 again and it works absolutely fine. I'm kinda disappointed that surprisingly it wasn't a config failure but an upgrade to a newer dovecot which just broke my mail server.

I've tried several combinations with older and new openssl versions, all with selinux enabled, even tested with FIPS mode and it works all the time. You are either doing something different or your system has some unusual configuration. Which seems probable as so far I do not see anyone else having similar issue. Do you have any idea why your system could be special? Do you have fully updated system with either correctly (re)labeled selinux context or permissive selinux? Do you see any other errors in your logs that could be in any way related to this or that could indicate what is different?
The system has fapolicyd enabled and it uses [DRAFT] DISA STIG for Red Hat Enterprise Linux 8. Additional boot params are in place:
slab_nomerge slub_debug=FZP vsyscall=none vm.mmap_rnd_compat_bits mds=full,nosmt fips=0

That is quite significant information. I can reproduce this when I do remediate_openssl_crypto_policy from scap stig configuration:
https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh

This updates /etc/pki/tls/openssl.cnf [crypto_policy] section and includes /etc/crypto-policies/back-ends/openssl.config but this file has wrong format:
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:.....
instead of correct format in /etc/crypto-policies/back-ends/opensslcnf.config:
CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:....
and this causes the error you see:
error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:.....

In short: scap should include /etc/crypto-policies/back-ends/opensslcnf.config instead (notice opensslcnf.config instead of openssl.config)

I'm reassigning this to scap-security-guide
---------
@Silvan: You will have to update /etc/pki/tls/openssl.cnf to make sure correct file is included.

O wow, this conclusion was perfect. I really appreciate your work! Thx a lot.

Hello Silvan, thank you for reporting this. Coincidentally we received a duplicate bug just now, therefore closing this as duplicate. Please kindly follow progress in the other bug.

*** This bug has been marked as a duplicate of bug 1850543 ***

*** Bug 1836522 has been marked as a duplicate of this bug. ***
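As an added example (not code from this bug report, from Red Hat or from the ComplianceAsCode project), the following POSIX shell check reads the .include line under [crypto_policy] in an openssl.cnf and verifies that the included file is in the "Key = value" form that opensslcnf.config uses, flagging the bare cipher string form of openssl.config that the remediation pointed at. The paths and file contents it creates under a temporary directory are constructed sample data; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from this bug report or from ComplianceAsCode.
# openssl.cnf's [crypto_policy] section must ".include" opensslcnf.config,
# whose lines are "Key = value" (CipherString = @SECLEVEL=2:...). Including
# openssl.config instead, a bare cipher string, makes ssl_do_config fail with
# "unknown command: section=system_default, cmd=@SECLEVEL" as seen in the log.
# All paths and file contents below are constructed sample data.

# Print the path named by the first .include line inside [crypto_policy].
crypto_policy_include() {
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[[[:space:]]*crypto_policy[[:space:]]*\]/); next }
        insec && /^[[:space:]]*\.include[[:space:]]+/ { print $2; exit }
    ' "$1"
}

# Succeed only if every non-blank, non-comment line has the "Key = value" shape
# that OpenSSL's config parser accepts inside a section.
included_file_is_cnf() {
    ! grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -qvE '^[[:space:]]*[A-Za-z_.][A-Za-z0-9_.]*[[:space:]]*='
}

# 0: openssl.cnf includes a readable, well-formed file; 1: misconfigured.
check_openssl_cnf() {
    inc=$(crypto_policy_include "$1")
    [ -n "$inc" ] && [ -r "$inc" ] && included_file_is_cnf "$inc"
}

# Constructed samples of the two back-end files and of the two openssl.cnf variants.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
echo '@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:-aDSS:-3DES:!DES:!RC4' > "$tmp/openssl.config"
printf '%s\n' 'CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:-aDSS:-3DES:!DES:!RC4' \
    'MinProtocol = TLSv1.2' > "$tmp/opensslcnf.config"
printf '%s\n' 'openssl_conf = default_modules' '[default_modules]' \
    'ssl_conf = ssl_module' '[ssl_module]' 'system_default = crypto_policy' \
    '[crypto_policy]' ".include $tmp/openssl.config" > "$tmp/bad-openssl.cnf"
sed 's#/openssl\.config$#/opensslcnf.config#' "$tmp/bad-openssl.cnf" > "$tmp/good-openssl.cnf"

for cnf in "$tmp/bad-openssl.cnf" "$tmp/good-openssl.cnf"; do
    if check_openssl_cnf "$cnf"; then
        echo "$(basename "$cnf"): OK, includes $(crypto_policy_include "$cnf")"
    else
        echo "$(basename "$cnf"): WRONG, $(crypto_policy_include "$cnf") is not in Key = value form"
    fi
done
```

Pointing check_openssl_cnf at the real /etc/pki/tls/openssl.cnf reports whether the include target is opensslcnf.config-shaped before dovecot or any other OpenSSL consumer trips over it.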
Recently my server upgraded dovecot from 1:2.2.36-10.el8 to 1:2.3.8-2.el8 breaking imaps completely. According to documentation I added ssl_dh which points to a tested valid file. No other changes have been done to the previous server configuration.

X X dovecot[X]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8: user=<>, rip=X, lip=X, session=<X>
X X dovecot[X]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8: user=<>, rip=X, lip=X, session=<X>

config: doveconf -n
auth_mechanisms = login
first_valid_uid = 1000
mail_location = maildir:~/mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap
ssl = required
ssl_cert = </etc/letsencrypt/live/X/fullchain.pem
ssl_cipher_list = PROFILE=SYSTEM
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
verbose_ssl = yes