Bug 2117842

Summary: 6.9 -> 6.10 upgrade failed on Candlepin: Failed to open TCP connection to localhost:23443 due to disabling weak encryption on tomcat
Product: Red Hat Satellite
Reporter: matt jia <mjia>
Component: Installer
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED NOTABUG
QA Contact: Gaurav Talreja <gtalreja>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.10.0
CC: ekohlvan
Target Milestone: 6.12.0
Keywords: Triaged, Upgrades
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-08-16 08:33:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description matt jia 2022-08-12 05:31:31 UTC
Description of problem:

Satellite is configured to disable Weak SSL 2.0 and SSL 3.0 Encryption:

# Tomcat / Candlepin
candlepin::tls_versions: [ '1.2', '1.3' ]

in /etc/foreman-installer/custom-hiera.yaml.

This works fine until the 6.10 upgrade. Tomcat shows the error below:

EVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-127.0.0.1-23443"]
java.lang.IllegalArgumentException: java.security.NoSuchAlgorithmException: TLSv1.2,TLSv1.3 SSLContext not available
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.<init>(JSSESocketFactory.java:138)
        at org.apache.tomcat.util.net.jsse.JSSEImplementation.getServerSocketFactory(JSSEImplementation.java:47)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:390)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)

It seems that sslProtocol in server.xml no longer accepts an input such as sslProtocol="TLSv1.2, TLSv1.3".

After commenting out 

candlepin::tls_versions: [ '1.2', '1.3' ],

the upgrade completes successfully.

Version-Release number of selected component (if applicable):

How reproducible:

Easy


Steps to Reproduce:
1. update /etc/foreman-installer/custom-hiera.yaml with candlepin::tls_versions: [ '1.2', '1.3' ]
2. run satellite-installer
3.

Actual results:

candlepin failed

Expected results:

With candlepin::tls_versions: [ '1.2', '1.3' ], satellite-installer perhaps should only update the sslEnabledProtocols on server.xml.

Additional info:

Comment 1 Ewoud Kohl van Wijngaarden 2022-08-15 14:16:17 UTC
> Satellite is configured to disable Weak SSL 2.0 and SSL 3.0 Encryption:
> 
> # Tomcat / Candlepin
> candlepin::tls_versions: [ '1.2', '1.3' ]
> 
> in /etc/foreman-installer/custom-hiera.yaml.

This was never needed to disable SSL 2.0 and 3.0. Since the parameter was introduced (https://github.com/theforeman/puppet-candlepin/commit/d749ba5f8961401cb221598bf93839ba67e95eb1) it (by default) only allowed TLS 1.1 and 1.2.

Since https://github.com/theforeman/puppet-candlepin/commit/1243c9779d88a61e8b83f8b533ed358ec6d60b4c (Foreman 2.1, Satellite 6.8) it defaulted to disabling TLS 1.1.

> This works fine until 6.10 upgrade. Tomcat has below error:
> 
> EVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-127.0.0.1-23443"]
> java.lang.IllegalArgumentException: java.security.NoSuchAlgorithmException: TLSv1.2,TLSv1.3 SSLContext not available
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.<init>(JSSESocketFactory.java:138)
>         at org.apache.tomcat.util.net.jsse.JSSEImplementation.getServerSocketFactory(JSSEImplementation.java:47)
>         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:390)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
>         at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
> 
> It seems that sslProtocol in server.xml no longer accepts an input such as sslProtocol="TLSv1.2, TLSv1.3".

I think it doesn't support TLSv1.3. I'm not sure it ever worked, possibly it just silently ignored it.

> After commenting out 
> 
> candlepin::tls_versions: [ '1.2', '1.3' ],
> 
> the upgrade completes successfully.

This is what you should do, unless you really need TLS 1.3, but I'd consider that an RFE.

Comment 2 matt jia 2022-08-15 22:48:45 UTC
(In reply to Ewoud Kohl van Wijngaarden from comment #1)
> https://github.com/theforeman/puppet-candlepin/commit/1243c9779d88a61e8b83f8b533ed358ec6d60b4c (Foreman 2.1, Satellite 6.8) it defaulted to disabling TLS 1.1.

Okay, that makes sense.

> This is what you should do, unless you really need TLS 1.3, but I'd consider that an RFE.

Right, customers like banks need this feature. I guess we could ditch sslProtocol and use sslEnabledProtocols only as per:

https://confluence.atlassian.com/jirakb/how-to-change-the-ssl-tls-protocols-used-by-tomcat-680395044.html

I'd file an RFE for that. Feel free to close this one if you want.

Thanks,
Matt
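
As an added check (not code from this bug, from Satellite or from puppet-candlepin), the Python lint below reads a Tomcat server.xml and reports the two problems this thread is about: a version list in sslProtocol, which is what produces the NoSuchAlgorithmException in the trace above, and weak versions left in sslEnabledProtocols; harden() shows the attribute layout comment 2 proposes. The server.xml is a constructed sample, with the 23443 connector mirroring Candlepin's port.

```python
import xml.etree.ElementTree as ET

# Anything older than TLSv1.2 in sslEnabledProtocols is reported as weak.
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample (not a file from the bug): a Candlepin-style server.xml.
# The first connector repeats the misconfiguration from this bug, a version
# list in sslProtocol; the second still enables TLSv1 and TLSv1.1.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="23443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" address="127.0.0.1"
               sslProtocol="TLSv1.2,TLSv1.3"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </Service>
</Server>"""

def audit_connectors(xml_text):
    """Return {port: [findings]} for every SSLEnabled connector.

    sslProtocol is handed verbatim to SSLContext.getInstance(), so it must be
    a single algorithm name such as "TLS"; a comma-separated list there fails
    with the NoSuchAlgorithmException seen in the trace above.  The version
    list belongs in sslEnabledProtocols, which must not list weak versions."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        if "," in conn.get("sslProtocol", "TLS"):
            findings.append("sslProtocol holds a version list; use a single "
                            "context name and move the list to sslEnabledProtocols")
        enabled = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")]
        weak = sorted(WEAK_PROTOCOLS.intersection(enabled))
        if weak:
            findings.append("weak protocols enabled: " + ", ".join(weak))
        report[conn.get("port")] = findings
    return report

def harden(attrs, versions=("TLSv1.2", "TLSv1.3")):
    """Return corrected Connector attributes: one context name in sslProtocol
    and the explicit version list in sslEnabledProtocols.  Whether the JVM
    actually offers TLSv1.3 is a separate question (see comment 3)."""
    fixed = dict(attrs)
    fixed["sslProtocol"] = "TLS"
    fixed["sslEnabledProtocols"] = ",".join(versions)
    return fixed
```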

Comment 3 Ewoud Kohl van Wijngaarden 2022-08-16 08:33:28 UTC
(In reply to matt jia from comment #2)
> (In reply to Ewoud Kohl van Wijngaarden from comment #1)
> > This is what you should do, unless you really need TLS 1.3, but I'd consider that an RFE.
> 
> Right, customers like banks need this feature. I guess we could ditch sslProtocol and use sslEnabledProtocols only as per:
> 
> https://confluence.atlassian.com/jirakb/how-to-change-the-ssl-tls-protocols-used-by-tomcat-680395044.html

This is an interesting one. I'll have a closer look.

> I'd file an RFE for that. Feel free to close this one if you want.

I've opened https://github.com/theforeman/puppet-candlepin/pull/223 to see if TLS 1.3 does work by enabling it by default. My suspicion is that you need to be on RHEL 8. We saw the same thing with Apache: RHEL 7 is simply too old.