Bug 2134436

Summary: [RFE] Let Apache adhere to system crypto policies
Product: Red Hat Satellite
Reporter: Ganesh Payelkar <gpayelka>
Component: Installation
Assignee: Ewoud Kohl van Wijngaarden <ekohlvan>
Status: CLOSED ERRATA
QA Contact: Griffin Sullivan <gsulliva>
Severity: medium
Priority: medium
Version: 6.11.3
CC: ahumbe, dsinglet, ehelms, ekohlvan, gsulliva, pdudley
Target Milestone: 6.14.0
Keywords: FutureFeature, Triaged
Target Release: Unused
Hardware: x86_64
OS: Linux
Last Closed: 2023-11-08 14:18:02 UTC
Type: Bug

Description Ganesh Payelkar 2022-10-13 12:24:47 UTC
Description of problem:

"Default Apache to using system ciphers" and then in the body say that both SSLCipherSuite and SSLProxyCipherSuite should default to PROFILE=system

Version-Release number of selected component (if applicable):
satellite-6.11.3

How reproducible:
Insights warning 

Actual results:

conf.d/05-foreman-ssl.conf:  SSLProxyEngine On
conf.modules.d/ssl.conf:  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
conf.modules.d/ssl.conf:  SSLProtocol ALL -TLSv1 -TLSv1.1


Expected results:


Additional info:
We are getting an Insights warning for Satellite 6.11 + RHEL 8.

Insights security alert 'Decreased security: httpd crypto-policies overridden' 


Change the options SSLProtocol, SSLCipherSuite and SSLProxyCipherSuite in the configuration in the /etc/httpd directory.
Remove any SSLProtocol lines.
 
Change the values of SSLCipherSuite or SSLProxyCipherSuite accordingly:
 SSLCipherSuite PROFILE=SYSTEM
 SSLProxyCipherSuite PROFILE=SYSTEM
 
Restart the httpd service:
  # systemctl restart httpd.service
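
The Insights remediation quoted in the description (remove SSLProtocol, pin the cipher directives to PROFILE=SYSTEM) can be checked and applied mechanically. The following is an added example, not code from the bug report or from the Satellite installer; it assumes the configuration has already been read from /etc/httpd into strings, and it also treats SSLProxyProtocol (mod_ssl's proxy-side counterpart of SSLProtocol, not named in the report) as an override.

```python
"""Audit httpd config for directives that override the RHEL system-wide crypto policy."""
import re

# Cipher directives must read PROFILE=SYSTEM to follow /etc/crypto-policies;
# any explicit protocol list overrides the policy, so those lines are dropped.
CIPHER_DIRECTIVES = {"sslciphersuite", "sslproxyciphersuite"}
PROTOCOL_DIRECTIVES = {"sslprotocol", "sslproxyprotocol"}
DIRECTIVE_RE = re.compile(r"^\s*(SSL\w+)\s+(.+?)\s*$", re.IGNORECASE)

def _parse(raw):
    """Return (lowercase directive, value) for a config line, or ("", "")."""
    m = DIRECTIVE_RE.match(raw.split("#", 1)[0])  # ignore comments
    return (m.group(1).lower(), m.group(2)) if m else ("", "")

def find_overrides(configs):
    """Return (file, line_no, directive, value) for every override; `configs`
    maps a file name to its text as read from /etc/httpd."""
    findings = []
    for name, text in configs.items():
        for line_no, raw in enumerate(text.splitlines(), 1):
            key, value = _parse(raw)
            if key in PROTOCOL_DIRECTIVES or (
                key in CIPHER_DIRECTIVES and value.upper() != "PROFILE=SYSTEM"
            ):
                findings.append((name, line_no, raw.split()[0], value))
    return findings

def remediate(text):
    """Drop SSLProtocol lines and pin cipher directives to PROFILE=SYSTEM."""
    out = []
    for raw in text.splitlines():
        key, _ = _parse(raw)
        if key in PROTOCOL_DIRECTIVES:
            continue  # the policy decides the protocol set
        if key in CIPHER_DIRECTIVES:
            indent = raw[: len(raw) - len(raw.lstrip())]
            raw = f"{indent}{raw.split()[0]} PROFILE=SYSTEM"
        out.append(raw)
    return "\n".join(out) + "\n"

# Constructed sample mirroring the "Actual results" in the report.
SAMPLE_CONFIGS = {
    "conf.d/05-foreman-ssl.conf": "  SSLProxyEngine On\n",
    "conf.modules.d/ssl.conf": (
        "SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256\n"
        "SSLProtocol ALL -TLSv1 -TLSv1.1\n"
        "# SSLProtocol all  (commented out, so not an override)\n"
        "SSLProxyCipherSuite PROFILE=SYSTEM\n"
    ),
}
```

Running `find_overrides` on the remediated text returns an empty list, which is the condition the Insights rule checks for.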

Comment 1 Bryan Kearney 2022-10-13 16:04:31 UTC
Upstream bug assigned to ekohlvan

Comment 2 Bryan Kearney 2022-10-13 16:04:33 UTC
Upstream bug assigned to ekohlvan

Comment 5 Bryan Kearney 2022-10-24 20:04:23 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/35629 has been resolved.

Comment 6 Griffin Sullivan 2023-05-15 17:15:35 UTC
Verified on stream snap 

Satellite is adhering to custom system policies.

Steps:

1) Follow documentation for customizing system wide cryptographic policies with sub-policies: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#customizing-system-wide-cryptographic-policies-with-subpolicies_using-the-system-wide-cryptographic-policies

Results:

# cat /etc/crypto-policies/state/CURRENT.pol | grep rsa_size
min_rsa_size = 3072

# nmap --script ssl-enum-ciphers localhost -p 443
Starting Nmap 7.70 ( https://nmap.org ) at 2023-05-15 12:01 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Other addresses for localhost (not scanned): ::1

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

Comment 7 Griffin Sullivan 2023-05-15 17:18:25 UTC
Not writing a new test for this BZ as it has more to do with RHEL and Insights than Satellite itself. The changes made were to have Satellite follow the system's settings for crypto policies.

Comment 10 errata-xmlrpc 2023-11-08 14:18:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.14 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6818