Bug 2216445

Summary: cdn_ssl_version Setting enforces at most TLS1.0 version
Product: Red Hat Satellite
Reporter: Pavel Moravec <pmoravec>
Component: Inter Satellite Sync
Assignee: satellite6-bugs <satellite6-bugs>
Status: NEW
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: high
Priority: high
Version: 6.12.0
CC: ahumbe, hyu, paji, rlavi
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: If docs needed, set a value

Description Pavel Moravec 2023-06-21 12:11:00 UTC
Description of problem:
cdn_ssl_version allows using a lower SSL/TLS version for communication via proxy *and* also with an upstream Satellite as an alternative to CDN (when Network Sync ISS is used).

The setting has only two possible values: SSLv23 and TLSv1 (1.0 is meant, per my experiments). That is 1) too coarse, 2) implemented in the way "use *exactly* that version", since:

https://github.com/katello/katello/blob/master/app/lib/katello/resources/cdn.rb#L114

sets "use this SSL/TLS version and no other (lower or higher)" (Zhenech++ ewoud++ for pointing me here).

Since Sat (at least 6.13) requires TLS1.2 as minimum, this setting(*) practically prohibits ISS.

(*) .. sometimes even when I re-set / remove the setting, which is strange; having Setting[:cdn_ssl_version] = nil should set net.ssl_version = nil, which should not enforce anything - but per my tests, only TLS1.0 is used..?

Let's have a more fine-tuned setting there and also allow higher values (via s/net.ssl_version/net.min_version/ , ewoud++).


Version-Release number of selected component (if applicable):
A downstream Sat (any version) ISS-ing from 6.13 or higher (since 6.12 allows(?) TLS1.0)


How reproducible:
100%


Steps to Reproduce:
1. Set Administer -> Settings -> Content -> "CDN SSL version" to the highest possible version (TLSv1)
2. Set ISS from another Satellite 6.13 or higher: Content -> Subscriptions -> Manage Manifest -> CDN Configuration -> Network Sync -> provide upstream Sat details (incl. SSL debug cert)
3. Attempting to Update fails with some "tls mismatch"-like error.

Optional scenario:
- don't have the CDN SSL version set (yet)
- set up the ISS (even here it might fail! sometimes)
- try to enable a Red Hat repo - unwrapping a repository set shows no available repo, even though the upstream Satellite has synced repos from the Repository Set (the cause is that the downstream Satellite fails to contact the upstream Satellite due to TLS1.0 and silently claims "no repo to offer")


Actual results:
see above


Expected results:
ISS can be configured and allows enabling a repo even when the CDN SSL version config is set (to a reasonable value).


Additional info:

Comment 1 Pavel Moravec 2023-06-23 11:24:23 UTC
Just the tiny fix does not fully work on Sat6.12:

2023-06-23T12:34:59 [I|app|778d47e8] Backtrace for 'Action failed' error (ArgumentError): unrecognized version "TLSv1"
 778d47e8 | /usr/share/ruby/openssl/ssl.rb:171:in `set_minmax_proto_version'
 778d47e8 | /usr/share/ruby/openssl/ssl.rb:171:in `min_version='
 778d47e8 | /usr/share/ruby/openssl/ssl.rb:141:in `block in set_params'

was raised when I changed the code that way. I succeeded with (noob) code:

          # @ssl_version holds the cdn_ssl_version setting; net is the Net::HTTP instance
          unless @ssl_version.nil?
            # 0 means "no minimum version" for min_version=; otherwise require at least TLS 1.0
            net.min_version = @ssl_version == "SSLv23" ? 0 : OpenSSL::SSL::TLS1_VERSION
          end
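As an added example (not code from this report or from Katello) of the difference the description and comment 1 turn on: a loopback server that, like Satellite 6.13, requires TLS 1.2 or newer, contacted once by a client configured with ssl_version= (pinned to exactly TLS 1.0, as cdn.rb does today) and once with min_version= (a floor only, using the integer constant that min_version= accepts instead of the "TLSv1" string from the ArgumentError). The self-signed certificate, the hostname and the helper names are constructed for the demo.

```ruby
require 'openssl'
require 'socket'
# Self-signed certificate for the loopback "upstream Satellite" (constructed for this demo).
def demo_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=upstream.example')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# One handshake against a server that, like Satellite 6.13, requires TLS 1.2 or newer;
# configure.call(ctx) applies the client-side setting under test. Returns the negotiated
# protocol ("TLSv1.2" or "TLSv1.3") or nil when the handshake is rejected.
def handshake(configure)
  cert, key = demo_cert
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key = key
  server_ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  tcp = TCPServer.new('127.0.0.1', 0)
  server = Thread.new do
    OpenSSL::SSL::SSLServer.new(tcp, server_ctx).accept.close
  rescue StandardError
    nil # a rejected client (or the listener being closed) is the expected failure path
  end
  sock = nil
  begin
    client_ctx = OpenSSL::SSL::SSLContext.new
    client_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # demo only: no CA for the self-signed cert
    configure.call(client_ctx)
    sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', tcp.addr[1]), client_ctx)
    sock.sync_close = true
    sock.connect
    sock.ssl_version
  rescue OpenSSL::SSL::SSLError, ArgumentError
    nil
  ensure
    sock&.close
    tcp.close
    server.join(5)
  end
end
# What cdn.rb does today: ssl_version= pins both the minimum and the maximum to TLS 1.0.
PINNED_TO_TLS1 = ->(ctx) { ctx.ssl_version = 'TLSv1' }
# The fix the report proposes: min_version= sets only a floor, so TLS 1.2/1.3 still negotiate.
FLOOR_AT_TLS1 = ->(ctx) { ctx.min_version = OpenSSL::SSL::TLS1_VERSION }
```

handshake(PINNED_TO_TLS1) returns nil (the TLS 1.2-only server rejects the pinned client), while handshake(FLOOR_AT_TLS1) returns "TLSv1.2" or "TLSv1.3".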