Bug 2222665

Summary: Connect pcsd TLS configuration to RHEL crypto policies
Product: Red Hat Enterprise Linux 9
Reporter: Tomas Jelinek <tojeline>
Component: pcs
Assignee: Tomas Jelinek <tojeline>
Status: NEW
QA Contact: cluster-qe <cluster-qe>
Severity: medium
Priority: medium
Version: 9.0
CC: cluster-maint, idevat, mlisik, mpospisi, omular, tojeline
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug

Description Tomas Jelinek 2023-07-13 11:53:57 UTC
Description of problem:
Currently, it is possible to configure the TLS ciphers and other options used by pcsd in /etc/sysconfig/pcsd. The default value is hardcoded in the pcsd source. RHEL (and Fedora) provides a system-wide crypto policies framework, which allows TLS settings to be configured in one place for the entire OS and all applications. This has the benefit of easy management: disabling a weak cipher can be done in a single place. Pcsd should connect to this framework.


Version-Release number of selected component (if applicable):
pcs-0.11.7


How reproducible:
always, easily


Steps to Reproduce:
1. update-crypto-policies --set DEFAULT
2. nmap -p 2224 {pcsd node} --script +ssl-enum-ciphers
3. update-crypto-policies --set FIPS
4. nmap -p 2224 {pcsd node} --script +ssl-enum-ciphers
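The reproducer above compares two nmap scans by eye. The following script is an added example (not part of the bug report or of pcs) that does the comparison mechanically: it extracts the cipher suites from two captures of `nmap -p 2224 <pcsd node> --script +ssl-enum-ciphers`, taken under the DEFAULT and FIPS policies, and reports whether the set pcsd offers actually changed. The two captures embedded below are constructed sample nmap output, not scans of a real node; the function names are this example's own. An "unchanged" verdict for DEFAULT vs FIPS is the behaviour this bug describes.

```shell
#!/bin/sh
# Added example, not code from the bug report or from pcs.
# Compare two captures of `nmap -p 2224 <pcsd node> --script +ssl-enum-ciphers`
# (steps 2 and 4 of the reproducer) and tell whether pcsd's offered cipher
# suites changed with the crypto policy.

# extract_ciphers: read nmap ssl-enum-ciphers output on stdin and print the
# sorted, de-duplicated set of suite names (nmap prints TLS 1.3 suites as
# TLS_AKE_WITH_...). Version headers like "TLSv1.2:" do not match "TLS_".
extract_ciphers() {
    sed -n 's/^|[[:space:]]*\(TLS_[A-Z0-9_]*\).*/\1/p' | LC_ALL=C sort -u
}

# compare_captures BEFORE AFTER: "unchanged" if both captures offer exactly
# the same suites, "changed" otherwise.
compare_captures() {
    before=$(extract_ciphers < "$1")
    after=$(extract_ciphers < "$2")
    if [ "$before" = "$after" ]; then echo unchanged; else echo changed; fi
}

# dropped_ciphers BEFORE AFTER: suites offered in BEFORE but absent in AFTER,
# i.e. what a stricter policy such as FIPS is expected to remove.
dropped_ciphers() {
    after_list=$(mktemp)
    extract_ciphers < "$2" > "$after_list"
    extract_ciphers < "$1" | grep -vxF -f "$after_list" || true
    rm -f "$after_list"
}

# Constructed sample captures (not real scan output). The FIPS sample drops
# the ChaCha20 suites and uses a NIST curve, as a FIPS policy would require.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
DEFAULT_CAPTURE="$WORKDIR/default.txt"
FIPS_CAPTURE="$WORKDIR/fips.txt"

cat > "$DEFAULT_CAPTURE" <<'EOF'
PORT     STATE SERVICE
2224/tcp open  efi-mg
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|_  least strength: A
EOF

cat > "$FIPS_CAPTURE" <<'EOF'
PORT     STATE SERVICE
2224/tcp open  efi-mg
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
EOF

printf 'DEFAULT vs DEFAULT: %s\n' "$(compare_captures "$DEFAULT_CAPTURE" "$DEFAULT_CAPTURE")"
printf 'DEFAULT vs FIPS:    %s\n' "$(compare_captures "$DEFAULT_CAPTURE" "$FIPS_CAPTURE")"
echo "Suites the FIPS policy removed:"
dropped_ciphers "$DEFAULT_CAPTURE" "$FIPS_CAPTURE"
```

To use it against a real node, redirect the output of steps 2 and 4 to two files and pass them to `compare_captures`; "unchanged" means pcsd is still using its hardcoded cipher list. Note that, as the additional info below says, an older nmap does not enumerate TLSv1.3, so the TLSv1.3 section will only appear in captures made with a new enough nmap.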


Actual results:
TLS ciphers used by pcsd do not depend on the current crypto policy


Expected results:
TLS ciphers used by pcsd are set by the current crypto policy


Additional info:
nmap-7.91-12.el9 doesn't show TLSv1.3; use nmap-7.93-2.fc38


Proposed solution:
Make 'PROFILE=SYSTEM' the default for PCSD_SSL_CIPHERS