Description of problem:
SSLv3 is vulnerable to the POODLE vulnerability announced in CVE-2014-3566[0]. Pulp's bindings are configured to use SSLv3 explicitly. These bindings are used by Nodes, pulp-admin, and pulp-consumer, among a few other things.

Version-Release number of selected component (if applicable):
2.4.0-1

How reproducible:
Every time.

Steps to Reproduce:
1. Edit /etc/httpd/conf.d/ssl.conf.
2. Configure this line like this:

SSLProtocol all -SSLv2 -SSLv3

3. Try to use pulp-admin to do something with pulp, like login

Actual results:
[rbarlow@tangerine pulp]$ pulp-admin login -u admin
Enter password:
An error occurred attempting to contact the server. More information can be found in the client log file ~/.pulp/admin.log.
[rbarlow@tangerine pulp]$ tail -n 10 ~/.pulp/admin.log
    result = self.context.server.actions.login(username, password).response_body
  File "/home/rbarlow/devel/pulp/bindings/pulp/bindings/actions.py", line 32, in login
    return self.server.POST(path)
  File "/home/rbarlow/devel/pulp/bindings/pulp/bindings/server.py", line 99, in POST
    return self._request('POST', path, body=body, ensure_encoding=ensure_encoding)
  File "/home/rbarlow/devel/pulp/bindings/pulp/bindings/server.py", line 143, in _request
    response_code, response_body = self.server_wrapper.request(method, url, body)
  File "/home/rbarlow/devel/pulp/bindings/pulp/bindings/server.py", line 327, in request
    raise exceptions.ConnectionException(None, str(err), None)
ConnectionException: (None, 'sslv3 alert handshake failure', None)

Expected results:
pulp-admin should work when Apache is configured to only do TLS.

Additional info:
[0] https://access.redhat.com/articles/1232123
I have learned some more information. M2Crypto is only capable of these protocols: SSLv2, SSLv3, and TLSv1.0. TLSv1.0 is known to be vulnerable to a few attacks as well, such as the BEAST attack[0]. I'm currently researching how unsafe TLSv1.0 would be for Pulp's use case before making a decision, but at this point I am leaning towards looking for a different library than M2Crypto so that we can use TLSv1.1 and 1.2. [0] https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack
Another tidbit: It turns out that if you configure the M2Crypto.SSL.Context with "sslv23", that apparently means "Do any protocol, including TLS 1.1/1.2". :/ This might be an option for us, but this would also require the server to be configured for TLS 1.1/1.2. Ideally, we would refuse to connect to any server that is not willing to do TLS >= v1.1. I'm still looking into whether M2 can be configured to do that.
(In reply to Randy Barlow from comment #2)
> It turns out that if you configure the M2Crypto.SSL.Context with "sslv23",
> that apparently means "Do any protocol, including TLS 1.1/1.2". :/

That's an OpenSSL shenanigan really, likely for historical reasons, pre-dating TLS. You often want to use SSLv23_*method to enable all versions supported by a given OpenSSL version (until Poodle, that usually was SSL3 + TLS1 for older OpenSSL, and more recently TLS 1.0 - 1.2). This needs to be combined with SSL_*set_options to set SSL_OP_NO_SSLv2 and now also SSL_OP_NO_SSLv3.

https://www.openssl.org/docs/ssl/SSL_CTX_new.html

The problem with TLSv1_*method, TLSv1_1_*method and TLSv1_2_*method is that they only enable a specific TLS version, rather than e.g. all TLS 1.x as mentioned above.

I believe M2Crypto has something that directly maps to the underlying OpenSSL API.

Note that if you use SSLv23, your app should automatically use up to TLS 1.0 on RHEL-5 and RHEL-6 before 6.5, and TLS 1.2 on RHEL 6.5 and later, i.e. all versions supported by the underlying OpenSSL.
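The recipe from the comment above (SSLv23 method to negotiate the highest common version, then SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 to subtract the broken ones) together with the "refuse anything below a floor" policy wished for earlier in the thread, written against Python's standard ssl module rather than M2Crypto so it runs without that dependency. This is an added example, not Pulp's code or the fix in the linked pull request; the helper names and the TLS 1.2 default floor are my choices (the thread's own target was TLS >= 1.1).

```python
import ssl

# Protocol versions the stdlib can express, oldest first.
_VERSIONS = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
             ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
# The SSL_OP_NO_* flag that switches each version off (the mechanism Tomas describes).
_NO_FLAG = {ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3,
            ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
            ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
            ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
            ssl.TLSVersion.TLSv1_3: ssl.OP_NO_TLSv1_3}

def make_client_context(minimum="TLSv1_2"):
    """Hypothetical helper: a client context built the way the thread recommends.

    PROTOCOL_TLS_CLIENT is the stdlib name for OpenSSL's SSLv23_method (negotiate
    the highest version both peers support); the weak versions are then subtracted.
    The thread's floor was TLS 1.1; the default here is TLS 1.2. Pass "TLSv1_1" to
    reproduce the thread's policy or "MINIMUM_SUPPORTED" to see the loose case.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # also enables cert and hostname checks
    # SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3, exactly as in Tomas's comment: the POODLE fix.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # minimum_version is the modern replacement for stacking OP_NO_TLSv1* flags.
    ctx.minimum_version = ssl.TLSVersion[minimum]
    return ctx

def negotiable_versions(ctx):
    """Names of the versions the context's own settings still permit (a static
    policy check that reads the context and performs no handshake)."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    allowed = []
    for v in _VERSIONS:
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and v < lo:
            continue  # below the configured floor
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and v > hi:
            continue  # above the configured ceiling
        if ctx.options & _NO_FLAG[v]:
            continue  # switched off by an SSL_OP_NO_* flag
        allowed.append(v.name)
    return allowed

def weak_versions_allowed(ctx):
    """The versions the thread wants refused (SSLv3: POODLE, TLSv1: BEAST) that the
    context would still accept; an empty list means the policy holds."""
    return [name for name in negotiable_versions(ctx) if name in ("SSLv3", "TLSv1")]

if __name__ == "__main__":
    for floor in ("TLSv1_2", "TLSv1_1", "MINIMUM_SUPPORTED"):
        ctx = make_client_context(floor)
        print(floor, negotiable_versions(ctx), "weak:", weak_versions_allowed(ctx))
```

On a client, `weak_versions_allowed()` is the check to put in a unit test so a future refactor cannot quietly reintroduce an SSLv3-only context.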
Thanks Tomas,

To amend my previous comment, M2Crypto in RHEL 5 is only capable of those protocols. M2Crypto in newer versions is capable of TLSv1.1 and TLSv1.2, as you pointed out. Due to the "shenanigans" of openssl, we had configured M2Crypto to only be willing to do sslv3. This PR fixes that issue:

https://github.com/pulp/pulp/pull/1245

As for TLSv1.0, I believe that Pulp is not vulnerable to BEAST because we do not allow code injection via our bindings.
The pull request is ready for review: https://github.com/pulp/pulp/pull/1245/
The build is in progress.

In order to test this, you can configure Apache to only do SSLv2 and SSLv3 by editing /etc/httpd/conf.d/ssl.conf. Set this:

SSLProtocol SSLv2 SSLv3

pulp-admin and Nodes and pulp-consumer should all refuse to connect with Apache configured this way. This will verify that Pulp is not willing to do SSLv2 or SSLv3. Then set it like this:

SSLProtocol all -SSLv2 -SSLv3

Now everything in Pulp should work just fine. This will verify that Pulp can do TLS >= v1.0.

Be sure to test EL5 through EL7 and F19/20, to make sure we haven't broken anything on any of the supported platforms.
Something strange happened when I squashed my branch and that pull request shows no commits. Here is the commit that fixes this issue: https://github.com/pulp/pulp/commit/b5b2586c7323987fcac410b8358f602ed645408f
Fixed in pulp-2.4.3-0.1.beta.
[root@cloud-qe-3 ~]# cat /etc/redhat-release
Fedora release 19 (Schrödinger’s Cat)
[root@cloud-qe-3 ~]#
[root@cloud-qe-3 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol SSLv3
[root@cloud-qe-3 ~]#
[root@cloud-qe-3 ~]#
[root@cloud-qe-3 ~]# pulp-admin repo list
+----------------------------------------------------------------------+
                             Repositories
+----------------------------------------------------------------------+

An error occurred attempting to contact the server. More information can be found in the client log file ~/.pulp/admin.log.

[root@cloud-qe-3 ~]# pulp-consumer register --consumer-id f19-consumer
An error occurred attempting to contact the server. More information can be found in the client log file ~/.pulp/consumer.log.

[root@cloud-qe-3 ~]#
[root@cloud-qe-3 ~]# systemctl restart httpd
[root@cloud-qe-3 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
SSLProtocol all -SSLv2 -SSLv3
#SSLProtocol SSLv3
[root@cloud-qe-3 ~]#
[root@cloud-qe-3 ~]# pulp-consumer register --consumer-id f19-consumer
Authentication Failed

A valid Pulp user is required to register a new consumer. Please double check the username and password and attempt the request again.

[root@cloud-qe-3 ~]#
[root@cloud-qe-3 ~]# pulp-admin repo list
+----------------------------------------------------------------------+
                             Repositories
+----------------------------------------------------------------------+

[root@cloud-qe-3 ~]#


[root@cloud-qe-4 ~]# cat /etc/redhat-release
Fedora release 20 (Heisenbug)
[root@cloud-qe-4 ~]#
[root@cloud-qe-4 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
SSLProtocol SSLv3
[root@cloud-qe-4 ~]#
[root@cloud-qe-4 ~]#
[root@cloud-qe-4 ~]# pulp-admin login -u admin -p admin
An error occurred attempting to contact the server. More information can be found in the client log file ~/.pulp/admin.log.

[root@cloud-qe-4 ~]# pulp-consumer register --consumer-id pulp-f20
An error occurred attempting to contact the server. More information can be found in the client log file ~/.pulp/consumer.log.

[root@cloud-qe-4 ~]#
[root@cloud-qe-4 ~]# pulp-admin login -u admin -p admin
Successfully logged in. Session certificate will expire at Oct 24 19:25:05 2014 GMT.

[root@cloud-qe-4 ~]# vi /etc/pulp/consumer/consumer.conf
[root@cloud-qe-4 ~]#
[root@cloud-qe-4 ~]# pulp-consumer register --consumer-id pulp-f20
Authentication Failed

A valid Pulp user is required to register a new consumer. Please double check the username and password and attempt the request again.

[root@cloud-qe-4 ~]#
[root@cloud-qe-22 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
[root@cloud-qe-22 ~]#
[root@cloud-qe-22 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
SSLProtocol SSLv2 SSLv3
#SSLProtocol all -SSLv2 -SSLv3
[root@cloud-qe-22 ~]# pulp-admin login -u admin -p admin
An error occurred attempting to contact the server. More information can be found in the client log file ~/.pulp/admin.log.

[root@cloud-qe-22 ~]# pulp-consumer register --consumer-id rhel6-client
An error occurred attempting to contact the server. More information can be found in the client log file ~/.pulp/consumer.log.

[root@cloud-qe-22 ~]#
[root@cloud-qe-22 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
#SSLProtocol SSLv2 SSLv3
SSLProtocol all -SSLv2 -SSLv3
[root@cloud-qe-22 ~]# pulp-admin login -u admin -p admin
Successfully logged in. Session certificate will expire at Oct 24 19:50:37 2014 GMT.

[root@cloud-qe-22 ~]# pulp-consumer register --consumer-id rhel6-client
Authentication Failed

A valid Pulp user is required to register a new consumer. Please double check the username and password and attempt the request again.

[root@cloud-qe-22 ~]#
[root@cloud-qe-1-vm-1 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
SSLProtocol SSLv3
#SSLProtocol all -SSLv2 -SSLv3
[root@cloud-qe-1-vm-1 ~]#
[root@cloud-qe-1-vm-1 ~]#
[root@cloud-qe-1-vm-1 ~]# pulp-admin login -u admin -p admin
An error occurred attempting to contact the server. More information can be found in the client log file ~/.pulp/admin.log.

[root@cloud-qe-1-vm-1 ~]# pulp-consumer register --consumer-id rhel7-pulp
An error occurred attempting to contact the server. More information can be found in the client log file ~/.pulp/consumer.log.

[root@cloud-qe-1-vm-1 ~]# cat /etc/httpd/conf.d/ssl.conf |grep SSLProtocol
#SSLProtocol SSLv3
SSLProtocol all -SSLv2 -SSLv3
[root@cloud-qe-1-vm-1 ~]# pulp-admin login -u admin -p admin
Successfully logged in. Session certificate will expire at Oct 24 20:39:50 2014 GMT.

[root@cloud-qe-1-vm-1 ~]# pulp-consumer register --consumer-id rhel7-pulp
Authentication Failed

A valid Pulp user is required to register a new consumer. Please double check the username and password and attempt the request again.

[root@cloud-qe-1-vm-1 ~]# pulp-consumer -u admin -p admin register --consumer-id rhel7-pulp
Consumer [rhel7-pulp] successfully registered
[root@cloud-qe-1-vm-1 ~]#
[root@rhlel5-pulp24 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.10 (Tikanga)
[root@rhlel5-pulp24 ~]#
[root@rhlel5-pulp24 ~]# pulp-consumer -u admin -p admin register --consumer-id rhel5-client
An error occurred attempting to contact the server. More information can be found in the client log file ~/.pulp/consumer.log.

[root@rhlel5-pulp24 ~]# pulp-consumer -u admin -p admin register --consumer-id rhel5-client
Consumer [rhel5-client] successfully registered
[root@rhlel5-pulp24 ~]#
Verified Node is working as well.
This has been fixed with the 2.4.3-1 release.