1154687 – POODLE: force using safe ciphers (non-SSLv3) in IPA client and server

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1154687 - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server

Summary: POODLE: force using safe ciphers (non-SSLv3) in IPA client and server

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.5
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1146905 (view as bug list)
Depends On:	1153739 1154776 1166316 1171848
Blocks:	1057564 1156466
TreeView+	depends on / blocked

Reported:	2014-10-20 14:17 UTC by Andrew Dingman
Modified:	2015-07-22 07:38 UTC (History)
CC List:	12 users (show)
Fixed In Version:	ipa-3.0.0-46.el6
Doc Type:	Bug Fix
Doc Text:	When IdM servers were configured to require the TLS protocol version 1.1 (TLSv1.1) or later in the httpd server, the ipa utility failed. With this update, running ipa works as expected with TLSv1.1 or later.
Clone Of:
Clones:	1156466 (view as bug list)
Environment:
Last Closed:	2015-07-22 07:38:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1462	0	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2015-07-21 14:14:52 UTC

Description Andrew Dingman 2014-10-20 14:17:40 UTC

Description of problem: When the IPA servers in an infrastructure are configured to require TLS 1.1 or higher in httpd, the 'ipa' command-line tool fails.


Version-Release number of selected component (if applicable): RHEL 6.5


How reproducible: Always


Steps to Reproduce:
1. Install IPA
2. Run "ipa user-show admin" to confirm functionality
3. Edit /etc/httpd/conf.d/nss.conf to require TLS 1.1 or 1.2 only
4. attempt "ipa user-show admin" or any other ipa subcommand.

Actual results: The ipa command fails to contact the servers


Expected results: The ipa command operates normally


Additional info: A testbed reproducer is being built in Amazon EC2. I'm happy to clone the testbed and share AMI with anyone working on the bug.

Comment 3 Andrew Dingman 2014-10-20 14:25:02 UTC

I added the link to 1057564 at hkario's request. I also believe this may be related to bug 1146905.

Comment 4 Rob Crittenden 2014-10-20 15:10:34 UTC

mod_nss upstream just added support for TLS 1.2 three days ago so I'm surprised you were even able to start Apache with this configured.

If you add -vv to ipa you'll get a more specific error. I'm seeing this against an upstream master build on Fedora 20:

$ ipa -vv user-show admin
<ship>
ipa: ERROR: cannot connect to 'https://ipa.example.comcom/ipa/json': (SSL_ERROR_PROTOCOL_VERSION_ALERT) Peer reports incompatible or unsupported protocol version.

So it appears the client isn't enabling TLS v1.1. I don't see the updated TLS range protocol in python-nss, SSL_VersionRangeSet, and I think that is the only way to enable > TLS 1.0 support in NSS.

Here is what ssltap spits out:

Connected to grindle.greyoak.com:443
Read EOF on Client socket. [Mon Oct 20 11:01:04 2014]
Read EOF on Server socket. [Mon Oct 20 11:01:04 2014]
Connection 6 Complete [Mon Oct 20 11:01:04 2014]
Connection #7 [Mon Oct 20 11:05:33 2014]
Connected to grindle.greyoak.com:443
--> [
(105 bytes of 100)
SSLRecord { [Mon Oct 20 11:05:33 2014]
   0: 16 03 01 00  64                                     | ....d
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 100 (0x64)
   handshake {
   0: 01 00 00 60                                         | ...`
      type = 1 (client_hello)
      length = 96 (0x000060)
         ClientHelloV3 {
            client_version = {3, 1}
            random = {...}
   0: 3f 58 98 2c  ad b2 c3 16  41 c0 84 f2  53 98 77 a6  | ?X.,....A...S.w.
  10: ed 66 b1 3f  12 4e db d6  76 f0 4b 40  cc 59 08 50  | .f.?.N..v.K@.Y.P
            session ID = {
                length = 0
                contents = {...}
            }
            cipher_suites[11] = {
                (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
                (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
                (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
                (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                (0x002f) TLS/RSA/AES128-CBC/SHA
                (0x0035) TLS/RSA/AES256-CBC/SHA
                (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x0005) SSL3/RSA/RC4-128/SHA
                (0x0004) SSL3/RSA/RC4-128/MD5
            }
            compression[1] = {
                (00) NULL
            }
            extensions[33] = {
              extension type server_name, length [24] = {
   0: 00 16 00 00  13 67 72 69  6e 64 6c 65  2e 67 72 65  | .....grindle.gre
  10: 79 6f 61 6b  2e 63 6f 6d                            | yoak.com
              }
              extension type renegotiation_info, length [1] = {
   0: 00                                                  | .
              }
            }
         }
   }
}
]
<-- [
(7 bytes of 2)
SSLRecord { [Mon Oct 20 11:05:33 2014]
   0: 15 03 02 00  02                                     | .....
   type    = 21 (alert)
   version = { 3,2 }
   length  = 2 (0x2)
   fatal: protocol_version
   0: 02 46                                               | .F
}
]
Read EOF on Server socket. [Mon Oct 20 11:05:33 2014]
Read EOF on Client socket. [Mon Oct 20 11:05:33 2014]
Connection 7 Complete [Mon Oct 20 11:05:33 2014]

Comment 5 John Dennis 2014-10-20 16:40:33 UTC

python-nss does not have support for the SSL_VersionRange* methods which appeared in NSS Version 3.14. 

I will update python-nss with support for SSL_VersionRange.

Comment 6 Andrew Dingman 2014-10-20 17:19:59 UTC

With "NSSProtocol TLSv1.1,TLSv1.2" on a set of RHEL 6.5 IPA servers, we were able to start the service, obtain Kerberos credentials, and open the web interface from Firefox on Fedora 20. I didn't check what TLS protocol version was actually negotiated, so it's entirely possible that TLSv1.2 was not in fact available. Since then, the same servers have been running with "NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2" and we have not observed any loss of functionality. This was on Friday 2014-10-17.

Comment 7 Rob Crittenden 2014-10-20 17:51:44 UTC

It appears that mod_nss ignores protocols it doesn't know as long as at least one is enabled:

[Mon Oct 20 13:49:30.094365 2014] [:warn] [pid 13698] NSSProtocol:  Unknown protocol 'tlsv1.2' not supported

With TLSv1.0 enabled the command-line client should function ok.

Comment 8 Martin Kosek 2014-10-20 18:00:36 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4653

Comment 9 John Dennis 2014-10-22 17:24:11 UTC

Please see bug #1154776. A scratch build of python-nss-0.16.0 is available which includes support for the SSL version range API.

Comment 10 Martin Kosek 2014-10-24 14:20:00 UTC

The fix should also contain any other POODLE fix.

Comment 11 John Dennis 2014-10-27 14:58:55 UTC

Please see bug #1154776. Rob asked for some additional features which were added, they are described in bug #1154776 as well as where to find a scratch build and SRPM.

Please test and report, if all looks good I'll cut a Mozilla release for python-nss 0.16.0 and then produce RPM's from that.

Comment 12 Martin Kosek 2014-11-21 09:44:41 UTC

*** Bug 1146905 has been marked as a duplicate of this bug. ***

Comment 13 Martin Kosek 2014-12-15 11:56:32 UTC

Removing RHEL-7 bug as dependency.

Comment 15 Stanislav Zidek 2015-03-27 14:49:40 UTC

There is an inconsistency in behaviour introduced by fixing this bug.

On RHEL-7.1, ipa-python-4.1.0-18.el7.x86_64, utilities like "ipa ping" support ssl protocol range (tls1.0, tls1.2), which is configured in /usr/lib/python2.7/site-packages/ipalib/constants.py.

Same configuration is on RHEL-6.7, but the protocol version range defaults to (tls1.1, tls1.2). Actually, values from constants.py are completely ignored due to the way the connection is established:

        (major, minor, micro, releaselevel, serial) = sys.version_info
        if major == 2 and minor < 7:
            conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
        else:
            conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
                                 tls_version_min=api.env.tls_version_min,
                                 tls_version_max=api.env.tls_version_max)

Since there is python version 2.6, the connection is created by NSSHTTPS, which does not take api.env.tls_version* values into account.

Comment 17 Kaleem 2015-05-13 12:45:31 UTC

Verified.

IPA version:
============
ipa-server-3.0.0-46.el6.x86_64


Snip from automation log:
=========================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipaserverinstall_bz1154687: check IPA server uses safe ciphers now
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Installing IPA Server (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo xxxxxxxx|kinit admin' (Expected 0, got 0)
:: [   PASS   ] :: Changing NSS Protocol to TLS1.2 (Expected 0, got 0)
:: [   PASS   ] :: Command 'service ipa restart' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ipa user-show admin' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sleep 2 | openssl s_client -connect 127.0.0.1:443 > /tmp/bz1154687.txt 2>&1' (Expected 0, got 0)
:: [   PASS   ] :: Command 'cat /tmp/bz1154687.txt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz1154687.txt' should contain 'Protocol  : TLSv1.2' 
:: [   PASS   ] :: Changing NSS Protocol to TLS1.1 (Expected 0, got 0)
:: [   PASS   ] :: Command 'service ipa restart' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ipa user-show admin' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sleep 2 | openssl s_client -connect 127.0.0.1:443 > /tmp/bz1154687.txt 2>&1' (Expected 0, got 0)
:: [   PASS   ] :: Command 'cat /tmp/bz1154687.txt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz1154687.txt' should contain 'Protocol  : TLSv1.1' 
:: [   PASS   ] :: Changing NSS Protocol to TLS1.0 (Expected 0, got 0)
:: [   PASS   ] :: Command 'service ipa restart' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ipa user-show admin' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sleep 2 | openssl s_client -connect 127.0.0.1:443 > /tmp/bz1154687.txt 2>&1' (Expected 0, got 0)
:: [   PASS   ] :: Command 'cat /tmp/bz1154687.txt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz1154687.txt' should contain 'Protocol  : TLSv1' 
:: [   PASS   ] :: Changing NSS Protocol to SSLv3 (Expected 0, got 0)
:: [   PASS   ] :: Command 'service ipa restart' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ipa user-show admin > /tmp/bz1154687.txt 2>&1' (Expected 1, got 1)
:: [   PASS   ] :: Command 'cat /tmp/bz1154687.txt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz1154687.txt' should contain '(SSL_ERROR_UNSUPPORTED_VERSION) Peer using unsupported version of security protocol.' 
:: [   PASS   ] :: Command 'sleep 2 | openssl s_client -connect 127.0.0.1:443 > /tmp/bz1154687.txt 2>&1' (Expected 0, got 0)
:: [   PASS   ] :: Command 'cat /tmp/bz1154687.txt' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/bz1154687.txt' should contain 'Protocol  : SSLv3' 
:: [   PASS   ] :: Restoring NSS Protocol to state before test (Expected 0, got 0)
:: [   PASS   ] :: Command 'service ipa restart' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 14m 29s
:: [   LOG    ] :: Assertions: 30 good, 0 bad
:: [   PASS   ] :: RESULT: ipaserverinstall_bz1154687: check IPA server uses safe ciphers now

Comment 19 errata-xmlrpc 2015-07-22 07:38:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1462.html

Note You need to log in before you can comment on or make changes to this bug.