Description of problem:
Currently the foreman-proxy piece has hard coded SSL ciphers in the following file:
/usr/share/foreman-proxy/lib/poodles-fix.rb
In order for users to pass certain security audits some ciphers need to be disabled, and currently the only approach is to modify the code, remove the offending cipher, and restart foreman-proxy. This workaround does not survive rpm updates and needs to be moved to a configuration file.
There's a PR for smart-proxy that modifies a few ssl-related settings and uses a hand-picked suite of ciphers, which is going to be merged really soon now (see https://github.com/theforeman/smart-proxy/pull/351/files#diff-ac854285ecb308ff8af7509333620b80R3 for the list of ciphers). These changes should be sufficient for the majority of users. A configurable list of ciphers has been proposed too, but will probably be implemented in a separate PR.
no, because the ciphers are still hard coded,
+CIPHERS = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES256-CBC-SHA:AES128
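Review bot: the suite is still a literal constant in source, so the problem from the description stands: an operator who must drop one entry for an audit has to patch the file, and that patch is lost on the next rpm update. Suggest reading the list from the proxy's settings file and keeping this constant only as the fallback default. Note also that the quoted line is cut off after `AES128`, so the full suite cannot be reviewed from this comment.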
Why is it so important to have the list of ciphers configurable? Do we actually want end-users fiddling with it (and troubleshoot misconfigured cipher suites)?
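The two concerns above, a cipher list that survives package updates and the risk of users breaking TLS by misconfiguring it, can be addressed together by loading the list from a settings file and validating each entry before it reaches the SSL context. The following is an added example written for this page; it is not smart-proxy's code or the code from the PR. The `ssl_ciphers` key, the sample YAML, and the weak-cipher patterns are assumptions constructed for the example; the fallback list uses the four fully named entries visible in the fragment quoted above (that fragment is truncated, so this is not the complete upstream suite).

```ruby
require 'openssl'
require 'yaml'

# Hypothetical fallback suite, built only from the fully named entries in the
# quoted fragment above (assumption: not the complete upstream list).
DEFAULT_CIPHERS = %w[
  ECDHE-RSA-AES128-GCM-SHA256
  ECDHE-RSA-AES256-GCM-SHA384
  ECDHE-RSA-AES128-CBC-SHA
  ECDHE-RSA-AES256-CBC-SHA
].freeze

# Name fragments an audit typically flags (NULL/anonymous, RC4, DES/3DES,
# export grade, MD5 MAC). Constructed for this example.
WEAK_PATTERNS = [/NULL/, /ADH/, /AECDH/, /RC4/, /DES/, /EXP/, /MD5/].freeze

# Constructed settings file content; the key name is an assumption.
SAMPLE_SETTINGS_YML = <<~YAML
  ssl_ciphers:
    - ECDHE-RSA-AES256-GCM-SHA384
    - ECDHE-RSA-AES128-GCM-SHA256
    - RC4-SHA
    - NOT-A-REAL-CIPHER
YAML

# Read the configured list; accept either a YAML list or an OpenSSL-style
# colon-separated string. Fall back to the built-in suite when unset, so a
# fresh install works without any edit to the settings file.
def load_cipher_setting(yaml_text)
  settings = YAML.safe_load(yaml_text) || {}
  value = settings['ssl_ciphers']
  return DEFAULT_CIPHERS if value.nil? || (value.respond_to?(:empty?) && value.empty?)

  value.is_a?(String) ? value.split(':') : Array(value).map(&:to_s)
end

# Cipher names the local OpenSSL build actually offers.
def supported_cipher_names
  OpenSSL::SSL::SSLContext.new.ciphers.map(&:first)
end

# Keep only ciphers that are neither weak nor unknown to OpenSSL. Returns the
# accepted list (order preserved) and a hash of rejected name => reason, so an
# operator's typo shows up in the log instead of silently weakening or
# breaking TLS.
def select_ciphers(requested, supported, weak_patterns = WEAK_PATTERNS)
  accepted = []
  rejected = {}
  requested.each do |name|
    if weak_patterns.any? { |re| name.match?(re) }
      rejected[name] = :weak
    elsif !supported.include?(name)
      rejected[name] = :unsupported
    else
      accepted << name
    end
  end
  [accepted, rejected]
end

# Apply the vetted list to an SSL context the way a server would.
def build_ssl_context(cipher_names)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_names.join(':')
  ctx
end

if __FILE__ == $PROGRAM_NAME
  requested = load_cipher_setting(SAMPLE_SETTINGS_YML)
  accepted, rejected = select_ciphers(requested, supported_cipher_names)
  rejected.each { |name, why| warn "dropping #{name}: #{why}" }
  if accepted.empty?
    warn 'no usable ciphers configured, refusing to start'
  else
    ctx = build_ssl_context(accepted)
    puts "enabled: #{ctx.ciphers.map(&:first).join(', ')}"
  end
end
```

Run the file directly and it reads the constructed YAML, drops `RC4-SHA` as weak and `NOT-A-REAL-CIPHER` as unsupported, and prints what OpenSSL enabled. Rejecting rather than silently passing unknown names through is the point: OpenSSL's cipher-string parser ignores entries it does not recognise, which is exactly how a misconfiguration would otherwise go unnoticed until an audit.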
Moving to POST since upstream bug http://projects.theforeman.org/issues/13747 has been closed
-------------
Anonymous
Applied in changeset commit:b73b71a982ce60bdc9ca194d47a4f80c972d661e.
Tested this with GA snap 12. The changes to the proxy itself are there.
What is missing is the setting.yml changes, which seems to be because a related commit to the puppet module code was missed when cherry-picking.
This commit needs to be cherry-picked for the puppet-foreman_proxy module: https://github.com/theforeman/puppet-foreman_proxy/commit/cbda993f92dc5fa37b0398f952c60ddb1ad09b94
Moving to post.
Comment 18 Daniel Lobato Garcia
2016-05-27 15:03:42 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2016:1501