Description of problem: Currently the foreman-proxy piece has hard-coded SSL ciphers in the following file: /usr/share/foreman-proxy/lib/poodles-fix.rb In order for users to pass certain security audits some ciphers need to be disabled, and currently the only approach is to modify the code, remove the offending cipher, and restart foreman-proxy. This workaround does not survive rpm updates and needs to be moved to a configuration file.
There's a PR for smart-proxy that modifies a few ssl-related settings and uses a hand-picked suite of ciphers, which is going to be merged really soon now (see https://github.com/theforeman/smart-proxy/pull/351/files#diff-ac854285ecb308ff8af7509333620b80R3 for the list of ciphers). These changes should be sufficient for the majority of users. A configurable list of ciphers has been proposed too, but will probably be implemented in a separate PR.
Any reason why the ciphers are hard coded and not available from a config file?
+CIPHERS = 'RSA+AESGCM:RSA+AES+SHA256:RSA+AES+SHA'
Hi Shannon, will the solution proposed by Dmitri address this request?
No, because the ciphers are still hard coded:
+CIPHERS = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES256-CBC-SHA:AES128
Why is it so important to have the list of ciphers configurable? Do we actually want end-users fiddling with it (and troubleshoot misconfigured cipher suites)?
Created redmine issue http://projects.theforeman.org/issues/13747 from this bug
Upstream bug component is Capsule
Moving to POST since upstream bug http://projects.theforeman.org/issues/13747 has been closed
-------------
Anonymous
Applied in changeset commit:b73b71a982ce60bdc9ca194d47a4f80c972d661e.
FAILEDQA: the fix didn't seem to land in sat 6.2.0 Beta GA11.0. Can you verify this has been cherry-picked?
# rpm -qa foreman-proxy
foreman-proxy-1.11.0.3-1.el6sat.noarch
Tested this with GA snap 12. The changes to the proxy itself are there. What is missing is the setting.yml changes, which seems to be because a related commit to the puppet module code was missed when cherry-picking. This commit needs to be cherry-picked for the puppet-foreman_proxy module: https://github.com/theforeman/puppet-foreman_proxy/commit/cbda993f92dc5fa37b0398f952c60ddb1ad09b94 Moving to post.
Verified as setting.yml now contains the boilerplate code for that option - https://gitlab.sat.lab.tlv.redhat.com/satellite6/puppet-foreman_proxy/commit/6993ea6c9eeff75f18ce2b1a0d5eecb63a446020
Setting them there would've worked before that commit too.
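Added example, not smart-proxy's or the puppet module's own code: a small Ruby sketch of the configurable cipher list discussed in the first comments and in the settings.yml follow-up above. It reads the OpenSSL cipher string from a settings document (the key name :ssl_ciphers, the default list and the sample settings text are assumptions), applies it to an SSLContext, and reports which suites the running OpenSSL actually enables for it, which is the check an auditor wants after editing the setting rather than the code.

```ruby
require 'openssl'
require 'yaml'

# Hypothetical default, modelled on the hard-coded constant quoted in this thread.
DEFAULT_CIPHERS = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'

# Constructed stand-in for a settings.yml; the :ssl_ciphers key is an assumed name.
SAMPLE_SETTINGS = <<~YAML
  :ssl_ciphers: 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'
YAML

# Read the cipher string from a settings document; fall back to the default
# when the key is absent or blank, so a bare settings file still gets a sane list.
def cipher_string_from(yaml_text)
  settings = YAML.safe_load(yaml_text, permitted_classes: [Symbol]) || {}
  value = settings[:ssl_ciphers]
  value.nil? || value.strip.empty? ? DEFAULT_CIPHERS : value
end

# Apply the string to an SSLContext and return the concrete suite names OpenSSL
# enabled for it. A string that matches no TLS 1.2 suite raises
# OpenSSL::SSL::SSLError, which is the error an operator sees for a typo in the
# setting. On OpenSSL 1.1.1+ the list also contains the TLS 1.3 suites, which
# are governed separately from this cipher string.
def enabled_suites(cipher_string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string
  ctx.ciphers.map(&:first)
end

# Audit helper: explicitly named suites in the configured string that the
# running OpenSSL did not enable (disabled at build time or by security level).
# Grouped expressions such as RSA+AESGCM are skipped since they are not names.
def missing_suites(cipher_string)
  wanted = cipher_string.split(':').reject { |c| c.include?('+') }
  wanted - enabled_suites(cipher_string)
end

if __FILE__ == $PROGRAM_NAME
  configured = cipher_string_from(SAMPLE_SETTINGS)
  puts "configured: #{configured}"
  puts "enabled:    #{enabled_suites(configured).join(', ')}"
  puts "missing:    #{missing_suites(configured).inspect}"
end
```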
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1501