1303175 – Installation: allow customization of cipher list before actual installation

Bug 1303175 - Installation: allow customization of cipher list before actual installation

Summary: Installation: allow customization of cipher list before actual installation

Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Endi Sukma Dewata
QA Contact:	Asha Akkiangady
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:	1373962
TreeView+	depends on / blocked

Reported:	2016-01-29 18:44 UTC by Matthew Harmsen
Modified:	2016-11-04 05:22 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit) Certificate System now supports setting SSL ciphers for individual installation Previously, if an existing Certificate Server had customized cipher set that did not overlap with the default ciphers used during the installation, a new instance could not be installed to work with existing instances. With this update, Certificate System enables you to customize the SSL cipher using a two-step installation, which avoids this problem. To set the ciphers during a Certificate System instance installation: 1. Prepare a deployment configuration file that includes the "pki_skip_configuration=True" option. 2. Pass the deployment configuration file to the "pkispawn" command to start the initial part of the installation. 3. Set the ciphers in the "sslRangeCiphers" option in the `/var/lib/pki/<instance>/conf/server.xml` file. 4. Replace the "pki_skip_configuration=True" option with "pki_skip_installation=True" in the deployment configuration file. 5. Run the same "pkispawn" command to complete the installation. Certificate System now supports setting SSL ciphers for individual installation Previously, if an existing Certificate Server had customized cipher set that did not overlap with the default ciphers used during the installation, a new instance could not be installed to work with existing instances. With this update, Certificate System enables you to customize the SSL cipher using a two-step installation, which avoids this problem. To set the ciphers during a Certificate System instance installation: 1. Prepare a deployment configuration file that includes the "pki_skip_configuration=True" option. 2. Pass the deployment configuration file to the "pkispawn" command to start the initial part of the installation. 3. Set the ciphers in the "sslRangeCiphers" option in the `/var/lib/pki/<instance>/conf/server.xml` file. 4. Replace the "pki_skip_configuration=True" option with "pki_skip_installation=True" in the deployment configuration file. 5. Run the same "pkispawn" command to complete the installation.
Clone Of:
Clones:	1373962 (view as bug list)
Environment:	(edit)
Last Closed:	2016-11-04 05:22:48 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2396	normal	SHIPPED_LIVE	pki-core bug fix and enhancement update	2016-11-03 13:55:03 UTC

Description Matthew Harmsen 2016-01-29 18:44:10 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/pki/ticket/1644

Case being a site has customized its cipher lists (sslRangeCiphers) in server.xml throughout all CS instances.
new cipher list being a lot more stringent.

When installing new cs instance, the default ciphers does not overlap with the already-installed servers, including the Security Domain CA, hence making it not able to connect.
Workaround is to loosen the ciphers on the SD CA and possibly others required during installation; however, that is not ideal, as it requires making changes and restarting the affected servers and changing them back later.

It would make better sense to allow admin to customize the cipher list of the to-be-installed instance before the actual installation.

Comment 2 Matthew Harmsen 2016-06-10 15:50:51 UTC

fixed by edewata:

This can be done without adding new parameters: http://pki.fedoraproject.org/wiki/Custom_Installation#Customizing_TLS_cipher_list

Comment 4 Roshni 2016-09-06 17:51:31 UTC

[root@auto-hv-02-guest05 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.3.3
Release     : 8.el7
Architecture: noarch
Install Date: Sun 04 Sep 2016 05:27:32 PM EDT
Group       : System Environment/Daemons
Size        : 2430595
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.3.3-8.el7.src.rpm
Build Date  : Tue 30 Aug 2016 03:23:27 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Followed http://pki.fedoraproject.org/wiki/Custom_Installation#Customizing_TLS_cipher_list to customize cipher list before CA configuration.

Comment 12 errata-xmlrpc 2016-11-04 05:22:48 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html

Note You need to log in before you can comment on or make changes to this bug.