Bug 1305779 - Weak ciphers and sslv3 on satellite
Status: CLOSED DUPLICATE of bug 1153826
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Security
6.1.5
Assigned To: satellite6-bugs
Katello QA List
: Security
Depends On:
Blocks: 1432305 sat6-poodle 1305938
Reported: 2016-02-09 03:51 EST by Abel Lopez
Modified: 2017-03-15 10:20 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-27 08:15:34 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Abel Lopez 2016-02-09 03:51:13 EST
Description of problem:
Default httpd configs support SSLv3, which causes Satellite to get flagged by security auditors checking for SSLv3 POODLE.

Version-Release number of selected component (if applicable):
6.1.5

How reproducible:
Every time

Steps to Reproduce:
1. Install satellite
2. use any generic SSL checker
3.

Actual results:
Red flag for potentially being vulnerable for having SSLv3 and weak ciphers.

Expected results:
Should be more secure

Additional info:
Had to edit /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf.d/25-puppet.conf
Comment 1 Kurt Seifried 2016-02-09 11:18:29 EST
This is Kurt from Product Security, just to let you know we're keeping an eye on this and I'll be talking to the Satellite 6 people about it. Thanks for reporting this!
Comment 2 Kurt Seifried 2016-02-09 13:03:21 EST
So for securing the SSL/TLS config a good resource is:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

For Apache 2.4/OpenSSL 1.0.1e (RHEL7)

SSLProtocol             all -SSLv2 -SSLv3

SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

SSLHonorCipherOrder     on
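Since the report says Satellite was flagged by an SSL checker, a quick way to confirm that an ssl.conf has the three properties listed above before re-running the scanner is to lint the directives. The following is an added example, not part of this bug or of Satellite; the two embedded configs are constructed samples (the "hardened" one abbreviates the cipher string from the comment above), and the exclusion list is an assumption of what such an audit usually looks for.

```python
import re

# Constructed samples (not from the bug): a stock-style config that still
# permits SSLv3, and an abbreviated form of the directives posted above.
WEAK_CONF = """\
# SSLv2 is disabled but SSLv3 is still negotiable
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
"""
HARDENED_CONF = """\
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder     on
"""

# Exclusions an auditor expects in the cipher string (assumed list)
REQUIRED_EXCLUSIONS = ("!aNULL", "!eNULL", "!EXPORT", "!DES", "!RC4", "!MD5")


def parse_directives(conf_text):
    """Return {directive_lowercase: value} for SSL* lines, last one wins.
    Blank and comment lines are skipped; names are case-insensitive as in httpd."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(SSL\w+)\s+(.*)$", line, re.IGNORECASE)
        if m:
            found[m.group(1).lower()] = m.group(2).strip()
    return found


def audit_ssl_conf(conf_text):
    """Return a list of findings; an empty list means all three checks passed."""
    d = parse_directives(conf_text)
    findings = []
    proto = d.get("sslprotocol")
    if proto is None:
        findings.append("SSLProtocol not set; httpd default applies")
    else:
        tokens = {t.lower() for t in proto.split()}
        # 'all' (or an explicit +SSLv3) enables SSLv3 unless -SSLv3 removes it
        if ("all" in tokens or "+sslv3" in tokens or "sslv3" in tokens) and "-sslv3" not in tokens:
            findings.append("SSLv3 still enabled (POODLE)")
    present = set(d.get("sslciphersuite", "").split(":"))
    for excl in REQUIRED_EXCLUSIONS:
        if excl not in present:
            findings.append("cipher string lacks %s" % excl)
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on; client picks the cipher")
    return findings
```

This is a static lint of the directive text only; the authoritative view of what a cipher string expands to on a given host is `openssl ciphers -v '<string>'` against the installed OpenSSL.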
Comment 3 Kurt Seifried 2016-04-14 12:16:22 EDT
Docs on most of our SSL/TLS services and how to configure them:

https://access.redhat.com/articles/1462183
Comment 4 Tomer Brisker 2016-06-27 08:15:34 EDT

*** This bug has been marked as a duplicate of bug 1153826 ***
