From CS/DS meeting of 08/29/2016 - TLS 1.2 requirements Must allow for restricting ciphers to TLS 1.2. This is something that should be tested by QE (and we need to document). mharmsen to file RHEL 6.9 pki-core BZ so QE can verify. Ask Christian to put details on configuration in the bug and set to MODIFIED.
I was able to restrict Dogtag to TLSv1.2 only by modifying /etc/pki-ca/server.xml and replacing every occurrence of sslVersionRangeStream="tls1_0:tls1_2" with sslVersionRangeStream="tls1_2:tls1_2":

# sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
# /sbin/service pki-cad restart pki-ca

(This also sets sslVersionRangeDatagram to tls1_2:tls1_2.)

I have verified cipher suites and TLS protocol version with sslscan, Firefox and curl. I have not checked if Dogtag is still able to connect to a LDAP server over TLSv1.2. There is no apparent reason that would prevent Dogtag from talking LDAPs TLSv1.2, though.
Created attachment 1196813 [details] test session and log output
Per request from aakkiang: Moving to ON_QA
Given there was no code change and this change was added to enable IdM TLS 1.2 configuration tracked in Bug 1367026, marking as TestOnly bug.
Created attachment 1225911 [details] testlog with TLS1.2

I see the output in the attachment after enabling TLSv1.2. I have also included the server.xml in the attached file. When running sslscan using the secure port (9443) I do not see any of the ciphers being accepted before and after restricting the version to TLS1.2. The CA was installed as part of ipa-server-install.
Did you restart the server? I only see the sed and sslscan commands in your log. After a restart the server should no longer accept any connections with TLS 1.0 and 1.1. From comment 2:

sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
/sbin/service pki-cad restart pki-ca
Created attachment 1227008 [details] testlog with TLS1.2

The attachment has the test results. I did ipa-server-install and ran sslscan on the secure and unsecure ports before and after restricting to TLS1.2. When performing sslscan on the secure port I see none of the ciphers are being accepted.
[root@ipaqa64vmh ~]# rpm -q pki-ca
pki-ca-9.0.3-51.el6.noarch
[root@ipaqa64vmh ~]# rpm -qi pki-ca
Name        : pki-ca                       Relocations: (not relocatable)
Version     : 9.0.3                        Vendor: Red Hat, Inc.
Release     : 51.el6                       Build Date: Mon 05 Dec 2016 04:45:59 PM EST
Install Date: Thu 08 Dec 2016 08:17:19 AM EST  Build Host: x86-029.build.eng.bos.redhat.com
Group       : System Environment/Daemons   Source RPM: pki-core-9.0.3-51.el6.src.rpm
Size        : 785389                       License: GPLv2
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Verification steps:

1. ipa-server-install
2. pk12util -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt -o ipacert.p12 -n ipaCert -W <password>
3. sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9443 and sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9444 should accept ciphers from TLS1.1 and TLS1.2
4. sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
5. /sbin/service pki-cad restart pki-ca
6. sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9443 and sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9444 should accept ciphers only from TLS1.2
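As an added example (not part of this bug report or of pki-core), a POSIX shell check that every sslVersionRangeStream and sslVersionRangeDatagram attribute in a server.xml is pinned to tls1_2:tls1_2, next to the sed change from comment 2, run offline against a constructed sample of the relevant Connector elements. The attribute names and the tls1_N:tls1_N range syntax are taken from the comments above; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example: verify that a Dogtag/Tomcat server.xml allows only TLS 1.2 on
# its connectors, and apply the sed fix from comment 2 of the bug.

# Return 0 if every sslVersionRange* attribute in FILE is exactly tls1_2:tls1_2,
# 1 if any connector still allows an older minimum or no attribute is present.
tls12_only_check() {
    file="$1"
    ranges=$(grep -o 'sslVersionRange[A-Za-z]*="[^"]*"' "$file" | sed 's/.*="\([^"]*\)"/\1/')
    [ -n "$ranges" ] || return 1
    for r in $ranges; do
        [ "$r" = "tls1_2:tls1_2" ] || return 1
    done
    return 0
}

# Rewrite any tls1_0:tls1_2 / tls1_1:tls1_2 range to tls1_2:tls1_2 in place
# (the command from comment 2); a copy of the original is kept as FILE.bak.
tls12_restrict() {
    sed -i.bak 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' "$1"
}

# Constructed sample of the relevant part of /etc/pki-ca/server.xml:
# both connectors still allow TLS 1.0 or 1.1 as the minimum version.
make_sample_server_xml() {
    cat > "$1" <<'EOF'
<Connector port="9443" sslEnabled="true"
           sslVersionRangeStream="tls1_0:tls1_2"
           sslVersionRangeDatagram="tls1_1:tls1_2" />
<Connector port="9444" sslEnabled="true"
           sslVersionRangeStream="tls1_0:tls1_2"
           sslVersionRangeDatagram="tls1_0:tls1_2" />
EOF
}

# Demo: the check fails before the fix and passes after it.
demo() {
    f=$(mktemp)
    make_sample_server_xml "$f"
    if tls12_only_check "$f"; then echo "already TLS 1.2 only"; else echo "older TLS still allowed"; fi
    tls12_restrict "$f"
    tls12_only_check "$f" && echo "TLS 1.2 only after fix"
    rm -f "$f" "$f.bak"
}
```

The file check only confirms the configuration; the server must still be restarted and probed with sslscan as in the steps above, since a running pki-cad keeps the ranges it read at startup.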
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0802.html