Description (Matthew Harmsen, 2016-08-29 22:05:04 UTC)
From CS/DS meeting of 08/29/2016 - TLS 1.2 requirements
Must allow for restricting ciphers to TLS 1.2. This is something that
should be tested by QE (and we need to document).
mharmsen to file RHEL 6.9 pki-core BZ so QE can verify.
Ask Christian to put details on configuration in the bug and set to MODIFIED.
I was able to restrict Dogtag to TLSv1.2 only by modifying /etc/pki-ca/server.xml and replacing every occurrence of sslVersionRangeStream="tls1_0:tls1_2" with sslVersionRangeStream="tls1_2:tls1_2":
# sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
# /sbin/service pki-cad restart pki-ca
(This also sets sslVersionRangeDatagram to tls1_2:tls1_2.)
I have verified cipher suites and TLS protocol version with sslscan, Firefox and curl. I have not checked if Dogtag is still able to connect to an LDAP server over TLSv1.2. There is no apparent reason that would prevent Dogtag from talking LDAPS over TLSv1.2, though.
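An added example, not part of the bug thread: a small POSIX shell script that applies the same sed rewrite to a constructed server.xml fragment and then checks that no sslVersionRangeStream or sslVersionRangeDatagram attribute still admits TLS 1.0 or 1.1. The connector lines in the sample are constructed here; only the attribute names, the tls1_2:tls1_2 value and the sed expression come from the comment above.

```shell
#!/bin/sh
# Added example (not from the bug report): pin the Dogtag/Tomcat JSS connector
# to TLS 1.2 only and verify the on-disk result, offline, on a constructed
# server.xml fragment.

# Write a constructed sample of the relevant Connector lines to a temp file
# and print its path. The attribute values mirror the defaults the comment
# above replaces; the rest of the element is invented for this example.
make_sample_server_xml() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
<Connector name="Secure" port="9443" protocol="HTTP/1.1" SSLEnabled="true"
    sslVersionRangeStream="tls1_0:tls1_2"
    sslVersionRangeDatagram="tls1_1:tls1_2"
    sslRangeCiphers="+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
EOF
  echo "$f"
}

# Rewrite every range whose minimum is tls1_0 or tls1_1 to tls1_2:tls1_2.
# Same sed expression as in the comment above, applied in place with a
# .bak copy kept beside the file so the change can be rolled back.
restrict_to_tls12() {
  sed -i.bak 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' "$1"
}

# Succeed (exit 0) only when no sslVersionRange* attribute still starts
# its range below tls1_2; fail otherwise.
check_tls12_only() {
  ! grep -Eq 'sslVersionRange(Stream|Datagram)="tls1_[01]:' "$1"
}

# Count the lines that are now pinned to tls1_2:tls1_2.
count_pinned() {
  grep -c 'tls1_2:tls1_2' "$1"
}
```

The grep check only confirms what is on disk; as the later comments in this thread point out, the server has to be restarted before a scan of port 9443 reflects the new range.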
Created attachment 1225911: testlog with TLS1.2
I see the output in the attachment after enabling TLSv1.2. I have also included the server.xml in the attached file. When running sslscan using the secure port (9443) I do not see any of the ciphers being accepted before and after restricting the version to TLS1.2. The CA was installed as part of ipa-server-install.
Did you restart the server? I only see the sed and sslscan commands in your log. After a restart the server should no longer accept any connections with TLS 1.0 and 1.1.
From comment 2:
sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
/sbin/service pki-cad restart pki-ca
Created attachment 1227008: testlog with TLS1.2
The attachment has the test results. I did ipa-server-install and ran sslscan on the secure and unsecure ports before and after restricting to TLS1.2. When performing sslscan on the secure port I see none of the ciphers are being accepted.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2017-0802.html