Bug 1371315 - Allow restricting ciphers to TLS 1.2
Summary: Allow restricting ciphers to TLS 1.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pki-core
Version: 6.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 6.9
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1367026 1403694
Reported: 2016-08-29 22:05 UTC by Matthew Harmsen
Modified: 2017-03-21 11:59 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Per comment #5, this bug has been marked as TestOnly, and thus requires no documentation.
Clone Of:
Environment:
Last Closed: 2017-03-21 11:59:22 UTC
Target Upstream Version:
Embargoed:


Attachments
test session and log output (6.82 KB, text/plain)
2016-09-01 12:39 UTC, Christian Heimes
testlog with TLS1.2 (87.34 KB, text/plain)
2016-11-29 16:04 UTC, Roshni
testlog with TLS1.2 (141.37 KB, text/plain)
2016-12-01 19:59 UTC, Roshni


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0802 0 normal SHIPPED_LIVE pki-core bug fix update 2017-03-21 12:51:24 UTC

Description Matthew Harmsen 2016-08-29 22:05:04 UTC
From CS/DS meeting of 08/29/2016 - TLS 1.2 requirements

    Must allow for restricting ciphers to TLS 1.2.  This is something that
    should be tested by QE (and we need to document).

    mharmsen to file RHEL 6.9 pki-core BZ so QE can verify.

    Ask Christian to put details on configuration in the bug and set to MODIFIED.

Comment 2 Christian Heimes 2016-09-01 12:39:09 UTC
I was able to restrict Dogtag to TLSv1.2 only by modifying /etc/pki-ca/server.xml and replacing every occurrence of sslVersionRangeStream="tls1_0:tls1_2" with sslVersionRangeStream="tls1_2:tls1_2":

# sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
# /sbin/service pki-cad restart pki-ca

(This also sets sslVersionRangeDatagram to tls1_2:tls1_2.)

I have verified cipher suites and TLS protocol version with sslscan, Firefox and curl. I have not checked if Dogtag is still able to connect to an LDAP server over TLSv1.2. There is no apparent reason that would prevent Dogtag from talking LDAPs TLSv1.2, though.

Comment 3 Christian Heimes 2016-09-01 12:39:51 UTC
Created attachment 1196813 [details]
test session and log output

Comment 4 Matthew Harmsen 2016-11-14 19:36:18 UTC
Per request from aakkiang: Moving to ON_QA

Comment 5 Martin Kosek 2016-11-15 14:33:46 UTC
Given there was no code change and this change was added to enable IdM TLS 1.2 configuration tracked in Bug 1367026, marking as TestOnly bug.

Comment 6 Roshni 2016-11-29 16:04:14 UTC
Created attachment 1225911 [details]
testlog with TLS1.2

I see the output in the attachment after enabling TLSv1.2. I have also included the server.xml in the attached file. When running sslscan using the secure port (9443) I do not see any of the ciphers being accepted before and after restricting the version to TLS1.2. The ca was installed as part of ipa-server-install.

Comment 7 Christian Heimes 2016-11-30 18:04:43 UTC
Did you restart the server? I only see the sed and sslscan commands in your log. After a restart the server should no longer accept any connections with TLS 1.0 and 1.1.

From comment 2:

sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
/sbin/service pki-cad restart pki-ca

Comment 8 Roshni 2016-12-01 19:59:32 UTC
Created attachment 1227008 [details]
testlog with TLS1.2

The attachment has the test results. I did ipa-server-install and ran sslscan on the secure and unsecure ports before and after restricting to TLS1.2. When performing sslscan on the secure port I see none of the ciphers are being accepted.

Comment 10 Roshni 2016-12-08 18:39:04 UTC
[root@ipaqa64vmh ~]# rpm -q pki-ca
pki-ca-9.0.3-51.el6.noarch
[root@ipaqa64vmh ~]# rpm -qi pki-ca
Name        : pki-ca                       Relocations: (not relocatable)
Version     : 9.0.3                             Vendor: Red Hat, Inc.
Release     : 51.el6                        Build Date: Mon 05 Dec 2016 04:45:59 PM EST
Install Date: Thu 08 Dec 2016 08:17:19 AM EST      Build Host: x86-029.build.eng.bos.redhat.com
Group       : System Environment/Daemons    Source RPM: pki-core-9.0.3-51.el6.src.rpm
Size        : 785389                           License: GPLv2
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority


Verification steps:

1. ipa-server-install
2. pk12util -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt -o ipacert.p12 -n ipaCert -W <password>
3. sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9443 and sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9444 should accept ciphers from TLS1.1 and TLS1.2
4. sed -i 's/tls1_[01]:tls1_2/tls1_2:tls1_2/g' /etc/pki-ca/server.xml
5. /sbin/service pki-cad restart pki-ca
6. sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9443 and sslscan --pk=ipacert.p12 --pkpass=<password> --ipv4 ipaqa64vmh.idmqe.lab.eng.bos.redhat.com:9444 should accept ciphers only from TLS1.2
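
The sed one-liner in comments 2 and 10 rewrites every sslVersionRangeStream/sslVersionRangeDatagram value in server.xml blindly, and the verification then depends on an external sslscan run. The following script is an added example, not code from this bug or from the pki-core project: it parses a server.xml-style document, reports every SSL-enabled Connector whose version range still admits a protocol older than TLS 1.2, and raises the floor in a structure-aware way. The sample XML is constructed for the example and only mirrors the attribute names quoted in the comments; the NSS version tokens (ssl3, tls1_0, tls1_1, tls1_2) are assumed to be the complete set in use.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of /etc/pki-ca/server.xml (not the real
# file): one connector still allows TLS 1.0/1.1, one is already TLS 1.2-only.
SAMPLE_SERVER_XML = """
<Server port="9701" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector name="Secure" port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               sslVersionRangeStream="tls1_0:tls1_2"
               sslVersionRangeDatagram="tls1_1:tls1_2"/>
    <Connector name="Unsecure" port="9180" protocol="HTTP/1.1"/>
    <Connector name="Agent" port="9444" protocol="HTTP/1.1" SSLEnabled="true"
               sslVersionRangeStream="tls1_2:tls1_2"
               sslVersionRangeDatagram="tls1_2:tls1_2"/>
  </Service>
</Server>
"""

# Assumed ordering of the NSS protocol tokens used in the range attributes.
VERSION_ORDER = ["ssl3", "tls1_0", "tls1_1", "tls1_2"]
RANGE_ATTRS = ("sslVersionRangeStream", "sslVersionRangeDatagram")


def parse_range(value):
    """Split a 'min:max' range into (min, max); reject unknown tokens so a
    typo in the config is reported instead of silently treated as secure."""
    lo, sep, hi = value.partition(":")
    if not sep or lo not in VERSION_ORDER or hi not in VERSION_ORDER:
        raise ValueError(f"unrecognised version range: {value!r}")
    return lo, hi


def _ssl_connectors(root):
    """Yield only connectors that actually terminate TLS."""
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            yield conn


def find_weak_connectors(xml_text, minimum="tls1_2"):
    """Return (name, port, attribute, value) for every range whose floor is
    below `minimum`, i.e. every place an old protocol is still negotiable."""
    root = ET.fromstring(xml_text)
    floor = VERSION_ORDER.index(minimum)
    findings = []
    for conn in _ssl_connectors(root):
        for attr in RANGE_ATTRS:
            value = conn.get(attr)
            if value is None:
                continue
            lo, _hi = parse_range(value)
            if VERSION_ORDER.index(lo) < floor:
                findings.append((conn.get("name"), conn.get("port"), attr, value))
    return findings


def raise_minimum(xml_text, minimum="tls1_2"):
    """Return (new_xml, number_of_ranges_changed) with every floor lifted to
    `minimum`. If a range's ceiling is also below the floor (e.g. tls1_0:tls1_1)
    the ceiling is lifted too, so the result is never an inverted range."""
    root = ET.fromstring(xml_text)
    floor = VERSION_ORDER.index(minimum)
    changed = 0
    for conn in _ssl_connectors(root):
        for attr in RANGE_ATTRS:
            value = conn.get(attr)
            if value is None:
                continue
            lo, hi = parse_range(value)
            if VERSION_ORDER.index(lo) < floor:
                new_hi = hi if VERSION_ORDER.index(hi) >= floor else minimum
                conn.set(attr, f"{minimum}:{new_hi}")
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for name, port, attr, value in find_weak_connectors(SAMPLE_SERVER_XML):
        print(f"connector {name} (port {port}): {attr}={value} allows pre-TLS1.2")
    fixed, count = raise_minimum(SAMPLE_SERVER_XML)
    print(f"raised {count} range(s); remaining weak: {find_weak_connectors(fixed)}")
```

Running the check before and after the edit, as the verification steps above do with sslscan, gives a config-level confirmation that no SSL-enabled connector was missed; the network-side sslscan run remains the authoritative proof that the restarted service actually enforces the new floor.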

Comment 12 errata-xmlrpc 2017-03-21 11:59:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0802.html
