Description of problem:
Security scan detected a weak cipher within smart_proxy_dynflow_core service (port 8008)

Version-Release number of selected component (if applicable):
0.1.3-1.el7

How reproducible:
ALWAYS

Steps to Reproduce:
1. systemctl start smart_proxy_dynflow_core.service
2. nmap --script +ssl-enum-ciphers localhost -p 8008

Actual results:
# nmap --script +ssl-enum-ciphers localhost -p 8008

Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-24 13:44 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (2000s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
8008/tcp open  http
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: weak

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds

Expected results:
|_  least strength: strong

Additional info:
Would be nice to control both the protocols and ciphers that are used.
Created redmine issue http://projects.theforeman.org/issues/17078 from this bug
Upstream bug component is Tasks Plugin
Upstream bug assigned to aruzicka
Upstream bug component is Remote Execution
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17078 has been resolved.
Adding Foreman#19956 as it makes the installer compatible.
*** Bug 1473816 has been marked as a duplicate of this bug. ***
While we're at it, in addition to making ciphers configurable, the cipher set enabled by default should be stronger. We have customers requesting stronger default ciphers on smart_proxy_dynflow_core. If you tell me this belongs in an RFE instead of in this bz I'll gladly go and create an RFE.
Verified:

Version tested:
satellite-6.3.0-16.0.beta.el7sat.noarch
tfm-rubygem-smart_proxy_dynflow_core-0.1.6-2.fm1_15.el7sat.noarch

[root@hp-ml370g6-01 ~]# nmap --script +ssl-enum-ciphers localhost -p 8008

Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-09 05:33 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (660s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
8008/tcp open  http
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
This bug required an additional PR upstream to fully disable weak ciphers and stick to TLS 1.2 only: http://projects.theforeman.org/issues/22391. Moving this bug back to POST.
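An added example, not part of this bug report or of the smart_proxy_dynflow_core project: a small policy check over `nmap --script ssl-enum-ciphers` output that applies the stricter criterion stated in the comment above (TLS 1.2 only, no weak suites) instead of trusting Nmap 6.40's own strength labels, which in the scans on this page still mark the RC4 and 3DES suites as "strong". It parses the protocol and cipher lines, fails the listener for any protocol outside an allow-list and for any suite built on RC4, 3DES/DES, IDEA, SEED, NULL, export or MD5 constructions, and emits an informational note for suites with static RSA key exchange (the `TLS_RSA_*` names, which offer no forward secrecy). The two scan samples are constructed and abridged in the layout the scans above use; the function names and the marker list are my own choices, not an nmap or Foreman API.

```python
import re

# Constructed, abridged samples in the layout that `nmap --script +ssl-enum-ciphers`
# printed in this report (Nmap 6.40 style: "<suite> - <strength>"); not copied verbatim.
BEFORE_FIX = """\
PORT     STATE SERVICE
8008/tcp open  http
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: weak
"""

AFTER_FIX = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|_  least strength: strong
"""

PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1(?:\.[0-3])?):\s*$")
# Also tolerates newer nmap lines such as "TLS_... (rsa 2048) - A".
SUITE_RE = re.compile(r"^(TLS_[A-Z0-9_]+)(?:\s+\([^)]*\))?\s+-\s+(\S+)")

# Substrings that disqualify a suite regardless of the grade nmap printed next to it.
WEAK_MARKERS = ("RC4", "3DES", "DES_CBC", "IDEA", "SEED", "NULL", "EXPORT", "_anon_", "_MD5")


def parse_enum_ciphers(text):
    """Map each protocol version to the (suite, nmap_grade) pairs listed under it."""
    suites = {}
    proto = None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()   # drop nmap's "| " / "|_" gutter
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            suites.setdefault(proto, [])
            continue
        m = SUITE_RE.match(line)
        if m and proto is not None:
            suites[proto].append((m.group(1), m.group(2)))
    return suites


def check_policy(suites, allowed_protocols=frozenset({"TLSv1.2", "TLSv1.3"})):
    """Return (severity, message) findings; any 'fail' entry means the listener is non-compliant."""
    findings = []
    for proto in sorted(suites):
        if proto not in allowed_protocols:
            findings.append(("fail", f"{proto} is offered; allowed: {sorted(allowed_protocols)}"))
        for suite, grade in suites[proto]:
            marker = next((w for w in WEAK_MARKERS if w in suite), None)
            if marker:
                findings.append(("fail", f"{proto}: {suite} uses {marker.strip('_')} "
                                         f"(nmap graded it '{grade}')"))
            elif "_DHE_" not in suite and "_ECDHE_" not in suite:
                # Static RSA key exchange: a later key compromise decrypts recorded traffic.
                findings.append(("info", f"{proto}: {suite} has no forward secrecy"))
    return findings


def passes(text, allowed_protocols=frozenset({"TLSv1.2", "TLSv1.3"})):
    """True when the scan text produces no 'fail' findings under the policy."""
    findings = check_policy(parse_enum_ciphers(text), allowed_protocols)
    return not any(sev == "fail" for sev, _ in findings)


if __name__ == "__main__":
    for label, scan in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(f"== {label}: {'PASS' if passes(scan) else 'FAIL'}")
        for sev, msg in check_policy(parse_enum_ciphers(scan)):
            print(f"  [{sev}] {msg}")
```

Run against real output by piping the scan into the parser (`nmap --script +ssl-enum-ciphers HOST -p 8008 | python3 -c '...'`). With the default allow-list the "after fix" sample still fails, for the same reason the comment above gives: TLSv1.1 is offered, even though every suite under it is AES. Widening `allowed_protocols` to include TLSv1.1 makes that sample pass, which mirrors the state of the verification scan before the follow-up PR.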
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336
I can confirm that the changes involved in this BZ are delivered as part of 6.3.