Bug 1388198 - smart_proxy_dynflow_core weak cipher
Summary: smart_proxy_dynflow_core weak cipher
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Remote Execution
Version: 6.2.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: Adam Ruzicka
QA Contact: Daniel Lobato Garcia
URL:
Whiteboard:
Duplicates: 1473816
Depends On:
Blocks: 1545876 1548093
 
Reported: 2016-10-24 17:49 UTC by mike.beachler
Modified: 2023-09-07 18:47 UTC

Fixed In Version: foreman-installer-1.15.6.8-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1548093
Environment:
Last Closed: 2018-02-21 16:54:17 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 17078 0 Normal Closed smart_proxy_dynflow_core weak cipher 2020-07-15 04:39:51 UTC
Foreman Issue Tracker 19956 0 Normal Closed Installer should allow ssl_disabled_ciphers to be set for dynflow_core 2020-07-15 04:39:51 UTC

Description mike.beachler 2016-10-24 17:49:14 UTC
Description of problem: Security scan detected a weak cipher within smart_proxy_dynflow_core service (port 8008)


Version-Release number of selected component (if applicable): 0.1.3-1.el7


How reproducible:
ALWAYS

Steps to Reproduce:
1. systemctl start smart_proxy_dynflow_core.service
2. nmap --script +ssl-enum-ciphers localhost -p 8008

Actual results:
# nmap --script +ssl-enum-ciphers localhost -p 8008

Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-24 13:44 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (2000s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
8008/tcp open  http
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: weak

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds


Expected results:
|_  least strength: strong

Additional info:
Would be nice to control both the protocols and ciphers that are used.

Comment 1 Ivan Necas 2016-10-24 18:07:57 UTC
Created redmine issue http://projects.theforeman.org/issues/17078 from this bug

Comment 2 Bryan Kearney 2016-10-24 20:20:23 UTC
Upstream bug component is Tasks Plugin

Comment 3 Bryan Kearney 2016-10-25 12:20:30 UTC
Upstream bug assigned to aruzicka

Comment 4 Bryan Kearney 2016-10-25 12:20:33 UTC
Upstream bug component is Remote Execution

Comment 5 Bryan Kearney 2016-10-25 12:20:35 UTC
Upstream bug assigned to aruzicka

Comment 7 Bryan Kearney 2016-11-22 15:20:34 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17078 has been resolved.

Comment 9 Sean O'Keeffe 2017-06-07 14:05:37 UTC
Adding Foreman#19956 as it makes the installer compatible.

Comment 10 Pablo Hess 2017-07-24 14:46:58 UTC
*** Bug 1473816 has been marked as a duplicate of this bug. ***

Comment 11 Pablo Hess 2017-08-02 13:48:39 UTC
While we're at it, in addition to making ciphers configurable, the cipher set enabled by default should be stronger. We have customers requesting stronger default ciphers on smart_proxy_dynflow_core.

If you tell me this belongs in an RFE instead of in this bz I'll gladly go and create an RFE.

Comment 12 Daniel Lobato Garcia 2017-08-09 09:35:40 UTC
Verified:

Version tested:

satellite-6.3.0-16.0.beta.el7sat.noarch
tfm-rubygem-smart_proxy_dynflow_core-0.1.6-2.fm1_15.el7sat.noarch


[root@hp-ml370g6-01 ~]# nmap --script +ssl-enum-ciphers localhost -p 8008

Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-09 05:33 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (660s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
8008/tcp open  http
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
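The two scans above (the reporter's 0.1.3 service and the 0.1.6 build verified in Comment 12) were both graded by nmap 6.40, whose built-in grading still calls RC4 and 3DES suites "strong" and only flags IDEA. The script below is an added example by the editor, not code from the reporter, QA, Red Hat or the Foreman project: it parses ssl-enum-ciphers text output and re-grades it under a current policy (RC4 prohibited by RFC 7465, 3DES weak to Sweet32, TLS 1.0/1.1 deprecated by RFC 8996, static RSA key exchange without forward secrecy). The embedded samples are constructed abridgements of the two scans on this page. Run against the verified output it still returns "weak", because TLSv1.1 is still offered and every remaining suite is TLS_RSA_WITH_* (no forward secrecy), which is the gap Comment 25 describes.

```python
"""Re-grade nmap ssl-enum-ciphers output under a current TLS policy (editor's example)."""
import re

# Suites a current policy rejects whatever the scanner's own grading says
# (RC4: RFC 7465; 3DES: Sweet32; IDEA and SEED: legacy national ciphers).
WEAK_SUITE_PATTERNS = {
    "RC4": re.compile(r"_RC4_"),
    "3DES": re.compile(r"_3DES_"),
    "IDEA": re.compile(r"_IDEA_"),
    "SEED": re.compile(r"_SEED_"),
    "MD5 MAC": re.compile(r"_MD5$"),
    "NULL/EXPORT/anon": re.compile(r"_NULL_|EXPORT|_anon_"),
}
# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2/SSLv3 long before that.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_ssl_enum_ciphers(output):
    """Map each protocol version in the script output to its suite names."""
    suites, proto = {}, None
    for raw in output.splitlines():
        line = raw.strip().lstrip("|_").strip()      # drop nmap's "|  " gutter
        header = re.match(r"^(SSLv\d|TLSv1\.\d):$", line)
        if header:
            proto = header.group(1)
            suites[proto] = []
            continue
        suite = re.match(r"^(TLS_[A-Z0-9_]+)", line)  # "TLS_... - strong"
        if suite and proto is not None:
            suites[proto].append(suite.group(1))
    return suites


def assess(suites):
    """Apply the policy above; returns findings keyed by category."""
    weak, static_rsa = {}, set()
    for names in suites.values():
        for name in names:
            for label, pattern in WEAK_SUITE_PATTERNS.items():
                if pattern.search(name):
                    weak[name] = label
                    break
            # TLS_RSA_WITH_* is static RSA key exchange: no forward secrecy,
            # so a later server-key compromise decrypts recorded sessions.
            if name.startswith("TLS_RSA_WITH_"):
                static_rsa.add(name)
    return {
        "legacy_protocols": sorted(p for p in suites if p in LEGACY_PROTOCOLS),
        "weak_suites": weak,
        "no_forward_secrecy": sorted(static_rsa),
    }


def policy_verdict(findings):
    """The one-word verdict nmap prints as 'least strength', under this policy."""
    if findings["weak_suites"] or findings["legacy_protocols"]:
        return "weak"
    return "strong"


def scan_report(output):
    findings = assess(parse_ssl_enum_ciphers(output))
    findings["verdict"] = policy_verdict(findings)
    return findings


# Constructed samples, abridged from the two scans in this bug: the 0.1.3
# service as reported, and the 0.1.6 build that QA verified.
BEFORE_FIX = """\
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|_  least strength: weak
"""
AFTER_FIX = """\
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|_  least strength: strong
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        r = scan_report(sample)
        print(f"{label}: {r['verdict']}; legacy={r['legacy_protocols']}; "
              f"weak={sorted(r['weak_suites'])}; no-PFS={len(r['no_forward_secrecy'])}")
```

To use it on a live host, pipe the real scan in (for example `nmap --script ssl-enum-ciphers -p 8008 <host> | python3 regrade.py`, reading stdin instead of the constructed samples); the parser only depends on the `|`-gutter text format, so newer nmap releases that print letter grades parse the same way.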

Comment 25 Mike McCune 2018-01-30 17:20:29 UTC
This bug required an additional PR upstream to fully disable weak ciphers and stick to TLS 1.2 only:

http://projects.theforeman.org/issues/22391

moving this bug back to POST

Comment 27 Satellite Program 2018-02-21 16:54:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

Comment 29 Ivan Necas 2018-05-17 11:37:08 UTC
I can confirm that the changes involved in this BZ are delivered as part of 6.3.

