Bug 1388198
| Summary: | smart_proxy_dynflow_core weak cipher | |||
|---|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | mike.beachler | |
| Component: | Remote Execution | Assignee: | Adam Ruzicka <aruzicka> | |
| Status: | CLOSED ERRATA | QA Contact: | Daniel Lobato Garcia <dlobatog> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 6.2.2 | CC: | adprice, ajoseph, anazmy, bbuckingham, dlobatog, ehelms, hshukla, inecas, jcallaha, linux, lpramuk, mirko.schmidt, mmccune, mmithaiw, nitthoma, oshtaier, phess, pmutha, sokeeffe, sraut, xdmoon | |
| Target Milestone: | Unspecified | Keywords: | PrioBumpGSS, Triaged | |
| Target Release: | Unused | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | foreman-installer-1.15.6.8-1 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1548093 (view as bug list) | Environment: | ||
| Last Closed: | 2018-02-21 16:54:17 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1545876, 1548093 | |||
|
Description
mike.beachler
2016-10-24 17:49:14 UTC
Created redmine issue http://projects.theforeman.org/issues/17078 from this bug Upstream bug component is Tasks Plugin Upstream bug assigned to aruzicka Upstream bug component is Remote Execution Upstream bug assigned to aruzicka Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17078 has been resolved. Adding Foreman#19956 As it make the installer compatible. *** Bug 1473816 has been marked as a duplicate of this bug. *** While we're at it, in addition to making ciphers configurable, the cipher set enabled by default should be stronger. We have customers requesting stronger default ciphers on smart_proxy_dynflow_core. If you tell me this belongs in an RFE instead of in this bz I'll gladly go and create an RFE. Verified:
Version tested:
satellite-6.3.0-16.0.beta.el7sat.noarch
tfm-rubygem-smart_proxy_dynflow_core-0.1.6-2.fm1_15.el7sat.noarch
[root@hp-ml370g6-01 ~]# nmap --script +ssl-enum-ciphers localhost -p 8008
Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-09 05:33 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (660s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
8008/tcp open http
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
This bug required an additional PR upstream to fully disable weak ciphers and stick to TLS 1.2 only: http://projects.theforeman.org/issues/22391 moving this bug back to POST Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
>
> For information on the advisory, and where to find the updated files, follow the link below.
>
> If the solution does not work for you, open a new bug report.
>
> https://access.redhat.com/errata/RHSA-2018:0336
I can confirm that the changes involved in this BZ are delivered as part of the 6.3. |