Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

It was found that openwsman-server might possibly use TripleDES encryption which would make it vulnerable against SWEET. 

Reference:

https://bugzilla.novell.com/show_bug.cgi?id=1034689

Upstream patches:

https://github.com/Openwsman/openwsman/commit/13b9432758ac772c5aac60d19cd9c7021fa1ea4c
https://github.com/Openwsman/openwsman/commit/0d586a3863a5a30ee0fa34545db99889bb7a4c39

A little note:

    ssl_cipher_list=

seems to behave differently than eg. `openssl ciphers ''`.  The latter would disable all ciphers, while the former just leaves the default settings (not calling  SSL_CTX_set_cipher_list() at all).

I've raised the question on openwsman-devel list (no reply yet).

    https://sourceforge.net/p/openwsman/mailman/openwsman-devel/?viewmonth=201802

Tested manually on x86_64.  (I have also created automated test, but it's failing for other reasons so I have not added it to suite yet.)

Turns out that there are multiple ciphers that openwsmand does not really enable, for example:

 *  all EC ciphers (bug 1547144),

 *  some SSLv3 ciphers (eg. ADH-DES-CBC3-SHA), despite sslv3 not being disabled
    by ssl_disable protocols, and openssl ciphers listing the cipher),

 *  probably some others (I haven't done exhaustive test).

Anyway, the main functionality has been implemented; most ciphers work and most importantly, 3DES can be disabled by eg. `ssl_cipher_list=DEFAULT:!3DES`.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0829