Bug 1463602 - Capsule 05-pulp-https.conf ssl protocols does not disable sslv3 triggering RedHat Insights Action
Status: VERIFIED
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
Version: 6.2.9
Priority: unspecified, Severity: high
Target Milestone: Beta
Assigned To: satellite6-bugs
QA Contact: Radovan Drazny
Keywords: Triaged
Blocks: 1122832
Reported: 2017-06-21 05:56 EDT by Peter Vreman
Modified: 2017-10-12 10:36 EDT
Description Peter Vreman 2017-06-21 05:56:54 EDT
Description of problem:
The Capsule configuration triggers a RedHat Insights Action "Man-in-the-middle attack exposed via httpd when using SSLv3" aka POODLE

The /etc/httpd/conf.d/05-pulp-https.conf configuration file does not disable SSLv3:

[crash/LI] root@li-lc-1589:~# grep -R SSLProto /etc/httpd/
/etc/httpd/conf.d/05-pulp-https.conf:  SSLProtocol              all -SSLv2
/etc/httpd/conf.d/25-puppet.conf:  SSLProtocol             ALL -SSLv2 -SSLv3
/etc/httpd/conf.modules.d/ssl.conf:  SSLProtocol all -SSLv2 -SSLv3



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Register Capsule to RedHat Insights
2. Check Actions for Capsule hosts
3.

Actual results:
Open Insights Security Actions for the Capsule


Expected results:
RedHat Insights shows no Actions


Additional info:
Comment 1 Ewoud Kohl van Wijngaarden 2017-09-04 10:51:48 EDT
Upstream this was fixed in https://github.com/Katello/puppet-pulp/commit/145cfadc0b53204514938f839e116778084e5311 and released as puppet-pulp 3.5.0. It wasn't part of the original katello 3.2 which shipped puppet-pulp 3.4.0
Comment 3 Ewoud Kohl van Wijngaarden 2017-09-05 05:32:25 EDT
This should already be in sat 6.3.
Comment 5 Peter Vreman 2017-09-05 10:50:17 EDT
Can you update the target milestone to match when it will be included?
Comment 6 Marek Hulan 2017-09-05 10:55:44 EDT
Peter, it's not yet clear what version this will land in. Right now the plan is to deliver it in a future Satellite 6.3 release.
Comment 7 Radovan Drazny 2017-10-12 10:36:18 EDT
Verified on Satellite 6.3 Snap 19. As there currently is no easy way for Satellite 6.3 installed from scratch to register to RHAI, I have installed a Sat 6.2 server, registered it to prod, and then upgraded to Satellite 6.3. 

RHAI for Sat 6.2 Capsule server shows action as described in the initial report.
After upgrade and refresh of RHAI data, there is no action required for the Sat 6.3 Capsule server.

On the Capsule server SSLv3 is disabled:

$ grep -R SSLProto /etc/httpd/
/etc/httpd/conf.d/05-pulp-https.conf:  SSLProtocol             all -SSLv2 -SSLv3
/etc/httpd/conf.d/25-puppet.conf:  SSLProtocol             ALL -SSLv2 -SSLv3
/etc/httpd/conf.d/ssl.conf:  SSLProtocol all -SSLv2 -SSLv3

VERIFIED
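
An added example, not part of the bug report or of the Satellite installer: a POSIX shell check that reads grep -R SSLProto /etc/httpd/ output like that quoted in the description and in comment 7, and prints every SSLProtocol line that still leaves SSLv3 enabled. The function names are hypothetical, and the left-to-right token handling (a bare protocol name replaces the set built so far) is an assumption about how mod_ssl evaluates the directive.

```sh
# Added example: report SSLProtocol lines that still allow SSLv3, the
# condition behind the Insights POODLE action described in this bug.

# sslv3_enabled TOKEN... -> exit 0 if SSLv3 remains enabled.
# Tokens apply left to right: "+X" adds, "-X" removes, and a bare name
# replaces everything set so far (assumed mod_ssl handling, see lead-in).
sslv3_enabled() (
    on=0
    for tok in "$@"; do
        tok=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
        case "$tok" in
            all|+all|sslv3|+sslv3) on=1 ;;   # set now includes SSLv3
            -all|-sslv3)           on=0 ;;   # explicitly removed
            [+-]*)                 ;;        # other protocol added or removed
            *)                     on=0 ;;   # bare other name replaces the set
        esac
    done
    [ "$on" -eq 1 ]
)

# audit_sslprotocol: read config lines, or "file:  SSLProtocol ..." lines as
# printed by grep -R, on stdin. Print each line that leaves SSLv3 enabled;
# exit 1 if any was printed, 0 otherwise. Commented-out lines do not match.
audit_sslprotocol() (
    bad=0
    while IFS= read -r line; do
        args=$(printf '%s\n' "$line" | tr '[:upper:]' '[:lower:]' |
            sed -n 's/^\([^:]*:\)\{0,1\}[[:space:]]*sslprotocol[[:space:]]\{1,\}\(.*\)$/\2/p')
        [ -n "$args" ] || continue
        # Unquoted on purpose: split the directive arguments into tokens.
        if sslv3_enabled $args; then
            printf '%s\n' "$line"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
)

# Sample input: the grep output quoted in the bug description (Sat 6.2 Capsule).
sample_before() {
    cat <<'EOF'
/etc/httpd/conf.d/05-pulp-https.conf:  SSLProtocol              all -SSLv2
/etc/httpd/conf.d/25-puppet.conf:  SSLProtocol             ALL -SSLv2 -SSLv3
/etc/httpd/conf.modules.d/ssl.conf:  SSLProtocol all -SSLv2 -SSLv3
EOF
}

sample_before | audit_sslprotocol || echo "SSLv3 still enabled in the lines above"
```

On a live host the same check can be fed directly: grep -R SSLProto /etc/httpd/ | audit_sslprotocol.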
