Bug 1469169 - Weak ciphers (3DES) should not be enabled by default anymore
Weak ciphers (3DES) should not be enabled by default anymore
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core (Show other bugs)
7.4
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: RHCS Maintainers
Asha Akkiangady
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-10 10:48 EDT by Thorsten Scherf
Modified: 2017-11-02 21:20 EDT (History)
3 users (show)

See Also:
Fixed In Version: pki-core-10.5.1-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: Previously we had some 3DES based ciphers still enabled within the dogtag server. This is technically considered ok, due to the fact that these ciphers are still considered marginally acceptable at this point. Consequence: We decided that it would be better to disable these ciphers by default but still have them available to be reintroduced if desired by the user. Fix: We have disabled said ciphers by default. Result: Now a brand new installation of the server will run with well regarded ciphers available only, increasing security.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Thorsten Scherf 2017-07-10 10:48:44 EDT
Description of problem:

I see the following two ciphers enabled by default in the base/server/share/conf/ciphers.info file:

+TLS_RSA_WITH_3DES_EDE_CBC_SHA
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Can we disable those ciphers by default so that they need to be explicitly enabled in case they are needed?

Version-Release number of selected component (if applicable):
pki-core-10.4.1

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Jack Magne 2017-10-31 20:21:45 EDT
commit 5ada777e54d0e79588c5516e18eefdbccbe36cea
Author: Jack Magne <jmagne@redhat.com>
Date:   Wed Oct 4 10:50:46 2017 -0700

    Fix Weak ciphers (3DES) should not be enabled by default anymore.
   
    Ticket: https://pagure.io/dogtagpki/issue/2821
   
    This fix simply does the following:
   
    1.  Makes sure that the ciphers below are not enabled by default on new
    installations of a CS subsystem:
   
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
   
    2. The informational text file ciphers.info has been updated to reflect the change.
   
    To restate, this only affects brand new installs. Existing instances will have to be
    modified manually, but this is not a huge task.

    3. Since the idea was to remove 3DES related ciphers, decided to disable the rest of
    those involving 3DES. They can be rescued if required by the user.

    Change-Id: I1fbef9fbe0fa509a65e167161e30f41204d4197d

commit 78e4bbc4b696b52036fa18caff5f92c02dc80d88

Note You need to log in before you can comment on or make changes to this bug.