Bug 1469169 - Weak ciphers (3DES) should not be enabled by default anymore
Weak ciphers (3DES) should not be enabled by default anymore
Status: VERIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core (Show other bugs)
7.4
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: Jack Magne
Asha Akkiangady
Marc Muehlfeld
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-10 10:48 EDT by Thorsten Scherf
Modified: 2018-01-18 04:40 EST (History)
4 users (show)

See Also:
Fixed In Version: pki-core-10.5.1-1.el7
Doc Type: Enhancement
Doc Text:
Certificate System disables weak 3DES ciphers by default By default, Certificate System now disables ciphers based on the weak Triple Data Encryption Standard (3DES). This increases the security of the system. However, administrators are able to enable these ciphers again, if needed. For details, see https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/configuring-ciphers. As a result, new Certificate System installations have only strong ciphers enabled by default.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Thorsten Scherf 2017-07-10 10:48:44 EDT
Description of problem:

I see the following two ciphers enabled by default in the base/server/share/conf/ciphers.info file:

+TLS_RSA_WITH_3DES_EDE_CBC_SHA
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Can we disable those ciphers by default so that they need to be explicitly enabled in case they are needed?

Version-Release number of selected component (if applicable):
pki-core-10.4.1

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Jack Magne 2017-10-31 20:21:45 EDT
commit 5ada777e54d0e79588c5516e18eefdbccbe36cea
Author: Jack Magne <jmagne@redhat.com>
Date:   Wed Oct 4 10:50:46 2017 -0700

    Fix Weak ciphers (3DES) should not be enabled by default anymore.
   
    Ticket: https://pagure.io/dogtagpki/issue/2821
   
    This fix simply does the following:
   
    1.  Makes sure that the ciphers below are not enabled by default on new
    installations of a CS subsystem:
   
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
   
    2. The informational text file ciphers.info has been updated to reflect the change.
   
    To restate, this only affects brand new installs. Existing instances will have to be
    modified manually, but this is not a huge task.

    3. Since the idea was to remove 3DES related ciphers, decided to disable the rest of
    those involving 3DES. They can be rescued if required by the user.

    Change-Id: I1fbef9fbe0fa509a65e167161e30f41204d4197d

commit 78e4bbc4b696b52036fa18caff5f92c02dc80d88
Comment 3 Amol K 2017-12-18 02:12:31 EST
I tested this Bugzilla on 10.5.1-5 version. 

In file /etc/pki/<instance_name>/ciphers.info, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA algorithms are disabled by default.

Verifying this bug.

Note You need to log in before you can comment on or make changes to this bug.