Bug 1469169 - Weak ciphers (3DES) should not be enabled by default anymore
Summary: Weak ciphers (3DES) should not be enabled by default anymore
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Jack Magne
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-07-10 14:48 UTC by Thorsten Scherf
Modified: 2020-10-04 21:36 UTC (History)
4 users (show)

Fixed In Version: pki-core-10.5.1-1.el7
Doc Type: Enhancement
Doc Text:
Certificate System disables weak 3DES ciphers by default By default, Certificate System now disables ciphers based on the weak Triple Data Encryption Standard (3DES). This increases the security of the system. However, administrators are able to enable these ciphers again, if needed. For details, see https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/configuring-ciphers. As a result, new Certificate System installations have only strong ciphers enabled by default.
Clone Of:
Environment:
Last Closed: 2018-04-10 17:00:07 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2941 0 None None None 2020-10-04 21:36:23 UTC
Red Hat Product Errata RHBA-2018:0925 0 None None None 2018-04-10 17:01:04 UTC

Description Thorsten Scherf 2017-07-10 14:48:44 UTC 
Description of problem:

I see the following two ciphers enabled by default in the base/server/share/conf/ciphers.info file:

+TLS_RSA_WITH_3DES_EDE_CBC_SHA
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Can we disable those ciphers by default so that they need to be explicitly enabled in case they are needed?

Version-Release number of selected component (if applicable):
pki-core-10.4.1

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Jack Magne 2017-11-01 00:21:45 UTC 
commit 5ada777e54d0e79588c5516e18eefdbccbe36cea
Author: Jack Magne <jmagne>
Date:   Wed Oct 4 10:50:46 2017 -0700

    Fix Weak ciphers (3DES) should not be enabled by default anymore.
   
    Ticket: https://pagure.io/dogtagpki/issue/2821
   
    This fix simply does the following:
   
    1.  Makes sure that the ciphers below are not enabled by default on new
    installations of a CS subsystem:
   
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
   
    2. The informational text file ciphers.info has been updated to reflect the change.
   
    To restate, this only affects brand new installs. Existing instances will have to be
    modified manually, but this is not a huge task.

    3. Since the idea was to remove 3DES related ciphers, decided to disable the rest of
    those involving 3DES. They can be rescued if required by the user.

    Change-Id: I1fbef9fbe0fa509a65e167161e30f41204d4197d

commit 78e4bbc4b696b52036fa18caff5f92c02dc80d88
Comment 3 Amol K 2017-12-18 07:12:31 UTC 
I tested this Bugzilla on 10.5.1-5 version. 

In file /etc/pki/<instance_name>/ciphers.info, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA algorithms are disabled by default.

Verifying this bug.
Comment 8 errata-xmlrpc 2018-04-10 17:00:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925
Note You need to log in before you can comment on or make changes to this bug.