Bug 1469169 - Weak ciphers (3DES) should not be enabled by default anymore
Weak ciphers (3DES) should not be enabled by default anymore
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core (Show other bugs)
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: Jack Magne
Asha Akkiangady
Marc Muehlfeld
Depends On:
  Show dependency treegraph
Reported: 2017-07-10 10:48 EDT by Thorsten Scherf
Modified: 2018-04-10 13:01 EDT (History)
4 users (show)

See Also:
Fixed In Version: pki-core-10.5.1-1.el7
Doc Type: Enhancement
Doc Text:
Certificate System disables weak 3DES ciphers by default By default, Certificate System now disables ciphers based on the weak Triple Data Encryption Standard (3DES). This increases the security of the system. However, administrators are able to enable these ciphers again, if needed. For details, see https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/configuring-ciphers. As a result, new Certificate System installations have only strong ciphers enabled by default.
Story Points: ---
Clone Of:
Last Closed: 2018-04-10 13:00:07 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0925 None None None 2018-04-10 13:01 EDT

  None (edit)
Description Thorsten Scherf 2017-07-10 10:48:44 EDT
Description of problem:

I see the following two ciphers enabled by default in the base/server/share/conf/ciphers.info file:


Can we disable those ciphers by default so that they need to be explicitly enabled in case they are needed?

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:
Comment 1 Jack Magne 2017-10-31 20:21:45 EDT
commit 5ada777e54d0e79588c5516e18eefdbccbe36cea
Author: Jack Magne <jmagne@redhat.com>
Date:   Wed Oct 4 10:50:46 2017 -0700

    Fix Weak ciphers (3DES) should not be enabled by default anymore.
    Ticket: https://pagure.io/dogtagpki/issue/2821
    This fix simply does the following:
    1.  Makes sure that the ciphers below are not enabled by default on new
    installations of a CS subsystem:
    2. The informational text file ciphers.info has been updated to reflect the change.
    To restate, this only affects brand new installs. Existing instances will have to be
    modified manually, but this is not a huge task.

    3. Since the idea was to remove 3DES related ciphers, decided to disable the rest of
    those involving 3DES. They can be rescued if required by the user.

    Change-Id: I1fbef9fbe0fa509a65e167161e30f41204d4197d

commit 78e4bbc4b696b52036fa18caff5f92c02dc80d88
Comment 3 Amol K 2017-12-18 02:12:31 EST
I tested this Bugzilla on 10.5.1-5 version. 

In file /etc/pki/<instance_name>/ciphers.info, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA algorithms are disabled by default.

Verifying this bug.
Comment 8 errata-xmlrpc 2018-04-10 13:00:07 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.