Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
Description of problem:
Tomcat as used by Candlepin ignores the sslProtocol setting. I want to offer TLSv1.1 and TLSv1.2 only and I modify /etc/tomcat/server.xml accordingly, but Tomcat does not pick the change up.
In contrast, modifying the cipher list on the same file applies just as expected.
Version-Release number of selected component (if applicable):
Verified on tomcat-7.0.69-11.el7_3.noarch on Satellite 6.2.10.
How reproducible:
Every time.
Steps to Reproduce:
1. Open /etc/tomcat/server.xml and edit the 8443 connector settings
2. Change sslProtocols from "TLSv1.2,TLSv1.1,TLSv1" to simply "TLSv1.2"
3. Save, restart tomcat service
4. # nmap --script +ssl-enum-ciphers localhost -p 8443
Actual results:
TLSv1.0 and TLSv1.1 and TLSv1.2 are still offered:
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
Expected results:
Only TLSv1.2 should be offered i.e. something like this output only:
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
Additional info:
/var/log/catalina.log says: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslProtocols' to 'TLSv1.2,TLSv1.1,TLSv1' did not find a matching property.
I also tried replacing 'sslProtocols' with 'sslProtocol' (singular) as this is the correct keyword. Still, tomcat did not pick up the change and kept offering TLSv1.1 and TLSv1.0.
In contrast, setting the cipher list on the same connector was correctly picked by tomcat.
The Tomcat 7 documentation (https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support) is somewhat ambiguous here.
There are two supported options, sslEnabledProtocols and sslProtocol. Both options support the JVM constants for SSL/TLS protocol versions (https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext) and the documentation notes that the options "overlap." The difference between the two isn't really spelled out although from searching it seems that one option is retained for compatibility reasons.
My recommendation would therefore be to set both values to "TLSv1.1,TLSv1.2" to support TLS 1.1 and 1.2. TLSv1 should not be enabled unless there is no other choice due to older clients. No SSL version should ever be enabled due to well-known protocol vulnerabilities (e.g. POODLE). If we wanted to enforce TLSv1.2 only, the correct setting would be "TLSv1.2". Using 1.2 only is an admirable goal, but client considerations may demand otherwise.
This change would need to be implemented in the Satellite installer along with setting the file mode to 660 and the ownership to root.tomcat (the ownership should already be correct).
I did see a note in one of our deployment scripts reading "For the time being, TLSv1 needs to stay enabled to support existing python-rhsm based clients." That comment is pretty old, but probably warrants further investigation.
After talking with some members of the M2Crypto team, it appears there is no support for TLS 1.1 in RHEL 5. In light of that, I would recommend both "sslProtocol" and "sslEnabledProtocols" be set to "TLSv1,TLSv1.1,TLSv1.2".
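A small audit script, added here and not part of this bug or of the Satellite installer, that ties the reproduction steps to the attribute discussion above: it reads the honoured protocol attributes (sslEnabledProtocols, sslProtocol) off the 8443 connector, flags misspelled ones such as sslProtocols that Tomcat only warns about, and compares the configured versions with the protocol headings in nmap ssl-enum-ciphers output. The server.xml fragment and nmap excerpt are constructed inputs.

```python
import re
import xml.etree.ElementTree as ET
# Attributes Tomcat 7 honours for protocol selection; a misspelling such as
# "sslProtocols" only produces the catalina.log warning quoted in the report.
KNOWN_ATTRS = ("sslEnabledProtocols", "sslProtocol")
WEAK = {"SSLv2", "SSLv3", "TLSv1"}

# Constructed server.xml fragment reproducing the misspelled attribute.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" sslProtocols="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"/>
</Service></Server>"""

# Constructed nmap excerpt in the shape of the "Actual results" above.
NMAP_OUT = """8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|   TLSv1.1:
|   TLSv1.2:
|_  least strength: strong"""

def connector_protocols(xml_text, port="8443"):
    """Return (honoured ssl* attrs, ignored ssl* attrs) for the connector on port."""
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("port") == port:
            honoured = {k: v for k, v in conn.attrib.items() if k in KNOWN_ATTRS}
            ignored = [k for k in conn.attrib
                       if k.lower().startswith("sslprotocol") and k not in KNOWN_ATTRS]
            return honoured, ignored
    raise ValueError("no connector on port %s" % port)

def offered_protocols(nmap_text):
    """Protocol versions nmap lists under ssl-enum-ciphers, spelled as Tomcat does."""
    found = re.findall(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$", nmap_text, re.M)
    return {"TLSv1" if p == "TLSv1.0" else p for p in found}  # nmap prints TLSv1.0

def audit(xml_text, nmap_text):
    """List findings: ignored attrs, weak versions, and config/observation gaps."""
    honoured, ignored = connector_protocols(xml_text)
    findings = ["ignored attribute %r (Tomcat warns and skips it)" % a for a in ignored]
    configured = {p.strip() for v in honoured.values() for p in v.split(",")}
    offered = offered_protocols(nmap_text)
    findings += ["weak protocol offered: %s" % p for p in sorted(offered & WEAK)]
    if not configured:
        findings.append("no honoured protocol attribute set; JSSE defaults apply")
    elif offered - configured:
        findings.append("offered but not configured: " + ",".join(sorted(offered - configured)))
    return findings
```

Run against a live host by pasting the real connector element and the real nmap output in place of the constructed strings; a non-empty "offered but not configured" finding means the connector attributes are not the ones governing the listener.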