Created from redmine issue http://projects.theforeman.org/issues/21350
Upstream bug assigned to ehelms
Upstream bug assigned to stbenjam
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/21350 has been resolved.
VERIFIED for me. Similar to: https://bugzilla.redhat.com/show_bug.cgi?id=1553875#c5

NOTE: There are slightly different settings required for custom-hiera.yaml on the Capsule, here is what I used:

# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.0', '1.1']
foreman_proxy::ssl_disabled_ciphers: ['TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_RC4_128_SHA']

# Dynflow
foreman_proxy::plugin::dynflow::ssl_disabled_ciphers: ['TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_RC4_128_SHA']
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.0', '1.1']

# Apache
pulp::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"
foreman_proxy_content::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"
apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1', '-TLSv1.1', '+TLSv1.2']
apache::mod::ssl::ssl_cipher: '!aNULL:!eNULL:!LOW:!DES:!3DES:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS:!ADH:HIGH'

# Tomcat
candlepin::tls_versions: ['1.2']

# QPID Dispatch
foreman_proxy_content::qpid_router_ssl_protocols: ['TLSv1.2']
foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'

Before tuning in custom-hiera.yaml:

# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers `hostname` -p $port| grep -e weak -e TLSv -e SSLv ; done
5647:
| TLSv1.0:
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLSv1.1:
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLSv1.2:
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
|_ least strength: weak
9090:
| TLSv1.1:
| TLSv1.2:
8008:
| TLSv1.1:
| TLSv1.2:
8140:
| TLSv1.2:
443:
| SSLv3: No supported ciphers found
| TLSv1.0:
| TLSv1.1:
| TLSv1.2:
5000:
| SSLv3: No supported ciphers found
| TLSv1.0:
| TLSv1.1:
| TLSv1.2:
8443:
| TLSv1.1:
| TLSv1.2:

After tuning:

# for port in 5647 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers `hostname` -p $port| grep -e weak -e TLSv -e SSLv ; done
5647:
| TLSv1.2:
9090:
| TLSv1.2:
8008:
8140:
| TLSv1.2:
443:
| SSLv3: No supported ciphers found
| TLSv1.2:
5000:
| SSLv3: No supported ciphers found
| TLSv1.2:
8443:
| SSLv3: No supported ciphers found
| TLSv1.2:
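A grader for the nmap ssl-enum-ciphers output shown in the comment above, added here as an example (it is not part of the original comment nor of Satellite's own tooling): it reads one port's report and fails if SSLv3, TLSv1.0 or TLSv1.1 is still offered or any cipher is rated weak. The sample reports are constructed to match the grep'd format in the comment, and scan_port is a hypothetical wrapper that needs nmap and a reachable host.

```shell
#!/bin/sh
# Added example (not from the bug report): grade one port's nmap
# ssl-enum-ciphers report. Exit 0 only when just TLSv1.2 is offered and no
# cipher is rated weak; every finding is printed so the operator sees why.
check_tls_report() {
  awk '
    /^[|] *SSLv3:/ && !/No supported ciphers/ { bad++; print "  SSLv3 offered" }
    /^[|] *TLSv1\.0:/                         { bad++; print "  TLSv1.0 offered" }
    /^[|] *TLSv1\.1:/                         { bad++; print "  TLSv1.1 offered" }
    / - weak$/                                { bad++; print "  weak cipher: " $2 }
    END { exit (bad > 0) }
  '
}

# scan_port HOST PORT (hypothetical wrapper): the same nmap script as in the
# comment above, piped through the grader. Needs nmap and a reachable host;
# it is not run in the sample below.
scan_port() {
  nmap --script +ssl-enum-ciphers "$1" -p "$2" | check_tls_report
}

# Constructed sample reports in the grep'd format used in the comment:
# port 443 before and after the custom-hiera.yaml tuning.
BEFORE_443='| SSLv3: No supported ciphers found
|   TLSv1.0:
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|   TLSv1.1:
|   TLSv1.2:
|_  least strength: weak'

AFTER_443='| SSLv3: No supported ciphers found
|   TLSv1.2:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|_  least strength: strong'

echo "443 before tuning:"
printf '%s\n' "$BEFORE_443" | check_tls_report || echo "  => FAIL"
echo "443 after tuning:"
printf '%s\n' "$AFTER_443" | check_tls_report && echo "  => PASS"
```

For a live host, loop `scan_port` over the same port list as the comment and treat any non-zero exit as a port that still needs tuning.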
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2927