Bug 1540789 - Make sslget aware of TLSv1_2 ciphers
Summary: Make sslget aware of TLSv1_2 ciphers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.6
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Christian Heimes
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1552241
TreeView+ depends on / blocked
 
Reported: 2018-02-01 02:26 UTC by Matthew Harmsen
Modified: 2018-10-30 11:06 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
FIPS ciphers were previously documented for the server in https://bugzilla.redhat.com/show_bug.cgi?id=1539125 - restrict default cipher suite to those ciphers permitted in fips mode; this is merely applying similar logic to the command-line tool.
Clone Of:
: 1552241 (view as bug list)
Environment:
Last Closed: 2018-10-30 11:05:22 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3195 None None None 2018-10-30 11:06:40 UTC

Description Matthew Harmsen 2018-02-01 02:26:37 UTC
While addressing another issue, I noticed that the sslget tool was unaware of any TLSv1_2 ciphers; this functionality should be added to the tool.

Comment 2 Matthew Harmsen 2018-03-05 21:32:11 UTC
commit 27142606930f87023e7e1981dfbc76199d4dd240 (HEAD -> master, origin/master, origin/HEAD)
Author: Christian Heimes <cheimes@redhat.com>
Date:   Thu Feb 22 10:22:41 2018 +0100

    Modernize sslget's TLS version and cipher suite
    
    Disable all cipher suites unless NSS says it's a FIPS approved suite.
    
    * SSL 2.0 and SSL 3.0 are disabled
    * Broken or weak suites with 3DES, RC4 and effective key bits less than
      80 bits are disabled.
    
    Fixes: https://pagure.io/dogtagpki/issue/2918
    Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8
    Signed-off-by: Christian Heimes <cheimes@redhat.com>

Comment 5 Matthew Harmsen 2018-03-14 01:32:46 UTC
QE Test Procedure:

(1) Install the latest NSS (e. g. - >= nss-3.34.0-4):

# rpm -q nss
nss-3.34.0-4.el7.x86_64

(2) Install a basic CA:

# script -c "pkispawn -s CA -f /root/pki/CA.cfg -vvv" typescript.ca

where '/root/pki/ca.cfg' contains:

[DEFAULT]
pki_admin_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>

(3) Create a raw internal password file in '/tmp/password.conf':

# cd /var/lib/pki/pki-tomcat/conf

# cp -p password.conf /tmp/password.conf

# vi /tmp/password.conf
   * remove "internal="
   * delete "internaldb=<password>
   * delete "replicationdb=<number>

(4) Run the following sslget() command:

# sslget -d /var/lib/pki/pki-tomcat/alias -w /tmp/password.conf -n 'Server-Cert cert-pki-tomcat' -v -r 'http://<fqdn>' <fqdn>:80 >/tmp/ciphers 2>&1

(5) Edit and sort /tmp/ciphers:

# vi /tmp/ciphers
   * delete the first four lines
   * delete the last four lines

# sort /tmp/ciphers > /tmp/ciphers.sorted

# ca /tmp/ciphers.sorted
disabled TLS_AES_256_GCM_SHA384                        (not FIPS)
disabled TLS_CHACHA20_POLY1305_SHA256                  (not FIPS)
disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA             (3DES)
disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256           (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256           (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256           (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384           (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA         (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA         (disabled by default)
disabled TLS_DHE_DSS_WITH_DES_CBC_SHA                  (disabled by default)
disabled TLS_DHE_DSS_WITH_RC4_128_SHA                  (disabled by default)
disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA             (3DES)
disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA         (disabled by default)
disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA         (disabled by default)
disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     (not FIPS)
disabled TLS_DHE_RSA_WITH_DES_CBC_SHA                  (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA          (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA           (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA           (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_NULL_SHA                  (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA               (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA         (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256    (not FIPS)
disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA                 (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              (disabled by default)
disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           (disabled by default)
disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         (disabled by default)
disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    (not FIPS)
disabled TLS_ECDHE_RSA_WITH_NULL_SHA                   (disabled by default)
disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA                (disabled by default)
disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA            (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA             (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA             (disabled by default)
disabled TLS_ECDH_RSA_WITH_NULL_SHA                    (disabled by default)
disabled TLS_ECDH_RSA_WITH_RC4_128_SHA                 (disabled by default)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA                 (3DES)
disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA             (disabled by default)
disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA             (disabled by default)
disabled TLS_RSA_WITH_DES_CBC_SHA                      (disabled by default)
disabled TLS_RSA_WITH_NULL_MD5                         (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA256                      (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA                         (disabled by default)
disabled TLS_RSA_WITH_RC4_128_MD5                      (not FIPS)
disabled TLS_RSA_WITH_RC4_128_SHA                      (not FIPS)
disabled TLS_RSA_WITH_SEED_CBC_SHA                     (disabled by default)
enabled  TLS_AES_128_GCM_SHA256                   
enabled  TLS_DHE_DSS_WITH_AES_128_CBC_SHA         
enabled  TLS_DHE_DSS_WITH_AES_256_CBC_SHA         
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA         
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      
enabled  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA         
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      
enabled  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  
enabled  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       
enabled  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    
enabled  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    
enabled  TLS_RSA_WITH_AES_128_CBC_SHA             
enabled  TLS_RSA_WITH_AES_128_CBC_SHA256          
enabled  TLS_RSA_WITH_AES_128_GCM_SHA256          
enabled  TLS_RSA_WITH_AES_256_CBC_SHA             
enabled  TLS_RSA_WITH_AES_256_CBC_SHA256          
enabled  TLS_RSA_WITH_AES_256_GCM_SHA384

Comment 7 bhavik 2018-08-10 14:27:18 UTC
Verified with build:

[root@pki1 conf]# rpm -q nss
nss-3.36.0-5.el7_5.x86_64

[root@pki1 conf]# rpm -qa pki-*
pki-base-java-10.5.9-4.el7.noarch
pki-tps-10.5.9-1.el7pki.x86_64
pki-javadoc-10.4.1-10.el7.noarch
pki-symkey-10.5.9-4.el7.x86_64
pki-base-10.5.9-4.el7.noarch
pki-tools-10.5.9-4.el7.x86_64
pki-server-10.5.9-4.el7.noarch
pki-kra-10.5.9-4.el7.noarch
pki-ca-10.5.9-4.el7.noarch
pki-console-10.5.1-5.el7pki.noarch
pki-tks-10.5.9-1.el7pki.noarch
pki-ocsp-10.5.9-1.el7pki.noarch

Steps performed as per comment #5:

[root@pki1 conf]# certutil -L -d /var/lib/pki/topology-02-CA/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-topology-02-CA CA                       u,u,u
subsystemCert cert-topology-02-CA                            u,u,u
caSigningCert cert-topology-02-CA CA                         CTu,Cu,Cu
auditSigningCert cert-topology-02-CA CA                      u,u,Pu
Server-Cert cert-topology-02-CA                              u,u,u
[root@pki1 conf]# sslget -d /var/lib/pki/topology-02-CA/alias/ -w /tmp/password.conf -n 'Server-Cert cert-topology-02-CA' -v -r 'http://pki1.example.com' pki1.example.com:20080 > /tmp/ciphers 2>&1

[root@pki1 conf]# sort /tmp/ciphers > /tmp/ciphers.sorted
[root@pki1 conf]# cat /tmp/ciphers.sorted
disabled TLS_AES_256_GCM_SHA384                         (not FIPS)
disabled TLS_CHACHA20_POLY1305_SHA256                   (not FIPS)
disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA              (3DES)
disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256            (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256            (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256            (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384            (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA          (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA          (disabled by default)
disabled TLS_DHE_DSS_WITH_DES_CBC_SHA                   (disabled by default)
disabled TLS_DHE_DSS_WITH_RC4_128_SHA                   (disabled by default)
disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA              (3DES)
disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA          (disabled by default)
disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA          (disabled by default)
disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256      (not FIPS)
disabled TLS_DHE_RSA_WITH_DES_CBC_SHA                   (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA           (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA            (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA            (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_NULL_SHA                   (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA                (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA          (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256        (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  (not FIPS)
disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA                  (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA               (disabled by default)
disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA            (disabled by default)
disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256          (disabled by default)
disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    (not FIPS)
disabled TLS_ECDHE_RSA_WITH_NULL_SHA                    (disabled by default)
disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA                 (disabled by default)
disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA             (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA              (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA              (disabled by default)
disabled TLS_ECDH_RSA_WITH_NULL_SHA                     (disabled by default)
disabled TLS_ECDH_RSA_WITH_RC4_128_SHA                  (disabled by default)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA                  (3DES)
disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA              (disabled by default)
disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA              (disabled by default)
disabled TLS_RSA_WITH_DES_CBC_SHA                       (disabled by default)
disabled TLS_RSA_WITH_NULL_MD5                          (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA256                       (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA                          (disabled by default)
disabled TLS_RSA_WITH_RC4_128_MD5                       (not FIPS)
disabled TLS_RSA_WITH_RC4_128_SHA                       (not FIPS)
disabled TLS_RSA_WITH_SEED_CBC_SHA                      (disabled by default)
enabled  TLS_AES_128_GCM_SHA256
enabled  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabled  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
enabled  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
enabled  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
enabled  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabled  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
enabled  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
enabled  TLS_RSA_WITH_AES_128_CBC_SHA
enabled  TLS_RSA_WITH_AES_128_CBC_SHA256
enabled  TLS_RSA_WITH_AES_128_GCM_SHA256
enabled  TLS_RSA_WITH_AES_256_CBC_SHA
enabled  TLS_RSA_WITH_AES_256_CBC_SHA256
enabled  TLS_RSA_WITH_AES_256_GCM_SHA384

Comment 9 errata-xmlrpc 2018-10-30 11:05:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195


Note You need to log in before you can comment on or make changes to this bug.