Bug 1552241 - Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z]
Summary: Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z]
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.6
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Christian Heimes
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Keywords: TestCaseProvided, ZStream
Depends On: 1540789
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-03-06 19:28 UTC by Oneata Mircea Teodor
Modified: 2018-06-26 16:48 UTC (History)
4 users (show)

(edit)
FIPS ciphers were previously documented for the server in  https://bugzilla.redhat.com/show_bug.cgi?id=1539125 -  restrict default cipher suite to those ciphers permitted in fips mode; this is merely applying similar logic to the command-line tool.
Clone Of: 1540789
(edit)
Last Closed: 2018-06-26 16:47:58 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1979 None None None 2018-06-26 16:48 UTC

Description Oneata Mircea Teodor 2018-03-06 19:28:40 UTC
This bug has been copied from bug #1540789 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-03-08 02:43:53 UTC
commit 16c9f4aae71708c6cd3e729d60f937551315da67 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christian Heimes <cheimes@redhat.com>
Date:   Thu Feb 22 10:22:41 2018 +0100

    Modernize sslget's TLS version and cipher suite
    
    Disable all cipher suites unless NSS says it's a FIPS approved suite.
    
    * SSL 2.0 and SSL 3.0 are disabled
    * Broken or weak suites with 3DES, RC4 and effective key bits less than
      80 bits are disabled.
    
    Fixes: https://pagure.io/dogtagpki/issue/2918
    Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    (cherry picked from commit 27142606930f87023e7e1981dfbc76199d4dd240)

Comment 3 Matthew Harmsen 2018-03-14 01:33:11 UTC
QE Test Procedure:

(1) Install the latest NSS (e. g. - >= nss-3.34.0-4):

# rpm -q nss
nss-3.34.0-4.el7.x86_64

(2) Install a basic CA:

# script -c "pkispawn -s CA -f /root/pki/CA.cfg -vvv" typescript.ca

where '/root/pki/ca.cfg' contains:

[DEFAULT]
pki_admin_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>

(3) Create a raw internal password file in '/tmp/password.conf':

# cd /var/lib/pki/pki-tomcat/conf

# cp -p password.conf /tmp/password.conf

# vi /tmp/password.conf
   * remove "internal="
   * delete "internaldb=<password>
   * delete "replicationdb=<number>

(4) Run the following sslget() command:

# sslget -d /var/lib/pki/pki-tomcat/alias -w /tmp/password.conf -n 'Server-Cert cert-pki-tomcat' -v -r 'http://<fqdn>' <fqdn>:80 >/tmp/ciphers 2>&1

(5) Edit and sort /tmp/ciphers:

# vi /tmp/ciphers
   * delete the first four lines
   * delete the last four lines

# sort /tmp/ciphers > /tmp/ciphers.sorted

# ca /tmp/ciphers.sorted
disabled TLS_AES_256_GCM_SHA384                        (not FIPS)
disabled TLS_CHACHA20_POLY1305_SHA256                  (not FIPS)
disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA             (3DES)
disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256           (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256           (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256           (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384           (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA         (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA         (disabled by default)
disabled TLS_DHE_DSS_WITH_DES_CBC_SHA                  (disabled by default)
disabled TLS_DHE_DSS_WITH_RC4_128_SHA                  (disabled by default)
disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA             (3DES)
disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA         (disabled by default)
disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA         (disabled by default)
disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     (not FIPS)
disabled TLS_DHE_RSA_WITH_DES_CBC_SHA                  (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA          (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA           (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA           (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_NULL_SHA                  (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA               (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA         (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256    (not FIPS)
disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA                 (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              (disabled by default)
disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           (disabled by default)
disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         (disabled by default)
disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    (not FIPS)
disabled TLS_ECDHE_RSA_WITH_NULL_SHA                   (disabled by default)
disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA                (disabled by default)
disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA            (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA             (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA             (disabled by default)
disabled TLS_ECDH_RSA_WITH_NULL_SHA                    (disabled by default)
disabled TLS_ECDH_RSA_WITH_RC4_128_SHA                 (disabled by default)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA                 (3DES)
disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA             (disabled by default)
disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA             (disabled by default)
disabled TLS_RSA_WITH_DES_CBC_SHA                      (disabled by default)
disabled TLS_RSA_WITH_NULL_MD5                         (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA256                      (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA                         (disabled by default)
disabled TLS_RSA_WITH_RC4_128_MD5                      (not FIPS)
disabled TLS_RSA_WITH_RC4_128_SHA                      (not FIPS)
disabled TLS_RSA_WITH_SEED_CBC_SHA                     (disabled by default)
enabled  TLS_AES_128_GCM_SHA256                   
enabled  TLS_DHE_DSS_WITH_AES_128_CBC_SHA         
enabled  TLS_DHE_DSS_WITH_AES_256_CBC_SHA         
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA         
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      
enabled  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA         
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      
enabled  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  
enabled  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       
enabled  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    
enabled  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    
enabled  TLS_RSA_WITH_AES_128_CBC_SHA             
enabled  TLS_RSA_WITH_AES_128_CBC_SHA256          
enabled  TLS_RSA_WITH_AES_128_GCM_SHA256          
enabled  TLS_RSA_WITH_AES_256_CBC_SHA             
enabled  TLS_RSA_WITH_AES_256_CBC_SHA256          
enabled  TLS_RSA_WITH_AES_256_GCM_SHA384

Comment 5 bhavik 2018-04-26 12:29:55 UTC
Verified with build

[root@pki1 conf]# rpm -qa | grep pki
pki-tools-10.5.1-11.el7.x86_64
pki-tks-10.5.1-10.el7pki.noarch
pki-tps-10.5.1-10.el7pki.x86_64
pki-symkey-10.5.1-11.el7.x86_64
pki-base-java-10.5.1-11.el7.noarch
pki-console-10.5.1-5.el7pki.noarch
pki-server-10.5.1-11.el7.noarch
pki-kra-10.5.1-11.el7.noarch
pki-ca-10.5.1-11.el7.noarch
redhat-pki-10.5.1-2.el7pki.noarch
pki-base-10.5.1-11.el7.noarch
redhat-pki-console-theme-10.5.1-2.el7pki.noarch
pki-ocsp-10.5.1-10.el7pki.noarch
redhat-pki-server-theme-10.5.1-2.el7pki.noarch

[root@pki1 ~]# rpm -q nss
nss-3.34.0-4.el7.x86_64

[root@pki1 conf]# cp -p password.conf /tmp/password.conf
[root@pki1 conf]# vi /tmp/password.conf 

[root@pki1 conf]# certutil -L -d /var/lib/pki/topology-02-CA/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-topology-02-CA CA                       u,u,u
subsystemCert cert-topology-02-CA                            u,u,u
caSigningCert cert-topology-02-CA CA                         CTu,Cu,Cu
auditSigningCert cert-topology-02-CA CA                      u,u,Pu
Server-Cert cert-topology-02-CA                              u,u,u

[root@pki1 conf]# sslget -d /var/lib/pki/topology-02-CA/alias/ -w /tmp/password.conf -n 'Server-Cert cert-topology-02-CA' -v -r 'http://pki1.example.com' pki1.example.com:80 >/tmp/ciphers 2>&1

[root@pki1 conf]# sort /tmp/ciphers > /tmp/ciphers.sorted
[root@pki1 conf]# cat /tmp/ciphers.sorted 
disabled TLS_AES_256_GCM_SHA384                    	(not FIPS)
disabled TLS_CHACHA20_POLY1305_SHA256              	(not FIPS)
disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA         	(3DES)
disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       	(disabled by default)
disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       	(disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       	(disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       	(disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA     	(disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA     	(disabled by default)
disabled TLS_DHE_DSS_WITH_DES_CBC_SHA              	(disabled by default)
disabled TLS_DHE_DSS_WITH_RC4_128_SHA              	(disabled by default)
disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA         	(3DES)
disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA     	(disabled by default)
disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA     	(disabled by default)
disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 	(not FIPS)
disabled TLS_DHE_RSA_WITH_DES_CBC_SHA              	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA      	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA       	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA       	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_NULL_SHA              	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA           	(disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA     	(disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   	(disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	(not FIPS)
disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA             	(disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA          	(disabled by default)
disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA       	(disabled by default)
disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     	(disabled by default)
disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	(not FIPS)
disabled TLS_ECDHE_RSA_WITH_NULL_SHA               	(disabled by default)
disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA            	(disabled by default)
disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA        	(disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA         	(disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA         	(disabled by default)
disabled TLS_ECDH_RSA_WITH_NULL_SHA                	(disabled by default)
disabled TLS_ECDH_RSA_WITH_RC4_128_SHA             	(disabled by default)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA             	(3DES)
disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA         	(disabled by default)
disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA         	(disabled by default)
disabled TLS_RSA_WITH_DES_CBC_SHA                  	(disabled by default)
disabled TLS_RSA_WITH_NULL_MD5                     	(disabled by default)
disabled TLS_RSA_WITH_NULL_SHA256                  	(disabled by default)
disabled TLS_RSA_WITH_NULL_SHA                     	(disabled by default)
disabled TLS_RSA_WITH_RC4_128_MD5                  	(not FIPS)
disabled TLS_RSA_WITH_RC4_128_SHA                  	(not FIPS)
disabled TLS_RSA_WITH_SEED_CBC_SHA                 	(disabled by default)
enabled  TLS_AES_128_GCM_SHA256                    
enabled  TLS_DHE_DSS_WITH_AES_128_CBC_SHA          
enabled  TLS_DHE_DSS_WITH_AES_256_CBC_SHA          
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA          
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       
enabled  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA          
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       
enabled  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA      
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA      
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   
enabled  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA        
enabled  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA        
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     
enabled  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     
enabled  TLS_RSA_WITH_AES_128_CBC_SHA              
enabled  TLS_RSA_WITH_AES_128_CBC_SHA256           
enabled  TLS_RSA_WITH_AES_128_GCM_SHA256           
enabled  TLS_RSA_WITH_AES_256_CBC_SHA              
enabled  TLS_RSA_WITH_AES_256_CBC_SHA256           
enabled  TLS_RSA_WITH_AES_256_GCM_SHA384           

List of ciphers matches with the one mentioned in comment #3, hence marking this as verified.

Comment 7 errata-xmlrpc 2018-06-26 16:47:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979


Note You need to log in before you can comment on or make changes to this bug.