1552241 – Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z]

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1552241 - Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z]

Summary: Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z]

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	7.6
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Christian Heimes
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Depends On:	1540789
Blocks:
TreeView+	depends on / blocked

Reported:	2018-03-06 19:28 UTC by Oneata Mircea Teodor
Modified:	2022-07-09 09:38 UTC (History)
CC List:	4 users (show)
Fixed In Version:	pki-core-10.5.1-10.el7
Doc Type:	No Doc Update
Doc Text:	FIPS ciphers were previously documented for the server in https://bugzilla.redhat.com/show_bug.cgi?id=1539125 - restrict default cipher suite to those ciphers permitted in fips mode; this is merely applying similar logic to the command-line tool.
Clone Of:	1540789
Environment:
Last Closed:	2018-06-26 16:47:58 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:1979	0	None	None	None	2018-06-26 16:48:27 UTC

Description Oneata Mircea Teodor 2018-03-06 19:28:40 UTC

This bug has been copied from bug #1540789 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-03-08 02:43:53 UTC

commit 16c9f4aae71708c6cd3e729d60f937551315da67 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christian Heimes <cheimes>
Date:   Thu Feb 22 10:22:41 2018 +0100

    Modernize sslget's TLS version and cipher suite
    
    Disable all cipher suites unless NSS says it's a FIPS approved suite.
    
    * SSL 2.0 and SSL 3.0 are disabled
    * Broken or weak suites with 3DES, RC4 and effective key bits less than
      80 bits are disabled.
    
    Fixes: https://pagure.io/dogtagpki/issue/2918
    Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8
    Signed-off-by: Christian Heimes <cheimes>
    (cherry picked from commit 27142606930f87023e7e1981dfbc76199d4dd240)

Comment 3 Matthew Harmsen 2018-03-14 01:33:11 UTC

QE Test Procedure:

(1) Install the latest NSS (e. g. - >= nss-3.34.0-4):

# rpm -q nss
nss-3.34.0-4.el7.x86_64

(2) Install a basic CA:

# script -c "pkispawn -s CA -f /root/pki/CA.cfg -vvv" typescript.ca

where '/root/pki/ca.cfg' contains:

[DEFAULT]
pki_admin_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>

(3) Create a raw internal password file in '/tmp/password.conf':

# cd /var/lib/pki/pki-tomcat/conf

# cp -p password.conf /tmp/password.conf

# vi /tmp/password.conf
   * remove "internal="
   * delete "internaldb=<password>
   * delete "replicationdb=<number>

(4) Run the following sslget() command:

# sslget -d /var/lib/pki/pki-tomcat/alias -w /tmp/password.conf -n 'Server-Cert cert-pki-tomcat' -v -r 'http://<fqdn>' <fqdn>:80 >/tmp/ciphers 2>&1

(5) Edit and sort /tmp/ciphers:

# vi /tmp/ciphers
   * delete the first four lines
   * delete the last four lines

# sort /tmp/ciphers > /tmp/ciphers.sorted

# ca /tmp/ciphers.sorted
disabled TLS_AES_256_GCM_SHA384                        (not FIPS)
disabled TLS_CHACHA20_POLY1305_SHA256                  (not FIPS)
disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA             (3DES)
disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256           (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256           (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256           (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384           (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA         (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA         (disabled by default)
disabled TLS_DHE_DSS_WITH_DES_CBC_SHA                  (disabled by default)
disabled TLS_DHE_DSS_WITH_RC4_128_SHA                  (disabled by default)
disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA             (3DES)
disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA         (disabled by default)
disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA         (disabled by default)
disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     (not FIPS)
disabled TLS_DHE_RSA_WITH_DES_CBC_SHA                  (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA          (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA           (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA           (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_NULL_SHA                  (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA               (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA         (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256    (not FIPS)
disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA                 (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              (disabled by default)
disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           (disabled by default)
disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         (disabled by default)
disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    (not FIPS)
disabled TLS_ECDHE_RSA_WITH_NULL_SHA                   (disabled by default)
disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA                (disabled by default)
disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA            (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA             (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA             (disabled by default)
disabled TLS_ECDH_RSA_WITH_NULL_SHA                    (disabled by default)
disabled TLS_ECDH_RSA_WITH_RC4_128_SHA                 (disabled by default)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA                 (3DES)
disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA             (disabled by default)
disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA             (disabled by default)
disabled TLS_RSA_WITH_DES_CBC_SHA                      (disabled by default)
disabled TLS_RSA_WITH_NULL_MD5                         (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA256                      (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA                         (disabled by default)
disabled TLS_RSA_WITH_RC4_128_MD5                      (not FIPS)
disabled TLS_RSA_WITH_RC4_128_SHA                      (not FIPS)
disabled TLS_RSA_WITH_SEED_CBC_SHA                     (disabled by default)
enabled  TLS_AES_128_GCM_SHA256                   
enabled  TLS_DHE_DSS_WITH_AES_128_CBC_SHA         
enabled  TLS_DHE_DSS_WITH_AES_256_CBC_SHA         
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA         
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      
enabled  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA         
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      
enabled  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  
enabled  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       
enabled  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    
enabled  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    
enabled  TLS_RSA_WITH_AES_128_CBC_SHA             
enabled  TLS_RSA_WITH_AES_128_CBC_SHA256          
enabled  TLS_RSA_WITH_AES_128_GCM_SHA256          
enabled  TLS_RSA_WITH_AES_256_CBC_SHA             
enabled  TLS_RSA_WITH_AES_256_CBC_SHA256          
enabled  TLS_RSA_WITH_AES_256_GCM_SHA384

Comment 5 bhavik 2018-04-26 12:29:55 UTC

Verified with build

[root@pki1 conf]# rpm -qa | grep pki
pki-tools-10.5.1-11.el7.x86_64
pki-tks-10.5.1-10.el7pki.noarch
pki-tps-10.5.1-10.el7pki.x86_64
pki-symkey-10.5.1-11.el7.x86_64
pki-base-java-10.5.1-11.el7.noarch
pki-console-10.5.1-5.el7pki.noarch
pki-server-10.5.1-11.el7.noarch
pki-kra-10.5.1-11.el7.noarch
pki-ca-10.5.1-11.el7.noarch
redhat-pki-10.5.1-2.el7pki.noarch
pki-base-10.5.1-11.el7.noarch
redhat-pki-console-theme-10.5.1-2.el7pki.noarch
pki-ocsp-10.5.1-10.el7pki.noarch
redhat-pki-server-theme-10.5.1-2.el7pki.noarch

[root@pki1 ~]# rpm -q nss
nss-3.34.0-4.el7.x86_64

[root@pki1 conf]# cp -p password.conf /tmp/password.conf
[root@pki1 conf]# vi /tmp/password.conf 

[root@pki1 conf]# certutil -L -d /var/lib/pki/topology-02-CA/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-topology-02-CA CA                       u,u,u
subsystemCert cert-topology-02-CA                            u,u,u
caSigningCert cert-topology-02-CA CA                         CTu,Cu,Cu
auditSigningCert cert-topology-02-CA CA                      u,u,Pu
Server-Cert cert-topology-02-CA                              u,u,u

[root@pki1 conf]# sslget -d /var/lib/pki/topology-02-CA/alias/ -w /tmp/password.conf -n 'Server-Cert cert-topology-02-CA' -v -r 'http://pki1.example.com' pki1.example.com:80 >/tmp/ciphers 2>&1

[root@pki1 conf]# sort /tmp/ciphers > /tmp/ciphers.sorted
[root@pki1 conf]# cat /tmp/ciphers.sorted 
disabled TLS_AES_256_GCM_SHA384                    	(not FIPS)
disabled TLS_CHACHA20_POLY1305_SHA256              	(not FIPS)
disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA         	(3DES)
disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       	(disabled by default)
disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       	(disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       	(disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       	(disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA     	(disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA     	(disabled by default)
disabled TLS_DHE_DSS_WITH_DES_CBC_SHA              	(disabled by default)
disabled TLS_DHE_DSS_WITH_RC4_128_SHA              	(disabled by default)
disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA         	(3DES)
disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA     	(disabled by default)
disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA     	(disabled by default)
disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 	(not FIPS)
disabled TLS_DHE_RSA_WITH_DES_CBC_SHA              	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA      	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA       	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA       	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_NULL_SHA              	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA           	(disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA     	(disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   	(disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	(not FIPS)
disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA             	(disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA          	(disabled by default)
disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA       	(disabled by default)
disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     	(disabled by default)
disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	(not FIPS)
disabled TLS_ECDHE_RSA_WITH_NULL_SHA               	(disabled by default)
disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA            	(disabled by default)
disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA        	(disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA         	(disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA         	(disabled by default)
disabled TLS_ECDH_RSA_WITH_NULL_SHA                	(disabled by default)
disabled TLS_ECDH_RSA_WITH_RC4_128_SHA             	(disabled by default)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA             	(3DES)
disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA         	(disabled by default)
disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA         	(disabled by default)
disabled TLS_RSA_WITH_DES_CBC_SHA                  	(disabled by default)
disabled TLS_RSA_WITH_NULL_MD5                     	(disabled by default)
disabled TLS_RSA_WITH_NULL_SHA256                  	(disabled by default)
disabled TLS_RSA_WITH_NULL_SHA                     	(disabled by default)
disabled TLS_RSA_WITH_RC4_128_MD5                  	(not FIPS)
disabled TLS_RSA_WITH_RC4_128_SHA                  	(not FIPS)
disabled TLS_RSA_WITH_SEED_CBC_SHA                 	(disabled by default)
enabled  TLS_AES_128_GCM_SHA256                    
enabled  TLS_DHE_DSS_WITH_AES_128_CBC_SHA          
enabled  TLS_DHE_DSS_WITH_AES_256_CBC_SHA          
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA          
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       
enabled  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA          
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       
enabled  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA      
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA      
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   
enabled  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA        
enabled  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA        
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     
enabled  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     
enabled  TLS_RSA_WITH_AES_128_CBC_SHA              
enabled  TLS_RSA_WITH_AES_128_CBC_SHA256           
enabled  TLS_RSA_WITH_AES_128_GCM_SHA256           
enabled  TLS_RSA_WITH_AES_256_CBC_SHA              
enabled  TLS_RSA_WITH_AES_256_CBC_SHA256           
enabled  TLS_RSA_WITH_AES_256_GCM_SHA384           

List of ciphers matches with the one mentioned in comment #3, hence marking this as verified.

Comment 7 errata-xmlrpc 2018-06-26 16:47:58 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979

Note You need to log in before you can comment on or make changes to this bug.