Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1552241

Summary:	Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z]
Product:	Red Hat Enterprise Linux 7	Reporter:	Oneata Mircea Teodor <toneata>
Component:	pki-core	Assignee:	Christian Heimes <cheimes>
Status:	CLOSED ERRATA	QA Contact:	Asha Akkiangady <aakkiang>
Severity:	urgent	Docs Contact:
Priority:	urgent
Version:	7.6	CC:	bbhavsar, cheimes, mharmsen, msauton
Target Milestone:	rc	Keywords:	TestCaseProvided, ZStream
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	pki-core-10.5.1-10.el7	Doc Type:	No Doc Update
Doc Text:	FIPS ciphers were previously documented for the server in https://bugzilla.redhat.com/show_bug.cgi?id=1539125 - restrict default cipher suite to those ciphers permitted in fips mode; this is merely applying similar logic to the command-line tool.	Story Points:	---
Clone Of:	1540789	Environment:
Last Closed:	2018-06-26 16:47:58 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1540789
Bug Blocks:

Description Oneata Mircea Teodor 2018-03-06 19:28:40 UTC

This bug has been copied from bug #1540789 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-03-08 02:43:53 UTC

commit 16c9f4aae71708c6cd3e729d60f937551315da67 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christian Heimes <cheimes>
Date:   Thu Feb 22 10:22:41 2018 +0100

    Modernize sslget's TLS version and cipher suite
    
    Disable all cipher suites unless NSS says it's a FIPS approved suite.
    
    * SSL 2.0 and SSL 3.0 are disabled
    * Broken or weak suites with 3DES, RC4 and effective key bits less than
      80 bits are disabled.
    
    Fixes: https://pagure.io/dogtagpki/issue/2918
    Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8
    Signed-off-by: Christian Heimes <cheimes>
    (cherry picked from commit 27142606930f87023e7e1981dfbc76199d4dd240)

Comment 3 Matthew Harmsen 2018-03-14 01:33:11 UTC

QE Test Procedure:

(1) Install the latest NSS (e. g. - >= nss-3.34.0-4):

# rpm -q nss
nss-3.34.0-4.el7.x86_64

(2) Install a basic CA:

# script -c "pkispawn -s CA -f /root/pki/CA.cfg -vvv" typescript.ca

where '/root/pki/ca.cfg' contains:

[DEFAULT]
pki_admin_password=<password>
pki_client_pkcs12_password=<password>
pki_ds_password=<password>

(3) Create a raw internal password file in '/tmp/password.conf':

# cd /var/lib/pki/pki-tomcat/conf

# cp -p password.conf /tmp/password.conf

# vi /tmp/password.conf
   * remove "internal="
   * delete "internaldb=<password>
   * delete "replicationdb=<number>

(4) Run the following sslget() command:

# sslget -d /var/lib/pki/pki-tomcat/alias -w /tmp/password.conf -n 'Server-Cert cert-pki-tomcat' -v -r 'http://<fqdn>' <fqdn>:80 >/tmp/ciphers 2>&1

(5) Edit and sort /tmp/ciphers:

# vi /tmp/ciphers
   * delete the first four lines
   * delete the last four lines

# sort /tmp/ciphers > /tmp/ciphers.sorted

# ca /tmp/ciphers.sorted
disabled TLS_AES_256_GCM_SHA384                        (not FIPS)
disabled TLS_CHACHA20_POLY1305_SHA256                  (not FIPS)
disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA             (3DES)
disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256           (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256           (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256           (disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384           (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA         (disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA         (disabled by default)
disabled TLS_DHE_DSS_WITH_DES_CBC_SHA                  (disabled by default)
disabled TLS_DHE_DSS_WITH_RC4_128_SHA                  (disabled by default)
disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA             (3DES)
disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA         (disabled by default)
disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA         (disabled by default)
disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     (not FIPS)
disabled TLS_DHE_RSA_WITH_DES_CBC_SHA                  (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA          (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA           (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA           (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_NULL_SHA                  (disabled by default)
disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA               (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA         (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256    (not FIPS)
disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA                 (disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              (disabled by default)
disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           (disabled by default)
disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         (disabled by default)
disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    (not FIPS)
disabled TLS_ECDHE_RSA_WITH_NULL_SHA                   (disabled by default)
disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA                (disabled by default)
disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA            (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA             (disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA             (disabled by default)
disabled TLS_ECDH_RSA_WITH_NULL_SHA                    (disabled by default)
disabled TLS_ECDH_RSA_WITH_RC4_128_SHA                 (disabled by default)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA                 (3DES)
disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA             (disabled by default)
disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA             (disabled by default)
disabled TLS_RSA_WITH_DES_CBC_SHA                      (disabled by default)
disabled TLS_RSA_WITH_NULL_MD5                         (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA256                      (disabled by default)
disabled TLS_RSA_WITH_NULL_SHA                         (disabled by default)
disabled TLS_RSA_WITH_RC4_128_MD5                      (not FIPS)
disabled TLS_RSA_WITH_RC4_128_SHA                      (not FIPS)
disabled TLS_RSA_WITH_SEED_CBC_SHA                     (disabled by default)
enabled  TLS_AES_128_GCM_SHA256                   
enabled  TLS_DHE_DSS_WITH_AES_128_CBC_SHA         
enabled  TLS_DHE_DSS_WITH_AES_256_CBC_SHA         
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA         
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      
enabled  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA         
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      
enabled  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  
enabled  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       
enabled  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    
enabled  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    
enabled  TLS_RSA_WITH_AES_128_CBC_SHA             
enabled  TLS_RSA_WITH_AES_128_CBC_SHA256          
enabled  TLS_RSA_WITH_AES_128_GCM_SHA256          
enabled  TLS_RSA_WITH_AES_256_CBC_SHA             
enabled  TLS_RSA_WITH_AES_256_CBC_SHA256          
enabled  TLS_RSA_WITH_AES_256_GCM_SHA384

Comment 5 bhavik 2018-04-26 12:29:55 UTC

Verified with build

[root@pki1 conf]# rpm -qa | grep pki
pki-tools-10.5.1-11.el7.x86_64
pki-tks-10.5.1-10.el7pki.noarch
pki-tps-10.5.1-10.el7pki.x86_64
pki-symkey-10.5.1-11.el7.x86_64
pki-base-java-10.5.1-11.el7.noarch
pki-console-10.5.1-5.el7pki.noarch
pki-server-10.5.1-11.el7.noarch
pki-kra-10.5.1-11.el7.noarch
pki-ca-10.5.1-11.el7.noarch
redhat-pki-10.5.1-2.el7pki.noarch
pki-base-10.5.1-11.el7.noarch
redhat-pki-console-theme-10.5.1-2.el7pki.noarch
pki-ocsp-10.5.1-10.el7pki.noarch
redhat-pki-server-theme-10.5.1-2.el7pki.noarch

[root@pki1 ~]# rpm -q nss
nss-3.34.0-4.el7.x86_64

[root@pki1 conf]# cp -p password.conf /tmp/password.conf
[root@pki1 conf]# vi /tmp/password.conf 

[root@pki1 conf]# certutil -L -d /var/lib/pki/topology-02-CA/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-topology-02-CA CA                       u,u,u
subsystemCert cert-topology-02-CA                            u,u,u
caSigningCert cert-topology-02-CA CA                         CTu,Cu,Cu
auditSigningCert cert-topology-02-CA CA                      u,u,Pu
Server-Cert cert-topology-02-CA                              u,u,u

[root@pki1 conf]# sslget -d /var/lib/pki/topology-02-CA/alias/ -w /tmp/password.conf -n 'Server-Cert cert-topology-02-CA' -v -r 'http://pki1.example.com' pki1.example.com:80 >/tmp/ciphers 2>&1

[root@pki1 conf]# sort /tmp/ciphers > /tmp/ciphers.sorted
[root@pki1 conf]# cat /tmp/ciphers.sorted 
disabled TLS_AES_256_GCM_SHA384                    	(not FIPS)
disabled TLS_CHACHA20_POLY1305_SHA256              	(not FIPS)
disabled TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA         	(3DES)
disabled TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       	(disabled by default)
disabled TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       	(disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       	(disabled by default)
disabled TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       	(disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA     	(disabled by default)
disabled TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA     	(disabled by default)
disabled TLS_DHE_DSS_WITH_DES_CBC_SHA              	(disabled by default)
disabled TLS_DHE_DSS_WITH_RC4_128_SHA              	(disabled by default)
disabled TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA         	(3DES)
disabled TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA     	(disabled by default)
disabled TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA     	(disabled by default)
disabled TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 	(not FIPS)
disabled TLS_DHE_RSA_WITH_DES_CBC_SHA              	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA      	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA       	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA       	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_NULL_SHA              	(disabled by default)
disabled TLS_ECDH_ECDSA_WITH_RC4_128_SHA           	(disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA     	(disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   	(disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	(not FIPS)
disabled TLS_ECDHE_ECDSA_WITH_NULL_SHA             	(disabled by default)
disabled TLS_ECDHE_ECDSA_WITH_RC4_128_SHA          	(disabled by default)
disabled TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA       	(disabled by default)
disabled TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     	(disabled by default)
disabled TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	(not FIPS)
disabled TLS_ECDHE_RSA_WITH_NULL_SHA               	(disabled by default)
disabled TLS_ECDHE_RSA_WITH_RC4_128_SHA            	(disabled by default)
disabled TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA        	(disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_128_CBC_SHA         	(disabled by default)
disabled TLS_ECDH_RSA_WITH_AES_256_CBC_SHA         	(disabled by default)
disabled TLS_ECDH_RSA_WITH_NULL_SHA                	(disabled by default)
disabled TLS_ECDH_RSA_WITH_RC4_128_SHA             	(disabled by default)
disabled TLS_RSA_WITH_3DES_EDE_CBC_SHA             	(3DES)
disabled TLS_RSA_WITH_CAMELLIA_128_CBC_SHA         	(disabled by default)
disabled TLS_RSA_WITH_CAMELLIA_256_CBC_SHA         	(disabled by default)
disabled TLS_RSA_WITH_DES_CBC_SHA                  	(disabled by default)
disabled TLS_RSA_WITH_NULL_MD5                     	(disabled by default)
disabled TLS_RSA_WITH_NULL_SHA256                  	(disabled by default)
disabled TLS_RSA_WITH_NULL_SHA                     	(disabled by default)
disabled TLS_RSA_WITH_RC4_128_MD5                  	(not FIPS)
disabled TLS_RSA_WITH_RC4_128_SHA                  	(not FIPS)
disabled TLS_RSA_WITH_SEED_CBC_SHA                 	(disabled by default)
enabled  TLS_AES_128_GCM_SHA256                    
enabled  TLS_DHE_DSS_WITH_AES_128_CBC_SHA          
enabled  TLS_DHE_DSS_WITH_AES_256_CBC_SHA          
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA          
enabled  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       
enabled  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA          
enabled  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       
enabled  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA      
enabled  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA      
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   
enabled  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   
enabled  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA        
enabled  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA        
enabled  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     
enabled  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     
enabled  TLS_RSA_WITH_AES_128_CBC_SHA              
enabled  TLS_RSA_WITH_AES_128_CBC_SHA256           
enabled  TLS_RSA_WITH_AES_128_GCM_SHA256           
enabled  TLS_RSA_WITH_AES_256_CBC_SHA              
enabled  TLS_RSA_WITH_AES_256_CBC_SHA256           
enabled  TLS_RSA_WITH_AES_256_GCM_SHA384           

List of ciphers matches with the one mentioned in comment #3, hence marking this as verified.

Comment 7 errata-xmlrpc 2018-06-26 16:47:58 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979