Bug 1553875 - [RFE] (6.3) Enable TLSv1.2 in satellite 6.
Summary: [RFE] (6.3) Enable TLSv1.2 in satellite 6.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Other
Version: 6.1.8
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Stephen Benjamin
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Depends On:
Blocks: 1545876
Reported: 2018-03-09 18:56 UTC by Satellite Program
Modified: 2024-01-06 04:25 UTC (History)

Fixed In Version: foreman-proxy-1.15.6.5-1,foreman-installer-1.15.6.9-1,katello-installer-base-3.4.5.32-1,foreman-installer-1.15.6.10-1,foreman-proxy-1.15.6.6-1,foreman-installer-1.15.6.11-1
Doc Type: Enhancement
Doc Text:
we need docs to outline how to disable TLS 1.0 and 1.1 and go to 1.2 only:
1. Change content of /etc/foreman-installer/custom-hiera.yaml:
---
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']
# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
# Puppet 3
puppet::server::passenger::ssl_protocol: '-ALL +TLSv1.2'
# Apache
apache::mod::ssl::ssl_protocol: ['-ALL', '+TLSv1.2']
# Candlepin
candlepin::tls_versions: ['1.2']
---
2. Run satellite-installer to apply changes
Clone Of: 1331041
Environment:
Last Closed: 2018-06-19 20:17:00 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 21350 0 Normal Closed Allow restricting TLS version 2020-12-25 09:45:45 UTC
Red Hat Product Errata RHBA-2018:1950 0 None None None 2018-06-19 20:17:33 UTC

Comment 2 Mike McCune 2018-05-16 21:48:39 UTC
This RFE is already in Satellite 6.3.1 *except* for the qpid stack which we are including in 6.3.2 with the addition of:

https://bugzilla.redhat.com/show_bug.cgi?id=1570003

Comment 3 Mike McCune 2018-05-23 16:07:32 UTC
custom-hiera.yaml settings to disable TLS 1.1 for all services but dispatch router:


---
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']

# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']

# Puppet 3
puppet::server::passenger::ssl_protocol: 'ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2'

# Apache
apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1', '-TLSv1.1', '+TLSv1.2']

# Candlepin
candlepin::tls_versions: ['1.2']

QPID Dispatch router instructions will be added when avail.

Comment 4 Lukas Pramuk 2018-05-24 06:58:43 UTC
Can you please also paste in Puppet 4 setting for CUs who'll be/are on Puppet4

Comment 5 Lukas Pramuk 2018-05-30 11:45:13 UTC
FailedQA.

@satellite-6.3.1-3.el7sat.noarch
foreman-installer-1.15.6.8-1.el7sat.noarch
katello-installer-base-3.4.5.29-2.el7sat.noarch
foreman-proxy-1.15.6.4-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

1) Add custom settings into /etc/foreman-installer/custom-hiera.yaml
# cat >> /etc/foreman-installer/custom-hiera.yaml << EOF
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']

# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']

# Puppet 3
puppet::server::passenger::ssl_protocol: '-ALL +TLSv1.2'

# Apache
apache::mod::ssl::ssl_protocol: ['-ALL', '+TLSv1.2']

# Candlepin
candlepin::tls_versions: ['1.2']
EOF

2) Run install to apply custom settings 
# satellite-installer

3) Check TLS protocols
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.1: 
|   TLSv1.2: 

>>> smart-proxy has issue !!!

8008:
|   TLSv1.1: 
|   TLSv1.2: 

>>> dynflow has issue !!!

8140:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 

>>> puppet3 is OK

443:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 

>>> passenger is OK

5000:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 

>>> crane is OK

8443:
|   TLSv1.1: 
|   TLSv1.2: 

>>> tomcat has issue

Comment 6 Lukas Pramuk 2018-05-30 11:53:50 UTC
Maybe some services weren't refreshed after configuration change (i.e. installer bugs)

4) Restart services
# katello-service restart

5) Check TLS protocols once again
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.1: 
|   TLSv1.2: 

>>> smart-proxy issue persists !!!

8008:
|   TLSv1.1: 
|   TLSv1.2: 

>>> dynflow issue persists !!!

8443:
|   TLSv1.1: 
|   TLSv1.2: 

>>> tomcat changed its mind, it means there is installer bug (tomcat service is not refreshed after config change)

Comment 7 Satellite Program 2018-05-30 12:15:12 UTC
Upstream bug assigned to stbenjam

Comment 8 Lukas Pramuk 2018-05-30 12:39:23 UTC
For tomcat in previous comment it should be ofc TLS1.2 only: 

8443:
|   TLSv1.2:


For dynflow and smart-proxy the tls setting is not populated >>> installer issue 


# grep -A2 tls /etc/foreman-proxy/settings.yml 
<empty>

# grep -A2 tls /etc/smart_proxy_dynflow_core/settings.yml 
<empty>

# grep -rn tls_disabled_versions /usr/share/foreman*
<empty>

>>> the installer and also foreman-proxy code is missing

Comment 11 Lukas Pramuk 2018-06-12 10:53:18 UTC
FailedQA.

@satellite-6.3.2-1.el7sat.noarch (Snap2)
foreman-installer-1.15.6.9-1.el7sat.noarch
katello-installer-base-3.4.5.31-1.el7sat.noarch
foreman-proxy-1.15.6.5-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

by steps described in comment#5 and comment#6:

5) Check TLS protocols once again (after services restart)
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.1: 
|   TLSv1.2: 

>>> smart-proxy issue persists !!!

8008:
|   TLSv1.1: 
|   TLSv1.2: 

>>> dynflow issue persists !!!


The only progress made is that foreman-proxy tls setting is now populated but still not reflected:
While dynflow_core tls setting is not even populated !!!

# grep -A2 tls /etc/foreman-proxy/settings.yml 
:tls_disabled_versions:
  - 1.1

# grep -A2 tls /etc/smart_proxy_dynflow_core/settings.yml 
<empty>



When I quoted the result in /etc/foreman-proxy/settings.yml
:tls_disabled_versions:
  - '1.1'

and restarted foreman-proxy service I got it working

9090:
|   TLSv1.2:

Comment 13 Stephen Benjamin 2018-06-12 11:28:35 UTC
6.3 needs this for the installer:
  https://github.com/theforeman/puppet-foreman_proxy/commit/27b398192b9994a043f2d99fe46170d979eb487b#diff-4046205259659dfbef70f2a1d598d20d

I will look into the quoting issue. It's probably a difference in how the installer is handling things, but without quotes it'll be interpreted as a float, and that's probably correct behaviour.

> YAML.load("\n---\n:tls_disabled_versions:\n  - '1.1'\n")[:tls_disabled_versions].first.class
=> String
> YAML.load("\n---\n:tls_disabled_versions:\n  - 1.1\n")[:tls_disabled_versions].first.class
=> Float

Comment 20 Lukas Pramuk 2018-06-13 11:45:58 UTC
FailedQA.

@satellite-6.3.2-1.el7sat.noarch
foreman-installer-1.15.6.10-1.el7sat.noarch
katello-installer-base-3.4.5.32-1.el7sat.noarch
foreman-proxy-1.15.6.5-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch


by steps described in comment#5 and comment#6:

5) Check TLS protocols once again (after services restart)
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.1: 
|   TLSv1.2: 

>>> smart-proxy issue persists !!!

8008:
|   TLSv1.2: 
8140:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
443:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
5000:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
8443:
|   TLSv1.2:

Comment 21 Lukas Pramuk 2018-06-13 11:55:49 UTC
More debug info:

# grep foreman_proxy::tls /etc/foreman-installer/custom-hiera.yaml
foreman_proxy::tls_disabled_versions: ['1.1']   << quoted
vs.

# grep -A2 tls /etc/foreman-proxy/settings.yml 
:tls_disabled_versions:
  - 1.1     << unquoted, so ignored !!!



While dynflow_core is happy:

# grep ::dynflow:: /etc/foreman-installer/custom-hiera.yaml
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']  << quoted  

vs.

# grep -A1 tls /etc/smart_proxy_dynflow_core/settings.yml 
:tls_disabled_versions: ["1.1"]   << quoted
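
As an added example (not code from this bug, foreman-proxy or the installer), the Ruby below reproduces the Float-vs-String mismatch from Comments 13 and 21 on constructed settings.yml snippets and shows two defensive responses: a lookup that normalizes every entry to a string before comparing, and a writer that emits the list with strings so the dump quotes '1.1'. The lookup and writer functions are hypothetical stand-ins, not the proxy's or installer's own code.

```ruby
require 'yaml'

# Constructed settings.yml fragments mirroring the two variants in the thread:
# the installer wrote an unquoted 1.1 (YAML parses it as a Float) and the
# hand-edited file had '1.1' (a String). Not copied from a real host.
UNQUOTED_SETTINGS = "---\n:tls_disabled_versions:\n  - 1.1\n"
QUOTED_SETTINGS   = "---\n:tls_disabled_versions:\n  - '1.1'\n"

def load_versions(yaml_text)
  # Symbol keys (:tls_disabled_versions) must be explicitly permitted
  # by safe_load on Psych 4 / Ruby 3.1+.
  YAML.safe_load(yaml_text, permitted_classes: [Symbol])[:tls_disabled_versions] || []
end

# Strict lookup (hypothetical): compares entries as-is, so a Float 1.1
# never equals the String '1.1' and TLS 1.1 silently stays enabled.
def strict_disabled?(yaml_text, version)
  load_versions(yaml_text).include?(version)
end

# Tolerant lookup (hypothetical): normalize numerics to "major.minor"
# strings first, so 1.1 and '1.1' both disable TLS 1.1.
def normalized_disabled_versions(yaml_text)
  load_versions(yaml_text).map { |v| v.is_a?(Numeric) ? format('%.1f', v) : v.to_s }
end

def tolerant_disabled?(yaml_text, version)
  normalized_disabled_versions(yaml_text).include?(version)
end

# Writer-side fix (hypothetical): cast every version to a String before
# dumping; Psych quotes strings that would otherwise read back as numbers.
def render_settings(versions)
  YAML.dump({ tls_disabled_versions: versions.map(&:to_s) })
end
```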

Comment 28 Lukas Pramuk 2018-06-14 16:23:27 UTC
VERIFIED.

@satellite-6.3.2-1.el7sat.noarch (Snap5)
foreman-installer-1.15.6.11-1.el7sat.noarch
katello-installer-base-3.4.5.32-1.el7sat.noarch
foreman-proxy-1.15.6.6-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

1) Add custom settings into /etc/foreman-installer/custom-hiera.yaml
# cat >> /etc/foreman-installer/custom-hiera.yaml << EOF
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']

# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']

# Puppet 3
puppet::server::passenger::ssl_protocol: '-ALL +TLSv1.2'

# Puppet4 
# hardened by default to TLSv1.2, no need to set
# puppet::server_ssl_protocols: ['TLSv1.2']

# Apache
apache::mod::ssl::ssl_protocol: ['-ALL', '+TLSv1.2']

# Candlepin
candlepin::tls_versions: ['1.2']
EOF

2) Run installer to apply custom settings 
# satellite-installer

3) Restart services to resolve possibly not refreshed services
# katello-service restart

4) Check TLS protocols
# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers $(hostname) -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.2: 
8008:
|   TLSv1.2: 
8140:
|   TLSv1.2: 
443:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
5000:
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
8443:
|   TLSv1.2: 

5) Upgrade to Puppet4
# subscription-manager repos --enable rhel-7-server-satellite-6.3-puppet4-rpms
# satellite-installer --upgrade-puppet

6) Check Puppet4
# nmap --script +ssl-enum-ciphers $(hostname) -p 8140| grep -e weak -e TLSv -e SSLv
|   TLSv1.2: 

>>> smart-proxy, dynflow_core, puppet3, passenger, crane, tomcat can be restricted to use only TLSv1.2
>>> puppet4 is restricted to TLSv1.2 by default, however it can be loosened in custom-hiera
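
An added Ruby example (not part of the bug report) that automates the judgement applied by eye in step 4: it parses `nmap --script +ssl-enum-ciphers` output in the shape shown in this thread and reports, per port, any protocol other than TLSv1.2 still offered and any cipher nmap flags as weak. The scan text is constructed to match the thread's output, not captured from the bug's hosts.

```ruby
# Constructed nmap --script +ssl-enum-ciphers output per port, in the shape
# shown in this thread (protocol headers and "- weak" cipher lines); these
# are made-up samples, not scan results from the bug's hosts.
SAMPLE_SCAN = {
  9090 => "|   TLSv1.1: \n|   TLSv1.2: \n",
  8140 => "|   SSLv3: No supported ciphers found\n|   TLSv1.2: \n",
  5647 => "|   TLSv1.0: \n|       TLS_RSA_WITH_IDEA_CBC_SHA - weak\n" \
          "|   TLSv1.1: \n|       TLS_RSA_WITH_IDEA_CBC_SHA - weak\n" \
          "|   TLSv1.2: \n|       TLS_RSA_WITH_IDEA_CBC_SHA - weak\n" \
          "|_  least strength: weak\n"
}

PROTO_RE = /^\|\s+(SSLv\d|TLSv\d\.\d):\s*(.*)$/
WEAK_RE  = /^\|\s+(\S+) - weak$/

# Parse one port's scan text into the protocols actually offered and the
# "protocol:cipher" pairs nmap flags as weak. A protocol header followed by
# "No supported ciphers found" is a probe result, not an offered version.
def parse_scan(text)
  offered, weak, current = [], [], nil
  text.each_line do |line|
    if (m = PROTO_RE.match(line))
      current = m[1]
      offered << current unless m[2].include?('No supported ciphers')
    elsif (m = WEAK_RE.match(line))
      weak << "#{current}:#{m[1]}"
    end
  end
  { offered: offered, weak: weak }
end

# Findings for one port; an empty array means TLSv1.2-only with no weak ciphers.
def findings(text, allowed = ['TLSv1.2'])
  r = parse_scan(text)
  (r[:offered] - allowed).map { |p| "offers #{p}" } +
    r[:weak].map { |w| "weak cipher #{w}" }
end

# Map each port to its findings; a run over real output fails on any non-empty entry.
def audit(scans, allowed = ['TLSv1.2'])
  scans.transform_values { |text| findings(text, allowed) }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_SCAN).each { |port, f| puts "#{port}: #{f.empty? ? 'OK' : f.join(', ')}" }
end
```

To use it on a live host, feed each port's output from the nmap loop in step 4 into `findings` instead of `SAMPLE_SCAN`.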

Comment 30 Mike McCune 2018-06-14 20:04:58 UTC
1) Configured a 6.3 server with P4 and no configuration overrides so we still see weak ciphers except for P4's 8140:

# for port in 5647 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers sat-r220-06.lab.eng.rdu2.redhat.com -p $port| grep -e weak -e TLSv -e SSLv ; done
5647:
|   TLSv1.0: 
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|   TLSv1.1: 
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|   TLSv1.2: 
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|_  least strength: weak
9090:
|   TLSv1.1: 
|   TLSv1.2: 
8008:
|   TLSv1.2: 
8140:
|   TLSv1.2: 
443:
|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|   TLSv1.1: 
|   TLSv1.2: 
5000:
|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|   TLSv1.1: 
|   TLSv1.2: 
8443:
|   TLSv1.2: 

2) registered a RHEL5 client and installed + configured Puppet 4. Ran puppet:

# puppet agent --test --noop --tags no_such_tag --waitforcert 10
Info: Creating a new SSL key for ibm-x3650m4-01-vm-13.lab.eng.bos.redhat.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
...
Notice: /File[/var/lib/puppet/lib/puppet/type/file_line.rb]/ensure: defined content as '{md5}a1eceef6bd7cbfe99892cf3ee57ef2b4'
Info: Loading facts
Info: Applying configuration version '1529006453'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Applied catalog in 0.05 seconds

worked fine. Marking VERIFIED, Puppet 4 properly supports TLS 1.2 so this is a non-issue.

Comment 32 errata-xmlrpc 2018-06-19 20:17:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1950

Comment 36 Red Hat Bugzilla 2024-01-06 04:25:26 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

