Red Hat Bugzilla – Bug 1553875
[RFE] (6.3) Enable TLSv1.2 in satellite 6.
Last modified: 2018-06-26 08:23:04 EDT
This RFE is already in Satellite 6.3.1 *except* for the qpid stack which we are including in 6.3.2 with the addition of: https://bugzilla.redhat.com/show_bug.cgi?id=1570003
custom-hiera.yaml settings to disable TLS 1.1 for all services but dispatch router:

---
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']
# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
# Puppet 3
puppet::server::passenger::ssl_protocol: 'ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2'
# Apache
apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1', '-TLSv1.1', '+TLSv1.2']
# Candlepin
candlepin::tls_versions: ['1.2']

QPID Dispatch router instructions will be added when available.
Can you please also paste in the Puppet 4 setting for CUs who'll be/are on Puppet 4.
FailedQA.

@satellite-6.3.1-3.el7sat.noarch
foreman-installer-1.15.6.8-1.el7sat.noarch
katello-installer-base-3.4.5.29-2.el7sat.noarch
foreman-proxy-1.15.6.4-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

1) Add custom settings into /etc/foreman-installer/custom-hiera.yaml

# cat >> /etc/foreman-installer/custom-hiera.yaml << EOF
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']
# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
# Puppet 3
puppet::server::passenger::ssl_protocol: '-ALL +TLSv1.2'
# Apache
apache::mod::ssl::ssl_protocol: ['-ALL', '+TLSv1.2']
# Candlepin
candlepin::tls_versions: ['1.2']
EOF

2) Run install to apply custom settings

# satellite-installer

3) Check TLS protocols

# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.1:
|   TLSv1.2:
>>> smart-proxy has issue !!!
8008:
|   TLSv1.1:
|   TLSv1.2:
>>> dynflow has issue !!!
8140:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
>>> puppet3 is OK
443:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
>>> passenger is OK
5000:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
>>> crane is OK
8443:
|   TLSv1.1:
|   TLSv1.2:
>>> tomcat has issue

Maybe some services weren't refreshed after configuration change (i.e. installer bugs)

4) Restart services

# katello-service restart

5) Check TLS protocols once again

# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.1:
|   TLSv1.2:
>>> smart-proxy issue persists !!!
8008:
|   TLSv1.1:
|   TLSv1.2:
>>> dynflow issue persists !!!
8443:
|   TLSv1.1:
|   TLSv1.2:
>>> tomcat changed its mind, it means there is installer bug (tomcat service is not refreshed after config change)
Upstream bug assigned to stbenjam@redhat.com
For tomcat in previous comment it should be ofc TLS1.2 only:
8443:
|   TLSv1.2:

For dynflow and smart-proxy the tls setting is not populated >>> installer issue

# grep -A2 tls /etc/foreman-proxy/settings.yml
<empty>
# grep -A2 tls /etc/smart_proxy_dynflow_core/settings.yml
<empty>
# grep -rn tls_disabled_versions /usr/share/foreman*
<empty>
>>> the installer and also foreman-proxy code is missing
FailedQA.

@satellite-6.3.2-1.el7sat.noarch (Snap2)
foreman-installer-1.15.6.9-1.el7sat.noarch
katello-installer-base-3.4.5.31-1.el7sat.noarch
foreman-proxy-1.15.6.5-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

by steps described in comment#5 and comment#6:

5) Check TLS protocols once again (after services restart)

# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.1:
|   TLSv1.2:
>>> smart-proxy issue persists !!!
8008:
|   TLSv1.1:
|   TLSv1.2:
>>> dynflow issue persists !!!

The only progress made is that foreman-proxy tls setting is now populated but still not reflected, while dynflow_core tls setting is not even populated !!!

# grep -A2 tls /etc/foreman-proxy/settings.yml
:tls_disabled_versions:
- 1.1
# grep -A2 tls /etc/smart_proxy_dynflow_core/settings.yml
<empty>

When I quoted the result in /etc/foreman-proxy/settings.yml
:tls_disabled_versions:
- '1.1'
and restarted foreman-proxy service I got it working
9090:
|   TLSv1.2:
6.3 needs this for the installer: https://github.com/theforeman/puppet-foreman_proxy/commit/27b398192b9994a043f2d99fe46170d979eb487b#diff-4046205259659dfbef70f2a1d598d20d

I will look into the quoting issue. It's probably a difference in how the installer is handling things, but without quotes it'll be interpreted as a float, and that's probably correct behaviour.

> YAML.load("\n---\n:tls_disabled_versions:\n - '1.1'\n")[:tls_disabled_versions].first.class
=> String
> YAML.load("\n---\n:tls_disabled_versions:\n - 1.1\n")[:tls_disabled_versions].first.class
=> Float
FailedQA.

@satellite-6.3.2-1.el7sat.noarch
foreman-installer-1.15.6.10-1.el7sat.noarch
katello-installer-base-3.4.5.32-1.el7sat.noarch
foreman-proxy-1.15.6.5-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

by steps described in comment#5 and comment#6:

5) Check TLS protocols once again (after services restart)

# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.1:
|   TLSv1.2:
>>> smart-proxy issue persists !!!
8008:
|   TLSv1.2:
8140:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
443:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
5000:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
8443:
|   TLSv1.2:
More debug info:

# grep foreman_proxy::tls /etc/foreman-installer/custom-hiera.yaml
foreman_proxy::tls_disabled_versions: ['1.1']    << quoted
vs.
# grep -A2 tls /etc/foreman-proxy/settings.yml
:tls_disabled_versions:
- 1.1    << unquoted, so ignored !!!

While dynflow_core is happy:

# grep ::dynflow:: /etc/foreman-installer/custom-hiera.yaml
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']    << quoted
vs.
# grep -A1 tls /etc/smart_proxy_dynflow_core/settings.yml
:tls_disabled_versions: ["1.1"]    << quoted
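The quoting behaviour worked through in the two comments above, as an added example that is not part of this bug report or of the foreman-proxy code: it parses constructed copies of both renderings of settings.yml, applies a hypothetical string-keyed lookup (a stand-in for whatever the proxy does with the list) to show why the Float entry disables nothing, and lints the file for that symptom.

```ruby
require 'yaml'

# Constructed samples of /etc/foreman-proxy/settings.yml as rendered by the
# installer in this thread: unquoted (YAML parses 1.1 as a Float) and
# quoted (parsed as the String '1.1').
UNQUOTED_SETTINGS = "---\n:tls_disabled_versions:\n- 1.1\n".freeze
QUOTED_SETTINGS   = "---\n:tls_disabled_versions:\n- '1.1'\n".freeze

# Versions a proxy would know how to disable; the lookup is by String, so a
# Float entry never matches (hypothetical stand-in for the proxy's own logic).
KNOWN_VERSIONS = %w[1.0 1.1 1.2].freeze

# Parse the settings file and return the raw :tls_disabled_versions entries.
# The key is a Ruby Symbol in the file, so Symbol must be permitted.
def load_disabled_versions(yaml_text)
  settings = YAML.safe_load(yaml_text, permitted_classes: [Symbol])
  Array(settings[:tls_disabled_versions])
end

# The versions that would actually be disabled: only String entries that
# name a known version survive; anything else drops out silently.
def effective_disabled(yaml_text)
  load_disabled_versions(yaml_text).select do |v|
    v.is_a?(String) && KNOWN_VERSIONS.include?(v)
  end
end

# Lint for the symptom seen in the thread: an entry that YAML turned into a
# non-String, together with the quoted form that fixes it.
def lint_disabled_versions(yaml_text)
  load_disabled_versions(yaml_text).reject { |v| v.is_a?(String) }.map do |v|
    "#{v.inspect} parsed as #{v.class}; write it as '#{v}' so it matches"
  end
end

if __FILE__ == $PROGRAM_NAME
  [['unquoted', UNQUOTED_SETTINGS], ['quoted', QUOTED_SETTINGS]].each do |name, text|
    puts "#{name}: disables #{effective_disabled(text).inspect}; " \
         "lint: #{lint_disabled_versions(text).inspect}"
  end
end
```

Run it against a real /etc/foreman-proxy/settings.yml (File.read) to catch an unquoted entry before an nmap scan does.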
VERIFIED.

@satellite-6.3.2-1.el7sat.noarch (Snap5)
foreman-installer-1.15.6.11-1.el7sat.noarch
katello-installer-base-3.4.5.32-1.el7sat.noarch
foreman-proxy-1.15.6.6-1.el7sat.noarch
rubygem-smart_proxy_dynflow-0.1.10.1-2.el7sat.noarch

1) Add custom settings into /etc/foreman-installer/custom-hiera.yaml

# cat >> /etc/foreman-installer/custom-hiera.yaml << EOF
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']
# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
# Puppet 3
puppet::server::passenger::ssl_protocol: '-ALL +TLSv1.2'
# Puppet4
# hardened by default to TLSv1.2, no need to set
# puppet::server_ssl_protocols: ['TLSv1.2']
# Apache
apache::mod::ssl::ssl_protocol: ['-ALL', '+TLSv1.2']
# Candlepin
candlepin::tls_versions: ['1.2']
EOF

2) Run installer to apply custom settings

# satellite-installer

3) Restart services to resolve possibly not refreshed services

# katello-service restart

4) Check TLS protocols

# for port in 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers $(hostname) -p $port| grep -e weak -e TLSv -e SSLv ; done
9090:
|   TLSv1.2:
8008:
|   TLSv1.2:
8140:
|   TLSv1.2:
443:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
5000:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
8443:
|   TLSv1.2:

5) Upgrade to Puppet4

# subscription-manager repos --enable rhel-7-server-satellite-6.3-puppet4-rpms
# satellite-installer --upgrade-puppet

6) Check Puppet4

# nmap --script +ssl-enum-ciphers $(hostname) -p 8140| grep -e weak -e TLSv -e SSLv
|   TLSv1.2:

>>> smart-proxy, dynflow_core, puppet3, passenger, crane, tomcat can be restricted to use only TLSv1.2
>>> puppet4 is restricted to TLSv1.2 by default, however it can be loosened in custom-hiera
1) Configured a 6.3 server with P4 and no configuration overrides so we still see weak ciphers except for P4's 8140:

# for port in 5647 9090 8008 8140 443 5000 8443; do echo $port:; nmap --script +ssl-enum-ciphers sat-r220-06.lab.eng.rdu2.redhat.com -p $port| grep -e weak -e TLSv -e SSLv ; done
5647:
|   TLSv1.0:
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|   TLSv1.1:
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|   TLSv1.2:
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|_  least strength: weak
9090:
|   TLSv1.1:
|   TLSv1.2:
8008:
|   TLSv1.2:
8140:
|   TLSv1.2:
443:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:
5000:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:
8443:
|   TLSv1.2:

2) Registered a RHEL5 client and installed + configured Puppet 4. Ran puppet:

# puppet agent --test --noop --tags no_such_tag --waitforcert 10
Info: Creating a new SSL key for ibm-x3650m4-01-vm-13.lab.eng.bos.redhat.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
...
Notice: /File[/var/lib/puppet/lib/puppet/type/file_line.rb]/ensure: defined content as '{md5}a1eceef6bd7cbfe99892cf3ee57ef2b4'
Info: Loading facts
Info: Applying configuration version '1529006453'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Applied catalog in 0.05 seconds

Worked fine. Marking VERIFIED, Puppet 4 properly supports TLS 1.2 so this is a non-issue.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1950