Bug 1713082 - When setting up mod_ssl, define range of the TLS protocols within the system-wide crypto policy
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Importance: high unspecified
Target Milestone: rc
Target Release: 8.1
Assignee: IPA Maintainers
QA Contact: ipa-qe
Reported: 2019-05-22 19:59 UTC by Rob Crittenden
Modified: 2020-11-14 07:06 UTC (History)

Last Closed: 2019-11-05 20:53:20 UTC
Links: Red Hat Product Errata RHBA-2019:3348 (last updated 2019-11-05 20:53:33 UTC)

Internal Links: 1775158

Description Rob Crittenden 2019-05-22 19:59:06 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/7667

With a system-wide crypto policy that allows only TLS 1.2 and TLS 1.3, FreeIPA still sets TLS 1.0 as an allowed protocol in the mod_ssl configuration. We need to fix the FreeIPA installer to:

- detect current crypto policy settings
- change generator of mod_ssl config to use TLS range defined by the current crypto policy

On Fedora Rawhide this can be seen with `update-crypto-policy --set FUTURE` -- you need to use the git master of the dogtag/jss/tomcatjss packages to get through the actual installation (I fixed that and dogtag will release new packages soon), but FreeIPA still sets:

```
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
```

Comment 2 Christian Heimes 2019-07-01 13:00:23 UTC
We cannot use the system-wide crypto policies for IPA yet. The default policy enables TLS 1.3, but there are some compatibility issues with TLS 1.3 and post-handshake authentication. The current fix only enables TLS 1.2 by default and prepares TLS 1.3 support for a future release.

Fixed upstream (master):
https://pagure.io/freeipa/c/c484d79ecfa1cc284b47b88377a4c2da23b9db2f
https://pagure.io/freeipa/c/b57c818fab3bb9627a8c287766cdb5bd8071c837

Comment 13 Kaleem 2019-08-28 11:57:46 UTC
[root@master ~]# grep SSLProtocol /etc/httpd/conf.d/ssl.conf
#SSLProtocol all -SSLv3
SSLProtocol TLSv1.2
[root@master ~]# openssl s_client -connect master.testrelm.test:443 -tls1_1
CONNECTED(00000003)
140335361099584:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 133 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1566993157
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
[root@master ~]# openssl s_client -connect master.testrelm.test:443 -tls1_3
CONNECTED(00000003)
140345829889856:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 246 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
[root@master ~]# openssl s_client -connect master.testrelm.test:443 -tls1_2
CONNECTED(00000003)
depth=1 O = TESTRELM.TEST, CN = Certificate Authority
verify return:1
depth=0 O = TESTRELM.TEST, CN = master.testrelm.test
verify return:1
---
Certificate chain
 0 s:O = TESTRELM.TEST, CN = master.testrelm.test
   i:O = TESTRELM.TEST, CN = Certificate Authority
 1 s:O = TESTRELM.TEST, CN = Certificate Authority
   i:O = TESTRELM.TEST, CN = Certificate Authority
---
Server certificate
subject=O = TESTRELM.TEST, CN = master.testrelm.test

issuer=O = TESTRELM.TEST, CN = Certificate Authority

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3216 bytes and written 324 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A1C7CF7A8C789FC5E7FD31390B8FC40CB09C9E728A3FE9C00E011EDD939C1D68
    Session-ID-ctx: 
    Master-Key: 105CD7ADDADDBC050A8BD42D35BB2F42C2D0AD3C96ACC43DBEC6FA439625A0755DF53518379A294192B5C97DB062265C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1566993163
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
^C
[root@master ~]# rpm -q ipa-server
ipa-server-4.8.0-9.module+el8.1.0+4011+fd4be199.x86_64
[root@master ~]#
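Added example, not code from this bug, FreeIPA or the crypto-policies project: a Python sketch of the two installer steps the description asks for (read the policy's TLS range, generate the mod_ssl `SSLProtocol` line) plus a check that flags an `ssl.conf` whose directive enables protocols outside that range, as the original `+TLSv1 +TLSv1.1 +TLSv1.2` line did, and that accepts the `SSLProtocol TLSv1.2` line verified in Comment 13. The optional cap mirrors the TLSv1.2-only decision from Comment 2. The back-end file path, the sample policy text and the fallback defaults are assumptions.

```python
import re

# Protocol keywords shared by the OpenSSL policy file and mod_ssl, oldest first.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample of the crypto-policies OpenSSL back-end (assumed path
# /etc/crypto-policies/back-ends/opensslcnf.config) for a policy that permits
# only TLS 1.2 and TLS 1.3, the situation the bug describes.
SAMPLE_POLICY = """\
CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.3
"""


def allowed_protocols(policy_text, cap="TLSv1.3"):
    """Protocols inside the policy's MinProtocol..MaxProtocol range, optionally
    capped (the upstream fix capped mod_ssl at TLSv1.2 while TLS 1.3 post-handshake
    auth was unresolved). Missing keys fall back to TLSv1/TLSv1.3 (assumed)."""
    found = dict(re.findall(r"^\s*(MinProtocol|MaxProtocol)\s*=\s*(\S+)",
                            policy_text, re.M))
    lo = found.get("MinProtocol", "TLSv1")
    hi = min(found.get("MaxProtocol", "TLSv1.3"), cap, key=PROTOCOLS.index)
    if PROTOCOLS.index(lo) > PROTOCOLS.index(hi):
        raise ValueError("policy minimum %s exceeds maximum %s" % (lo, hi))
    return PROTOCOLS[PROTOCOLS.index(lo):PROTOCOLS.index(hi) + 1]


def ssl_protocol_directive(policy_text, cap="TLSv1.3"):
    """The SSLProtocol line an installer should write for this policy."""
    return "SSLProtocol " + " ".join(allowed_protocols(policy_text, cap))


def enabled_by_ssl_conf(ssl_conf_text):
    """Protocols enabled by the last active SSLProtocol directive (later lines
    win in httpd; commented lines like '#SSLProtocol all -SSLv3' are ignored)."""
    enabled = set()
    for line in ssl_conf_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "SSLProtocol":
            continue
        enabled = set()  # a new directive replaces the previous one
        for tok in tokens[1:]:
            name = tok.lstrip("+-")
            hit = set(PROTOCOLS) if name.lower() == "all" else {name} & set(PROTOCOLS)
            enabled = enabled - hit if tok.startswith("-") else enabled | hit
    return enabled


def violations(ssl_conf_text, policy_text, cap="TLSv1.3"):
    """Protocols mod_ssl would accept that the crypto policy does not permit."""
    extra = enabled_by_ssl_conf(ssl_conf_text) - set(allowed_protocols(policy_text, cap))
    return sorted(extra, key=PROTOCOLS.index)
```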

Comment 15 errata-xmlrpc 2019-11-05 20:53:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3348

