1755614 – SmartProxy and Foreman-proxy uses OpenSSL cipher name 'ECDHE-RSA-AES128-CBC-SHA','ECDHE-RSA-AES256-CBC-SHA' which are not listed or need to modify according to IANA names

Bug 1755614 - SmartProxy and Foreman-proxy uses OpenSSL cipher name 'ECDHE-RSA-AES128-CBC-SHA','ECDHE-RSA-AES256-CBC-SHA' which are not listed or need to modify according to IANA names

Summary: SmartProxy and Foreman-proxy uses OpenSSL cipher name 'ECDHE-RSA-AES128-CBC-S...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Foreman Proxy
Sub Component:
Version:	6.6.0
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	6.7.0
Assignee:	Lukas Zapletal
QA Contact:	Lukas Pramuk
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-09-25 20:11 UTC by Ganesh Payelkar
Modified:	2020-04-14 13:26 UTC (History)
CC List:	9 users (show)
Fixed In Version:	tfm-rubygem-smart_proxy_dynflow_core-0.2.4,foreman-proxy-1.24.0-0
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-14 13:26:00 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	27865	Normal	Closed	Previous definition and unused CBC ciphers	2021-01-13 19:34:16 UTC
Foreman Issue Tracker	27993	Normal	Closed	Remove unused CBC ciphers	2021-01-13 19:34:58 UTC
Red Hat Product Errata	RHSA-2020:1454	None	None	None	2020-04-14 13:26:11 UTC

Description Ganesh Payelkar 2019-09-25 20:11:26 UTC

Description of problem:

SmartProxy and Foreman-proxy uses OpenSSL cipher name 'ECDHE-RSA-AES128-CBC-SHA','ECDHE-RSA-AES256-CBC-SHA' which are not listed or need to modify according to IANA names

Version-Release number of selected component (if applicable):
satellite-6.6.0-6.el7sat.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install new satellite 6.6
2. Check which ciphers listed for 8008 and 9090
3. 

Actual results:

# diff /opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.2.2/lib/smart_proxy_dynflow_core/webrick-patch.rb /usr/share/foreman-proxy/lib/webrick-patch.rb
3,6c3,6
< CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384',
<            'ECDHE-RSA-AES128-CBC-SHA', 'ECDHE-RSA-AES256-CBC-SHA',
<            'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'AES128-SHA256',
<            'AES256-SHA256', 'AES128-SHA', 'AES256-SHA'].freeze
---
> CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256','ECDHE-RSA-AES256-GCM-SHA384',
>            'ECDHE-RSA-AES128-CBC-SHA','ECDHE-RSA-AES256-CBC-SHA',
>            'AES128-GCM-SHA256','AES256-GCM-SHA384','AES128-SHA256',
>            'AES256-SHA256','AES128-SHA','AES256-SHA']
10d9
<     # rubocop:disable Metrics/AbcSize
15c14
<         cert, key = Utils.create_self_signed_cert(1024, cn, comment)
---
>         cert, key = Utils::create_self_signed_cert(1024, cn, comment)
21c20
<       ctx.ciphers = (CIPHERS - SmartProxyDynflowCore::Settings.instance.ssl_disabled_ciphers).join(':')
---
>       ctx.ciphers = (CIPHERS - Proxy::SETTINGS.ssl_disabled_ciphers).join(':')
37d35
<     # rubocop:enable Metrics/AbcSize
 
 
==============================================================================
# for port in 8008 9090; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port; done
8008:
 
Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-25 23:54 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
8008/tcp open  http
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
 
Nmap done: 1 IP address (1 host up) scanned in 3.73 seconds
9090:
 
Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-25 23:54 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
9090/tcp open  zeus-admin
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
 
Nmap done: 1 IP address (1 host up) scanned in 3.93 seconds


Expected results:

We should have correct ciphers listed and is used for internal components.

Additional info: 

There is no such ciphers 'ECDHE-RSA-AES128-CBC-SHA', 'ECDHE-RSA-AES256-CBC-SHA' listed in
https://testssl.sh/openssl-iana.mapping.html
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

I see below Openssl cipher name and  related IANA name if these we were trying to add: 

ECDHE-RSA-AES128-SHA	ECDH	AES	128	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES256-SHA	ECDH	AES	256	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Comment 7 Lukas Zapletal 2019-10-03 06:39:15 UTC

Thanks I will go ahead and delete those two guys from the list.

Comment 8 Lukas Zapletal 2019-10-03 06:40:09 UTC

Created redmine issue https://projects.theforeman.org/issues/27993 from this bug

Comment 9 Bryan Kearney 2019-10-21 14:06:41 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/27993 has been resolved.

Comment 12 Lukas Pramuk 2019-11-29 09:57:48 UTC

VERIFIED.

@satellite-6.7.0-4.beta.el7sat.noarch
foreman-proxy-1.24.0-0.4.RC2.el7sat.noarch
tfm-rubygem-smart_proxy_dynflow_core-0.2.4-1.el7sat.noarch

by following sanity checks:

# for f in $(find / -path */webrick-patch.rb); do echo $f: ; grep -A2 ^CIPHERS $f ; done
/usr/share/foreman-proxy/lib/webrick-patch.rb:
CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384',
           'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'AES128-SHA256',
           'AES256-SHA256', 'AES128-SHA', 'AES256-SHA'].freeze
/opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.2.4/lib/smart_proxy_dynflow_core/webrick-patch.rb:
CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384',
           'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'AES128-SHA256',
           'AES256-SHA256', 'AES128-SHA', 'AES256-SHA'].freeze

>>> both bogus ciphers (ECDHE-RSA-AES128-CBC-SHA, ECDHE-RSA-AES256-CBC-SHA) are removed from code

# for port in 8008 9090; do echo $port:; nmap --script +ssl-enum-ciphers $(hostname) -p $port; done
...

8008/tcp open  http
| ssl-enum-ciphers: 
|   TLSv1.1: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
|_  least strength: strong
...

9090/tcp open  zeus-admin
| ssl-enum-ciphers: 
|   TLSv1.1: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
|_  least strength: strong


>>> ciphers enumeration shows no difference which is expected

Comment 15 errata-xmlrpc 2020-04-14 13:26:00 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454

Note You need to log in before you can comment on or make changes to this bug.