Description of problem:
SmartProxy and Foreman-proxy use the OpenSSL cipher names 'ECDHE-RSA-AES128-CBC-SHA' and 'ECDHE-RSA-AES256-CBC-SHA', which are not listed, or need to be modified according to the IANA names.

Version-Release number of selected component (if applicable):
satellite-6.6.0-6.el7sat.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install new satellite 6.6
2. Check which ciphers are listed for 8008 and 9090
3.

Actual results:
# diff /opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.2.2/lib/smart_proxy_dynflow_core/webrick-patch.rb /usr/share/foreman-proxy/lib/webrick-patch.rb
3,6c3,6
< CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384',
< 'ECDHE-RSA-AES128-CBC-SHA', 'ECDHE-RSA-AES256-CBC-SHA',
< 'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'AES128-SHA256',
< 'AES256-SHA256', 'AES128-SHA', 'AES256-SHA'].freeze
---
> CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256','ECDHE-RSA-AES256-GCM-SHA384',
> 'ECDHE-RSA-AES128-CBC-SHA','ECDHE-RSA-AES256-CBC-SHA',
> 'AES128-GCM-SHA256','AES256-GCM-SHA384','AES128-SHA256',
> 'AES256-SHA256','AES128-SHA','AES256-SHA']
10d9
< # rubocop:disable Metrics/AbcSize
15c14
< cert, key = Utils.create_self_signed_cert(1024, cn, comment)
---
> cert, key = Utils::create_self_signed_cert(1024, cn, comment)
21c20
< ctx.ciphers = (CIPHERS - SmartProxyDynflowCore::Settings.instance.ssl_disabled_ciphers).join(':')
---
> ctx.ciphers = (CIPHERS - Proxy::SETTINGS.ssl_disabled_ciphers).join(':')
37d35
< # rubocop:enable Metrics/AbcSize

==============================================================================

# for port in 8008 9090; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port; done
8008:

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-25 23:54 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
8008/tcp open  http
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 3.73 seconds
9090:

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-25 23:54 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
9090/tcp open  zeus-admin
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 3.93 seconds

Expected results:
We should have the correct ciphers listed and used for internal components.

Additional info:
There are no such ciphers 'ECDHE-RSA-AES128-CBC-SHA', 'ECDHE-RSA-AES256-CBC-SHA' listed in
https://testssl.sh/openssl-iana.mapping.html
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

I see the OpenSSL cipher names below and the related IANA names, if these are what we were trying to add:

ECDHE-RSA-AES128-SHA    ECDH    AES 128    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES256-SHA    ECDH    AES 256    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
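Review bot: the two names 'ECDHE-RSA-AES128-CBC-SHA' and 'ECDHE-RSA-AES256-CBC-SHA' in the 3,6c3,6 hunk are present on both sides, so that hunk is only a whitespace and .freeze difference and both copies of webrick-patch.rb need the same correction. Because the 21c20 hunk joins the list with ':' and hands it to OpenSSL, which skips tokens it does not recognise as long as something in the string matches, those two entries never enabled anything; the nmap output above confirms it, with no TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA or TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA offered on either port. If the ECDHE CBC suites were intended, the OpenSSL names are ECDHE-RSA-AES128-SHA and ECDHE-RSA-AES256-SHA; if not, deleting the two entries changes nothing observable. The 15c14 hunk also shows both copies creating the self-signed certificate with a 1024-bit key; 2048 is the usual floor now and is worth raising in the same change.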
Thanks, I will go ahead and delete those two guys from the list.
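The check behind this decision, as an added example that is not code from Foreman, smart-proxy or this bug report: feed each configured name to the OpenSSL that Ruby is linked against and see which ones it accepts, instead of relying on the joined string, which OpenSSL accepts as long as at least one token matches. The SATELLITE_66_CIPHERS list is copied from the diff in the description; the helper names (openssl_knows_cipher?, audit_cipher_list, effective_ciphers, expected_iana_names) are my own; the OPENSSL_TO_IANA table takes the two ECDHE rows the report quotes from testssl.sh and fills in the remaining rows from the OpenSSL ciphers(1) names.

```ruby
# Added example (not Foreman/smart-proxy code): validate a webrick-patch.rb
# style cipher list against the local OpenSSL before it is joined with ':'.
require 'openssl'

# The list as shipped in Satellite 6.6 (copied from the bug's diff), including
# the two names that are not OpenSSL cipher names.
SATELLITE_66_CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384',
                        'ECDHE-RSA-AES128-CBC-SHA', 'ECDHE-RSA-AES256-CBC-SHA',
                        'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'AES128-SHA256',
                        'AES256-SHA256', 'AES128-SHA', 'AES256-SHA'].freeze

# OpenSSL name -> IANA name (the form nmap's ssl-enum-ciphers prints).
OPENSSL_TO_IANA = {
  'ECDHE-RSA-AES128-GCM-SHA256' => 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
  'ECDHE-RSA-AES256-GCM-SHA384' => 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
  'ECDHE-RSA-AES128-SHA'        => 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
  'ECDHE-RSA-AES256-SHA'        => 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
  'AES128-GCM-SHA256'           => 'TLS_RSA_WITH_AES_128_GCM_SHA256',
  'AES256-GCM-SHA384'           => 'TLS_RSA_WITH_AES_256_GCM_SHA384',
  'AES128-SHA256'               => 'TLS_RSA_WITH_AES_128_CBC_SHA256',
  'AES256-SHA256'               => 'TLS_RSA_WITH_AES_256_CBC_SHA256',
  'AES128-SHA'                  => 'TLS_RSA_WITH_AES_128_CBC_SHA',
  'AES256-SHA'                  => 'TLS_RSA_WITH_AES_256_CBC_SHA'
}.freeze

# True if OpenSSL recognises `name` on its own. SSL_CTX_set_cipher_list only
# fails when nothing in the string matches, so each name is tested alone.
def openssl_knows_cipher?(name)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = name
  true
rescue OpenSSL::SSL::SSLError
  false
end

# Splits the configured list (minus `disabled`, mirroring the
# ssl_disabled_ciphers subtraction in webrick-patch.rb) into names OpenSSL
# knows and names it would silently drop.
def audit_cipher_list(configured, disabled = [])
  known, bogus = (configured - disabled).partition { |n| openssl_knows_cipher?(n) }
  { known: known, bogus: bogus }
end

# What is really enabled after join(':'), as OpenSSL reports it back.
# TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are not governed by this list
# and are filtered out so the result matches the TLS 1.2 view.
def effective_ciphers(configured, disabled = [])
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = (configured - disabled).join(':')
  ctx.ciphers.map(&:first).reject { |n| n.start_with?('TLS_') }
end

# IANA names of the suites that will be offered, i.e. what an
# `nmap --script ssl-enum-ciphers` run should list under TLSv1.2.
def expected_iana_names(configured, disabled = [])
  effective_ciphers(configured, disabled).map { |n| OPENSSL_TO_IANA.fetch(n, n) }.sort
end

if $PROGRAM_NAME == __FILE__
  result = audit_cipher_list(SATELLITE_66_CIPHERS)
  puts "known to OpenSSL:  #{result[:known].join(', ')}"
  puts "not cipher names:  #{result[:bogus].join(', ')}"
  puts "offered (IANA):    #{expected_iana_names(SATELLITE_66_CIPHERS).join(', ')}"
end
```

Run it with the same Ruby and OpenSSL the proxy uses (on Satellite that is the tfm Ruby), since the answer depends on the library build. The same silent-skip behaviour applies to ssl_disabled_ciphers: a misspelled entry there removes nothing, which audit_cipher_list also makes visible.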
Created redmine issue https://projects.theforeman.org/issues/27993 from this bug
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/27993 has been resolved.
VERIFIED.

@satellite-6.7.0-4.beta.el7sat.noarch
foreman-proxy-1.24.0-0.4.RC2.el7sat.noarch
tfm-rubygem-smart_proxy_dynflow_core-0.2.4-1.el7sat.noarch

by following sanity checks:

# for f in $(find / -path */webrick-patch.rb); do echo $f: ; grep -A2 ^CIPHERS $f ; done
/usr/share/foreman-proxy/lib/webrick-patch.rb:
CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384',
           'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'AES128-SHA256',
           'AES256-SHA256', 'AES128-SHA', 'AES256-SHA'].freeze
/opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.2.4/lib/smart_proxy_dynflow_core/webrick-patch.rb:
CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384',
           'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'AES128-SHA256',
           'AES256-SHA256', 'AES128-SHA', 'AES256-SHA'].freeze

>>> both bogus ciphers (ECDHE-RSA-AES128-CBC-SHA, ECDHE-RSA-AES256-CBC-SHA) are removed from the code

# for port in 8008 9090; do echo $port:; nmap --script +ssl-enum-ciphers $(hostname) -p $port; done
...
8008/tcp open  http
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
...
9090/tcp open  zeus-admin
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

>>> the cipher enumeration shows no difference, which is expected
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:1454