Bug 1755614 - SmartProxy and Foreman-proxy uses OpenSSL cipher name 'ECDHE-RSA-AES128-CBC-SHA','ECDHE-RSA-AES256-CBC-SHA' which are not listed or need to modify according to IANA names
Summary: SmartProxy and Foreman-proxy uses OpenSSL cipher name 'ECDHE-RSA-AES128-CBC-S...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Capsule
Version: 6.6.0
Hardware: x86_64
OS: Linux
medium
medium vote
Target Milestone: 6.7.0
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-09-25 20:11 UTC by Ganesh Payelkar
Modified: 2020-04-14 13:26 UTC (History)
9 users (show)

Fixed In Version: tfm-rubygem-smart_proxy_dynflow_core-0.2.4,foreman-proxy-1.24.0-0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-14 13:26:00 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 27865 Normal Closed Previous definition and unused CBC ciphers 2020-05-08 17:14:24 UTC
Foreman Issue Tracker 27993 Normal Closed Remove unused CBC ciphers 2020-05-08 17:14:24 UTC
Red Hat Product Errata RHSA-2020:1454 None None None 2020-04-14 13:26:11 UTC

Description Ganesh Payelkar 2019-09-25 20:11:26 UTC
Description of problem:

SmartProxy and Foreman-proxy uses OpenSSL cipher name 'ECDHE-RSA-AES128-CBC-SHA','ECDHE-RSA-AES256-CBC-SHA' which are not listed or need to modify according to IANA names

Version-Release number of selected component (if applicable):
satellite-6.6.0-6.el7sat.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install new satellite 6.6
2. Check which ciphers listed for 8008 and 9090
3. 

Actual results:

# diff /opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.2.2/lib/smart_proxy_dynflow_core/webrick-patch.rb /usr/share/foreman-proxy/lib/webrick-patch.rb
3,6c3,6
< CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384',
<            'ECDHE-RSA-AES128-CBC-SHA', 'ECDHE-RSA-AES256-CBC-SHA',
<            'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'AES128-SHA256',
<            'AES256-SHA256', 'AES128-SHA', 'AES256-SHA'].freeze
---
> CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256','ECDHE-RSA-AES256-GCM-SHA384',
>            'ECDHE-RSA-AES128-CBC-SHA','ECDHE-RSA-AES256-CBC-SHA',
>            'AES128-GCM-SHA256','AES256-GCM-SHA384','AES128-SHA256',
>            'AES256-SHA256','AES128-SHA','AES256-SHA']
10d9
<     # rubocop:disable Metrics/AbcSize
15c14
<         cert, key = Utils.create_self_signed_cert(1024, cn, comment)
---
>         cert, key = Utils::create_self_signed_cert(1024, cn, comment)
21c20
<       ctx.ciphers = (CIPHERS - SmartProxyDynflowCore::Settings.instance.ssl_disabled_ciphers).join(':')
---
>       ctx.ciphers = (CIPHERS - Proxy::SETTINGS.ssl_disabled_ciphers).join(':')
37d35
<     # rubocop:enable Metrics/AbcSize
 
 
==============================================================================
# for port in 8008 9090; do echo $port:; nmap --script +ssl-enum-ciphers localhost -p $port; done
8008:
 
Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-25 23:54 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
8008/tcp open  http
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
 
Nmap done: 1 IP address (1 host up) scanned in 3.73 seconds
9090:
 
Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-25 23:54 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
9090/tcp open  zeus-admin
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
 
Nmap done: 1 IP address (1 host up) scanned in 3.93 seconds


Expected results:

We should have correct ciphers listed and is used for internal components.

Additional info: 

There is no such ciphers 'ECDHE-RSA-AES128-CBC-SHA', 'ECDHE-RSA-AES256-CBC-SHA' listed in
https://testssl.sh/openssl-iana.mapping.html
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

I see below Openssl cipher name and  related IANA name if these we were trying to add: 

ECDHE-RSA-AES128-SHA	ECDH	AES	128	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES256-SHA	ECDH	AES	256	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Comment 7 Lukas Zapletal 2019-10-03 06:39:15 UTC
Thanks I will go ahead and delete those two guys from the list.

Comment 8 Lukas Zapletal 2019-10-03 06:40:09 UTC
Created redmine issue https://projects.theforeman.org/issues/27993 from this bug

Comment 9 Bryan Kearney 2019-10-21 14:06:41 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/27993 has been resolved.

Comment 12 Lukas Pramuk 2019-11-29 09:57:48 UTC
VERIFIED.

@satellite-6.7.0-4.beta.el7sat.noarch
foreman-proxy-1.24.0-0.4.RC2.el7sat.noarch
tfm-rubygem-smart_proxy_dynflow_core-0.2.4-1.el7sat.noarch

by following sanity checks:

# for f in $(find / -path */webrick-patch.rb); do echo $f: ; grep -A2 ^CIPHERS $f ; done
/usr/share/foreman-proxy/lib/webrick-patch.rb:
CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384',
           'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'AES128-SHA256',
           'AES256-SHA256', 'AES128-SHA', 'AES256-SHA'].freeze
/opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.2.4/lib/smart_proxy_dynflow_core/webrick-patch.rb:
CIPHERS = ['ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384',
           'AES128-GCM-SHA256', 'AES256-GCM-SHA384', 'AES128-SHA256',
           'AES256-SHA256', 'AES128-SHA', 'AES256-SHA'].freeze

>>> both bogus ciphers (ECDHE-RSA-AES128-CBC-SHA, ECDHE-RSA-AES256-CBC-SHA) are removed from code

# for port in 8008 9090; do echo $port:; nmap --script +ssl-enum-ciphers $(hostname) -p $port; done
...

8008/tcp open  http
| ssl-enum-ciphers: 
|   TLSv1.1: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
|_  least strength: strong
...

9090/tcp open  zeus-admin
| ssl-enum-ciphers: 
|   TLSv1.1: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
|_  least strength: strong


>>> ciphers enumeration shows no difference which is expected

Comment 15 errata-xmlrpc 2020-04-14 13:26:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454


Note You need to log in before you can comment on or make changes to this bug.