Bug 1847697 - scap stig includes wrong openssl config file
Summary: scap stig includes wrong openssl config file
Keywords:
Status: CLOSED DUPLICATE of bug 1850543
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Vojtech Polasek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Duplicates: 1836522
Depends On:
Blocks:
Reported: 2020-06-16 20:00 UTC by Silvan Nagl
Modified: 2020-09-23 10:51 UTC (History)
CC: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-25 06:57:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Silvan Nagl 2020-06-16 20:00:34 UTC
Recently my server upgraded dovecot from 1:2.2.36-10.el8 to 1:2.3.8-2.el8 breaking imaps completely.
According to the documentation, I added ssl_dh, which points to a tested, valid file.
No other changes have been made to the previous server configuration.


X X dovecot[X]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8: user=<>, rip=X, lip=X, session=<X>
X X dovecot[X]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8: user=<>, rip=X, lip=X, session=<X>


config:
doveconf -n

auth_mechanisms = login
first_valid_uid = 1000
mail_location = maildir:~/mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap
ssl = required
ssl_cert = </etc/letsencrypt/live/X/fullchain.pem
ssl_cipher_list = PROFILE=SYSTEM
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
verbose_ssl = yes

Comment 1 Silvan Nagl 2020-06-17 17:06:49 UTC
Now I just erased everything including all configs, reinstalled them, and still:
Same error.

Comment 2 Michal Hlavinka 2020-06-17 20:15:09 UTC
I can't reproduce this. When trying to install the old version, set it up, test, upgrade, test... I just had to regenerate the DH data
# openssl dhparam -out /etc/dovecot/dh.pem 4096
and it worked. Even before that, the error message was

"""imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user......"""

I'm testing IMAPS connection with:
openssl s_client -connect localhost:993

Your error message seems odd. What is your crypto policy?
/etc/crypto-policies/config

Try changing /etc/dovecot/conf.d/10-ssl.conf ssl_cipher_list value:

ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

If it does not help, could you test a default installation with the self-signed certificate? (It's created automatically.)

Comment 3 Silvan Nagl 2020-06-18 17:49:24 UTC
I did:

dnf erase dovecot
rm -rf /etc/dovecot
dnf install dovecot

cat /etc/crypto-policies/config
DEFAULT

doveconf -Pn
# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# OS: Linux 4.18.0-147.8.1.el8_1.x86_64 x86_64 CentOS Linux release 8.2.2004 (Core)
# Hostname: XXXX
first_valid_uid = 1000
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_dh = </etc/dovecot/dh.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}


openssl s_client -connect localhost:993
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 301 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Jun 18 19:47:55 53c70r dovecot[10139]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8: user=<>, rip=200.146.227.146, lip=5.181.49.190, session=<JMdgYF+oht/IkuOS>
Jun 18 19:47:55 53c70r dovecot[10139]: imap-login: Disconnected: TLS initialization failed. (no auth attempts in 7 secs): user=<>, rip=200.146.227.146, lip=5.181.49.190, session=<JMdgYF+oht/IkuOS>
Jun 18 19:48:13 53c70r dovecot[10139]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8: user=<>, rip=::1, lip=::1, secured, session=<+KRwYV+o/pEAAAAAAAAAAAAAAAAAAAAB>

Comment 4 Michal Hlavinka 2020-06-19 08:42:33 UTC
There seem to be some steps missing in your last reproducer; this would generate:
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 55: ssl_dh: Can't open file /etc/dovecot/dh.pem: No such file or directory

How did you create dh.pem? I've used the command from 10-ssl.conf
openssl dhparam -out /etc/dovecot/dh.pem 4096

and it works fine
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot ready.

I'm testing this on the latest RHEL 8; I can't get a CentOS 8 machine at the moment, will retry later.
What openssl version do you have on your system?
# rpm -q openssl

Comment 5 Silvan Nagl 2020-06-20 16:42:46 UTC
I use the DH params from my web server, so it loads fine, and I even tested it with openssl again.
The error message clearly says it is trying to do something with the certificate, not even touching the DH param file at all.
Anyhow, I just regenerated it.
Still shows the same error.

rpm -q openssl
openssl-1.1.1c-15.el8.x86_64

Comment 6 Silvan Nagl 2020-06-20 18:50:08 UTC
I now downgraded to dovecot-1:2.2.36-10.el8.x86_64 again and it works absolutely fine.
I'm kinda disappointed that surprisingly it wasn't a config failure but an upgrade to a newer dovecot which just broke my mail server.

Comment 7 Michal Hlavinka 2020-06-23 09:09:58 UTC
I've tried several combinations with older and new openssl versions, all with SELinux enabled, even tested with FIPS mode, and it works every time. You are either doing something different or your system has some unusual configuration, which seems probable, as so far I do not see anyone else having a similar issue. Do you have any idea why your system could be special? Do you have a fully updated system with either correctly (re)labeled SELinux contexts or permissive SELinux? Do you see any other errors in your logs that could be in any way related to this, or that could indicate what is different?

Comment 8 Silvan Nagl 2020-06-23 20:26:19 UTC
The system has fapolicyd enabled and it uses [DRAFT] DISA STIG for Red Hat Enterprise Linux 8

Additional boot params are in place: slab_nomerge slub_debug=FZP vsyscall=none vm.mmap_rnd_compat_bits mds=full,nosmt fips=0

Comment 9 Michal Hlavinka 2020-06-24 13:34:26 UTC
That is quite significant information. I can reproduce this when I do remediate_openssl_crypto_policy from scap stig configuration:
https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh

This updates the [crypto_policy] section of /etc/pki/tls/openssl.cnf

and includes
/etc/crypto-policies/back-ends/openssl.config

but this file has the wrong format:

@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:.....

instead of the correct format in /etc/crypto-policies/back-ends/opensslcnf.config:

CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:....

and this causes the error you see:
error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=@SECLEVEL, arg=2:kEECDH:kRSA:kEDH:.....

In short: scap should include /etc/crypto-policies/back-ends/opensslcnf.config instead (notice opensslcnf.config instead of openssl.config)

I'm reassigning this to scap-security-guide.

---------
@Silvan:
You will have to update /etc/pki/tls/openssl.cnf to make sure the correct file is included.
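
The include mix-up Michal describes above, as an added example that is not part of this bug report or of scap-security-guide: a POSIX shell check that follows the ".include" in the [crypto_policy] section of an openssl.cnf and tells whether the included back-end file is in the "CipherString = ..." form or is a bare cipher string. The openssl.cnf layout in the fixture (openssl_conf -> ssl_module -> system_default = crypto_policy) is assumed from the RHEL 8 default; all paths and files are constructed in a temp directory, not the real /etc files.

```shell
#!/bin/sh
# Added example (not from this bug or from scap-security-guide): does the
# [crypto_policy] section of an openssl.cnf ".include" a back-end file in the
# "key = value" form that libssl's ssl_do_config() understands?
# Exit status: 0 = CipherString assignment found, 1 = bare cipher string
# (the openssl.config / opensslcnf.config mix-up), 2 = no usable .include.
check_crypto_policy_include() {
    inc=$(awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[[[:space:]]*crypto_policy[[:space:]]*\]/); next }
        insec && $1 == ".include" { print $2; exit }
    ' "$1")
    [ -n "$inc" ] && [ -r "$inc" ] || return 2
    # correct form: "CipherString = @SECLEVEL=2:..." (opensslcnf.config)
    grep -Eq '^[[:space:]]*CipherString[[:space:]]*=' "$inc" && return 0
    # wrong form: a bare "@SECLEVEL=2:kEECDH:..." line (openssl.config); the
    # config parser reads it as key "@SECLEVEL" with value "2:kEECDH:...", which
    # is the "unknown command: ... cmd=@SECLEVEL, arg=2:kEECDH" in the dovecot log
    grep -Eq '^[[:space:]]*@SECLEVEL=[0-9]+:' "$inc" && return 1
    return 2
}

# Constructed fixtures mirroring the two back-end files and a RHEL 8 style
# openssl.cnf that routes system_default to [crypto_policy] (assumed layout;
# everything lives in a temp dir, not the real /etc files).
FIX=$(mktemp -d)
CIPHERS='@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4'
printf '%s\n' "$CIPHERS" > "$FIX/openssl.config"                    # bare: wrong
printf 'CipherString = %s\n' "$CIPHERS" > "$FIX/opensslcnf.config"  # assignment: right

write_cnf() {  # $1 = output path, $2 = file to .include
    cat > "$1" <<EOF
openssl_conf = default_modules
[ default_modules ]
ssl_conf = ssl_module
[ ssl_module ]
system_default = crypto_policy
[ crypto_policy ]
.include $2
EOF
}
GOOD_CNF="$FIX/good.cnf"; write_cnf "$GOOD_CNF" "$FIX/opensslcnf.config"
BAD_CNF="$FIX/bad.cnf";   write_cnf "$BAD_CNF"  "$FIX/openssl.config"

for c in "$GOOD_CNF" "$BAD_CNF"; do
    if check_crypto_policy_include "$c"; then echo "$c: ok"
    else echo "$c: broken include (status $?)"; fi
done
```

Pointing the function at the real /etc/pki/tls/openssl.cnf gives the same three-way answer for a remediated host.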

Comment 10 Silvan Nagl 2020-06-24 15:54:14 UTC
Oh wow, this conclusion was perfect. I really appreciate your work!
Thanks a lot.

Comment 11 Vojtech Polasek 2020-06-25 06:57:53 UTC
Hello Silvan, thank you for reporting this. Coincidentally, we received a duplicate bug just now, therefore I am closing this as a duplicate. Please kindly follow progress in the other bug.

*** This bug has been marked as a duplicate of bug 1850543 ***

Comment 12 Michal Hlavinka 2020-09-23 10:51:45 UTC
*** Bug 1836522 has been marked as a duplicate of this bug. ***

