Description of problem:

Because the QEMU in RHEL-8 was derived from QEMU in RHEL-7, rather than that in Fedora, it inherited the "--tls-priority=NORMAL" arg to configure. This was used in RHEL-7, because that distro lacks the crypto policies concept. In RHEL-8, however, it should have been built to use "--tls-priority=@QEMU,SYSTEM" as is done in Fedora. This would make QEMU use the "@QEMU" crypto policy profile, and if that doesn't exist, then it would use the @SYSTEM crypto policy profile.

The upshot of using "NORMAL" is that QEMU is exposing the GNUTLS defaults which are undesirable because they still allow TLS-1.0 and TLS-1.1. The DEFAULT RHEL8 crypto policies only allow TLS-1.2.

To illustrate, create some certs for a server and then run:

  /usr/libexec/qemu-kvm -object tls-creds-x509,dir=/root,endpoint=server,id=tls0 -chardev socket,host=localhost,port=9000,tls-creds=tls0,id=char0,server,nowait

Now in another terminal:

  wget http://nmap.org/svn/scripts/ssl-enum-ciphers.nse
  nmap --script ssl-enum-ciphers -p9000 localhost

In the results you will see TLS-1.0, 1.1 and 1.2. If /etc/crypto-policies/config is set to DEFAULT, it should only report TLS 1.2.

Version-Release number of selected component (if applicable):
qemu-kvm-4.2.0-19.module+el8.2.0+6296+6b821950.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Run QEMU with a chardev using TLS
2. Scan algorithms exposed by QEMU

Actual results:
Includes TLS 1.0 and 1.1

Expected results:
Should honour /etc/crypto-policies/config and only expose TLS-1.2 for "DEFAULT"

Additional info:
To help QE, here's a bit of further explanation about expected behaviour with:

  --tls-priority=@QEMU,SYSTEM

"SYSTEM" refers to the profile defined in /etc/crypto-policies/config, which is "DEFAULT" normally.

It is possible to create a local override, eg to turn back on TLS-1.1:

  # cat /etc/crypto-policies/local.d/gnutls-qemu.config
  QEMU=NONE:+MAC-ALL:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-X448:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-EDDSA-ED448:+CIPHER-ALL:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:+VERS-SSL3.0:-VERS-TLS1.0:+VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM

  # update-crypto-policies

If QEMU is restarted, it will now honour this custom override and advertize TLS-1.1 and TLS-1.2, instead of the "SYSTEM" settings which only advertize TLS-1.2.
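A way to run the same protocol-version check without nmap, added here as an example and not taken from the bug report or from QEMU: it pins a client handshake to one TLS version at a time and compares what the server accepted against the floor the active crypto-policy profile should impose. The POLICY_MIN_VERSION table (DEFAULT: TLS 1.2, LEGACY: TLS 1.0, as the scans in this report show; FUTURE is my assumption) and the helper names are mine, not part of crypto-policies.

```python
import socket
import ssl

# Lowest protocol version each RHEL 8 crypto-policy profile is expected to let
# an application negotiate. DEFAULT/LEGACY follow the scans in this report;
# FUTURE is an assumption added for this example.
POLICY_MIN_VERSION = {
    "LEGACY": "TLSv1",
    "DEFAULT": "TLSv1.2",
    "FUTURE": "TLSv1.2",
}

# Ascending order, named the way ssl.SSLSocket.version() reports them.
VERSION_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_ENUM = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host: str, port: int, name: str, timeout: float = 3.0) -> bool:
    """True if the server completes a handshake pinned to exactly `name`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test version negotiation, not the chain
    try:
        ctx.minimum_version = _ENUM[name]
        ctx.maximum_version = _ENUM[name]
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level,
        # so lower it for the probe only; otherwise old versions can never show.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return False  # the local OpenSSL cannot even offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, OSError):
        return False  # handshake rejected: version not offered by the server


def scan_versions(host: str, port: int) -> set:
    """Set of protocol versions the server accepted, one handshake per version."""
    return {v for v in VERSION_ORDER if probe_version(host, port, v)}


def unexpected_versions(accepted: set, policy: str) -> set:
    """Versions the server accepted that the named policy should have disabled."""
    floor = VERSION_ORDER.index(POLICY_MIN_VERSION[policy])
    return {v for v in accepted if VERSION_ORDER.index(v) < floor}


def read_system_policy(path: str = "/etc/crypto-policies/config") -> str:
    """Active profile name, i.e. what `cat /etc/crypto-policies/config` prints."""
    with open(path) as f:
        return f.read().strip()


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    policy = sys.argv[3] if len(sys.argv) > 3 else read_system_policy()
    accepted = scan_versions(host, port)
    bad = unexpected_versions(accepted, policy)
    print("accepted:", sorted(accepted, key=VERSION_ORDER.index))
    print("policy %s: %s" % (policy, "OK" if not bad else "UNEXPECTED " + ", ".join(sorted(bad))))
```

Run it as `python3 tlsprobe.py localhost 9000` against the QEMU chardev from the report; with the buggy build and DEFAULT policy it flags TLSv1 and TLSv1.1, with the fixed build it reports OK. Note that QEMU must be restarted after update-crypto-policies, as the later comments in this bug found.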
QA_ACK, please?
(In reply to Danilo Cesar Lemes de Paula from comment #3)
> QA_ACK, please?

Done, thanks.

Best regards
Liu Nana
Test with qemu-kvm-5.2.0-6.module+el8.4.0+9871+53903be9 PASS.

Test environments:
intel-jacobsville-01.khw1.lab.eng.bos.redhat.com
qemu-kvm-5.2.0-6.module+el8.4.0+9871+53903be9.x86_64
kernel-4.18.0-289.el8.x86_64

Test steps:
1. Run QEMU with a chardev using TLS
# /usr/libexec/qemu-kvm -object tls-creds-x509,dir=/etc/pki/qemu/,endpoint=server,id=tls0 -chardev socket,host=localhost,port=9000,tls-creds=tls0,id=char0,server,nowait --monitor stdio

2. Scan algorithms exposed by QEMU
# nmap --script ssl-enum-ciphers -p9000 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-19 02:04 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000064s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE
9000/tcp open  cslistener
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 3072) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 3072) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 2048) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.68 seconds

3. additional info:
# cat /etc/crypto-policies/config
DEFAULT

Can we move this bug to VERIFIED with the above test?

Please help to check this, thanks.

Best regards
Liu Nana
(In reply to liunana from comment #10)
> 3. additional info:
> # cat /etc/crypto-policies/config
> DEFAULT
>
> Can we move this bug to VERIFIED with the above test?

I'd like to see two more scenarios.

- Change /etc/crypto-policies/config to "LEGACY", and use nmap to show that new QEMU honours the change

- Add a local custom QEMU policy in /etc/crypto-policies/local.d/gnutls-qemu.config, as described in comment #1, and show that QEMU honours this instead of the default crypto-policies setting.
(In reply to Daniel Berrangé from comment #11)
> (In reply to liunana from comment #10)
> > 3. additional info:
> > # cat /etc/crypto-policies/config
> > DEFAULT
> >
> > Can we move this bug to VERIFIED with the above test?
>
> I'd like to see two more scenarios.
>
> - Change /etc/crypto-policies/config to "LEGACY", and use nmap to show
> that new QEMU honours the change

Steps:
1). # echo LEGACY > /etc/crypto-policies/config

2). # update-crypto-policies
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

3). # nmap --script ssl-enum-ciphers -p9000 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-19 14:15 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000062s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE
9000/tcp open  cslistener
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 3072) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 3072) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 2048) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds

4). # cat /etc/crypto-policies/config
LEGACY

>
> - Add a local custom QEMU policy in
> /etc/crypto-policies/local.d/gnutls-qemu.config, as described in comment #1,
> and show that QEMU honours this instead of the default crypto-policies
> setting.

Steps:
1). # cat /etc/crypto-policies/local.d/gnutls-qemu.config
QEMU=NONE:+MAC-ALL:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-X448:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-EDDSA-ED448:+CIPHER-ALL:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:+VERS-SSL3.0:-VERS-TLS1.0:+VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM

2). # update-crypto-policies
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

3). # nmap --script ssl-enum-ciphers -p9000 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-19 14:20 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000079s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE
9000/tcp open  cslistener
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 2048) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 2048) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds

4). # cat /etc/crypto-policies/config
LEGACY

Are those results expected?

Please help to check this, thanks.

Best regards
Liu Nana
(In reply to liunana from comment #12)
> Steps:
> 1). # echo LEGACY > /etc/crypto-policies/config
>
> 2). # update-crypto-policies
> Setting system policy to LEGACY
> Note: System-wide crypto policies are applied on application start-up.
> It is recommended to restart the system for the change of policies
> to fully take place.
>
> 3). # nmap --script ssl-enum-ciphers -p9000 localhost
> Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-19 14:15 EST
> Nmap scan report for localhost (127.0.0.1)
> Host is up (0.000062s latency).
> Other addresses for localhost (not scanned): ::1
>
> PORT     STATE SERVICE
> 9000/tcp open  cslistener
> | ssl-enum-ciphers:
> |   TLSv1.2:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 3072) - A
> |       TLS_RSA_WITH_AES_128_CCM (rsa 3072) - A
> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 3072) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 3072) - A
> |       TLS_RSA_WITH_AES_256_CCM (rsa 3072) - A
> |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 3072) - A
> |     compressors:
> |       NULL
> |     cipher preference: client
> |     warnings:
> |       Key exchange (dh 2048) of lower strength than certificate key
> |_  least strength: A
>
> Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds
>
> 4). # cat /etc/crypto-policies/config
> LEGACY

This doesn't look right. QEMU should offer TLS 1.0, 1.1 and 1.2 when "LEGACY" is set. When I test it does the right thing, so I suspect you didn't run "update-crypto-policies" after changing to LEGACY.

> > - Add a local custom QEMU policy in
> > /etc/crypto-policies/local.d/gnutls-qemu.config, as described in comment #1,
> > and show that QEMU honours this instead of the default crypto-policies
> > setting.
>
> Steps:
> 1). # cat /etc/crypto-policies/local.d/gnutls-qemu.config
> QEMU=NONE:+MAC-ALL:-MD5:+GROUP-ALL:-GROUP-X25519:-GROUP-X448:+SIGN-ALL:-SIGN-
> RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:-SIGN-DSA-SHA224:-
> SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:-SIGN-EDDSA-ED25519:-SIGN-
> EDDSA-ED448:+CIPHER-ALL:-CHACHA20-POLY1305:-CAMELLIA-256-GCM:-CAMELLIA-128-
> GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:
> +ECDHE-ECDSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:+VERS-SSL3.0:-VERS-TLS1.0:
> +VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
>
> 2). # update-crypto-policies
> Setting system policy to LEGACY
> Note: System-wide crypto policies are applied on application start-up.
> It is recommended to restart the system for the change of policies
> to fully take place.
>
> 3). # nmap --script ssl-enum-ciphers -p9000 localhost
> Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-19 14:20 EST
> Nmap scan report for localhost (127.0.0.1)
> Host is up (0.000079s latency).
> Other addresses for localhost (not scanned): ::1
>
> PORT     STATE SERVICE
> 9000/tcp open  cslistener
> | ssl-enum-ciphers:
> |   TLSv1.1:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |     compressors:
> |       NULL
> |     cipher preference: client
> |     warnings:
> |       Key exchange (dh 2048) of lower strength than certificate key
> |   TLSv1.2:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |     compressors:
> |       NULL
> |     cipher preference: client
> |     warnings:
> |       Key exchange (dh 2048) of lower strength than certificate key
> |_  least strength: A
>
> Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds
>
> 4). # cat /etc/crypto-policies/config
> LEGACY

This result is good - it shows TLS1.1 which your custom QEMU policy added.
(In reply to Daniel Berrangé from comment #13)
> (In reply to liunana from comment #12)
> > Steps:
> > 1). # echo LEGACY > /etc/crypto-policies/config
> >
> > 2). # update-crypto-policies
> > Setting system policy to LEGACY
> > Note: System-wide crypto policies are applied on application start-up.
> > It is recommended to restart the system for the change of policies
> > to fully take place.
> >
> > 3). # nmap --script ssl-enum-ciphers -p9000 localhost
> > Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-19 14:15 EST
> > Nmap scan report for localhost (127.0.0.1)
> > Host is up (0.000062s latency).
> > Other addresses for localhost (not scanned): ::1
> >
> > PORT     STATE SERVICE
> > 9000/tcp open  cslistener
> > | ssl-enum-ciphers:
> > |   TLSv1.2:
> > |     ciphers:
> > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> > |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 3072) - A
> > |       TLS_RSA_WITH_AES_128_CCM (rsa 3072) - A
> > |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 3072) - A
> > |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 3072) - A
> > |       TLS_RSA_WITH_AES_256_CCM (rsa 3072) - A
> > |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 3072) - A
> > |     compressors:
> > |       NULL
> > |     cipher preference: client
> > |     warnings:
> > |       Key exchange (dh 2048) of lower strength than certificate key
> > |_  least strength: A
> >
> > Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds
> >
> > 4). # cat /etc/crypto-policies/config
> > LEGACY
>
> This doesn't look right. QEMU should offer TLS 1.0, 1.1 and 1.2 when
> "LEGACY" is set. When I test it does the right thing, so I suspect you
> didn't run "update-crypto-policies" after changing to LEGACY.
>

Sorry, I didn't restart the QEMU after the command "update-crypto-policies". I can get the expected result after restarting the QEMU.

# nmap --script ssl-enum-ciphers -p9000 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-20 02:09 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000078s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE
9000/tcp open  cslistener
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 3072) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 3072) - C
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Key exchange (dh 2048) of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 3072) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 3072) - C
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Key exchange (dh 2048) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 3072) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 3072) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 3072) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 3072) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 3072) - C
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Key exchange (dh 2048) of lower strength than certificate key
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 4.00 seconds

Please help to check, thanks.

Best regards
Liu Nana
This looks good now.
Move to VERIFIED according to comment 12 ~ comment 15.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2098