Bug 1950475 - Disable SSLInsecureRenegotiation by default
Summary: Disable SSLInsecureRenegotiation by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.8.0
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: 6.9.3
Assignee: satellite6-bugs
QA Contact: Devendra Singh
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-16 17:17 UTC by Paul Dudley
Modified: 2022-04-19 21:50 UTC (History)

Fixed In Version: foreman-installer-2.3.1.15-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-01 14:56:48 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 32762 0 Normal New Disable SSLInsecureRenegotiation by default 2021-06-08 18:27:15 UTC
Red Hat Product Errata RHBA-2021:2636 0 None None None 2021-07-01 14:57:24 UTC

Description Paul Dudley 2021-04-16 17:17:19 UTC
By default SSLInsecureRenegotiation is enabled here:
~~~
[root@iridium ~]# vi /etc/httpd/conf.d/10-pulp.conf

# allow older yum clients to connect, see bz 647828
SSLInsecureRenegotiation on
~~~

It looks like in bz 1174942 we already wanted to have this disabled, but it's still enabled by default even in Satellite 6.8.

If we still have reason to enable this by default then perhaps an installer option to disable it, or changing the value via custom-hiera if it can be edited there.

Comment 1 Paul Dudley 2021-04-16 17:32:14 UTC
For now this can be turned off and made persistent by editing /usr/share/foreman-installer/modules/pulp/templates/pulp.conf.erb:
~~~
[root@iridium ~]# vi /usr/share/foreman-installer/modules/pulp/templates/pulp.conf.erb

# allow older yum clients to connect, see bz 647828
SSLInsecureRenegotiation off <-- make this change from on to off

Run the installer and it remains off:
[root@iridium ~]# grep -ir SSLInsecureRenegotiation /etc/httpd/
/etc/httpd/conf.d/10-pulp.conf:SSLInsecureRenegotiation off
~~~

Comment 2 wclark 2021-06-08 18:27:14 UTC
Created redmine issue https://projects.theforeman.org/issues/32762 from this bug

Comment 3 Bryan Kearney 2021-06-09 16:04:49 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/32762 has been resolved.

Comment 5 Devendra Singh 2021-06-14 10:41:49 UTC
Verified on 6.9.3 Snap2.

Verification Points:

1- By default "SSLInsecureRenegotiation" is unavailable in /usr/share/foreman-installer/modules/pulp/templates/pulp.conf.erb and /etc/httpd/conf.d/10-pulp.conf
# grep -ir SSLInsecureRenegotiation /etc/httpd/
[root@dhcp-3-56 ~]# 

# grep -ir SSLInsecureRenegotiation /usr/share/foreman-installer/modules/pulp/templates/pulp.conf.erb
[root@dhcp-3-56 ~]# 

2-# rpm -qa|grep foreman-installer-2.3.1.15-1
foreman-installer-2.3.1.15-1.el7sat.noarch
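
A stricter form of the grep check used in the comments above, as an added example that is not part of this bug report or of the Satellite tooling: it reports only uncommented settings, matches the directive case-insensitively, and treats an absent directive as passing. The function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): list every active
# SSLInsecureRenegotiation setting under an httpd config tree.

# audit_reneg DIR
# Prints "file:line:value" for each uncommented directive. httpd treats the
# directive name and its on/off argument case-insensitively, so both are
# lowercased before comparison. *.erb is included to cover installer templates.
audit_reneg() {
    find "$1" -type f \( -name '*.conf' -o -name '*.erb' \) -print0 2>/dev/null |
        sort -z |
        xargs -0 -r awk '
            $1 ~ /^#/ { next }                      # comment line
            tolower($1) == "sslinsecurerenegotiation" {
                printf "%s:%d:%s\n", FILENAME, FNR, tolower($2)
            }'
}

# reneg_is_disabled DIR
# Succeeds when no active "on" is found. An absent directive also passes,
# because the mod_ssl default is off.
reneg_is_disabled() {
    ! audit_reneg "$1" | grep -q ':on$'
}

# Constructed sample tree; the first file mirrors the 10-pulp.conf excerpt above.
demo=$(mktemp -d)
printf '%s\n' '# allow older yum clients to connect, see bz 647828' \
    'SSLInsecureRenegotiation on' > "$demo/10-pulp.conf"
printf '%s\n' '  #SSLInsecureRenegotiation on' \
    'sslinsecurerenegotiation Off' > "$demo/ssl.conf"

audit_reneg "$demo"
reneg_is_disabled "$demo" || echo "FAIL: insecure renegotiation enabled under $demo"
```

On a real host the same functions can be pointed at /etc/httpd/ and at the installer template directory named in this report.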

Comment 10 errata-xmlrpc 2021-07-01 14:56:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Satellite 6.9.3 Async Bug Fix Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2636

