
Bug 2117842

Summary: 6.9 -> 6.10 upgrade failed on Candlepin: Failed to open TCP connection to localhost:23443 due to disabling weak encryption on tomcat
Product: Red Hat Satellite
Reporter: matt jia <mjia>
Component: Installation
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED NOTABUG
QA Contact: Gaurav Talreja <gtalreja>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.10.0
CC: ekohlvan
Target Milestone: 6.12.0
Keywords: Triaged, Upgrades
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-08-16 08:33:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description matt jia 2022-08-12 05:31:31 UTC
Description of problem:

Satellite is configured to disable Weak SSL 2.0 and SSL 3.0 Encryption:

# Tomcat / Candlepin
candlepin::tls_versions: [ '1.2', '1.3' ]

in /etc/foreman-installer/custom-hiera.yaml.

This works fine until the 6.10 upgrade. Tomcat logs the error below:

EVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-127.0.0.1-23443"]
java.lang.IllegalArgumentException: java.security.NoSuchAlgorithmException: TLSv1.2,TLSv1.3 SSLContext not available
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.<init>(JSSESocketFactory.java:138)
        at org.apache.tomcat.util.net.jsse.JSSEImplementation.getServerSocketFactory(JSSEImplementation.java:47)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:390)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)

It seems that sslProtocol in server.xml no longer accepts an input such as sslProtocol="TLSv1.2, TLSv1.3".

After commenting out 

candlepin::tls_versions: [ '1.2', '1.3' ],

the upgrade completes successfully.

Version-Release number of selected component (if applicable):

How reproducible:

Easy


Steps to Reproduce:
1. update /etc/foreman-installer/custom-hiera.yaml with candlepin::tls_versions: [ '1.2', '1.3' ]
2. run satellite-installer
3.

Actual results:

candlepin failed

Expected results:

With candlepin::tls_versions: [ '1.2', '1.3' ], satellite-installer perhaps should only update the sslEnabledProtocols on server.xml.

Additional info:

Comment 1 Ewoud Kohl van Wijngaarden 2022-08-15 14:16:17 UTC
> Satellite is configured to disable Weak SSL 2.0 and SSL 3.0 Encryption:
> 
> # Tomcat / Candlepin
> candlepin::tls_versions: [ '1.2', '1.3' ]
> 
> in /etc/foreman-installer/custom-hiera.yaml.

This was never needed to disable SSL 2.0 and 3.0. Since the parameter was introduced (https://github.com/theforeman/puppet-candlepin/commit/d749ba5f8961401cb221598bf93839ba67e95eb1) it (by default) only allowed TLS 1.1 and 1.2.

Since https://github.com/theforeman/puppet-candlepin/commit/1243c9779d88a61e8b83f8b533ed358ec6d60b4c (Foreman 2.1, Satellite 6.8) it defaulted to disabling TLS 1.1.

> This works fine until 6.10 upgrade. Tomcat has below error:
> 
> EVERE: Failed to initialize end point associated with ProtocolHandler
> ["http-bio-127.0.0.1-23443"]
> java.lang.IllegalArgumentException: java.security.NoSuchAlgorithmException:
> TLSv1.2,TLSv1.3 SSLContext not available
>         at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.<init>(JSSESocketFactory.
> java:138)
>         at
> org.apache.tomcat.util.net.jsse.JSSEImplementation.
> getServerSocketFactory(JSSEImplementation.java:47)
>         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:390)
>         at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
>         at
> org.apache.coyote.http11.AbstractHttp11JsseProtocol.
> init(AbstractHttp11JsseProtocol.java:119)
>         at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
>         at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:
> 560)
>         at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>         at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
> 
> This seems like sslProtocol in server.xml no longer allows an input as
> sslProtocol="TLSv1.2, TLSv1.3".

I think it doesn't support TLSv1.3. I'm not sure it ever worked, possibly it just silently ignored it.

> After commenting out 
> 
> candlepin::tls_versions: [ '1.2', '1.3' ],
> 
> the upgrade completes successfully.

This is what you should do, unless you really need TLS 1.3, but I'd consider that an RFE.

Comment 2 matt jia 2022-08-15 22:48:45 UTC
(In reply to Ewoud Kohl van Wijngaarden from comment #1)
> https://github.com/theforeman/puppet-candlepin/commit/
> 1243c9779d88a61e8b83f8b533ed358ec6d60b4c (Foreman 2.1, Satellite 6.8) it
> defaulted to disabling TLS 1.1.

Okay, that makes sense.

> This is what you should do, unless you really need TLS 1.3 but I'd consider
> that an RFE.

Right, customers like banks need this feature. I guess we could ditch sslProtocol and use sslEnabledProtocols only as per:

https://confluence.atlassian.com/jirakb/how-to-change-the-ssl-tls-protocols-used-by-tomcat-680395044.html

I'd file an RFE for that. Feel free to close this one if you want.

Thanks,
Matt
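
As an added illustration of the sslProtocol / sslEnabledProtocols distinction raised in the description and in comment 2 (this is example code written for this page, not code from the bug report, puppet-candlepin or Satellite): a small Python audit that parses a constructed server.xml modelled on the Candlepin connector on 127.0.0.1:23443. A JSSE connector's sslProtocol is the single algorithm name Tomcat passes to SSLContext.getInstance(), so a comma-separated value like "TLSv1.2,TLSv1.3" is rejected at startup with the NoSuchAlgorithmException seen in the log, while sslEnabledProtocols is the comma-separated allow-list of versions the socket may negotiate. The script flags the list-valued sslProtocol, flags legacy versions left in sslEnabledProtocols, and rewrites each SSL connector to sslProtocol="TLS" plus an explicit allow-list. The XML, the keystore paths and the second connector on port 8443 are constructed for the example; whether TLS 1.3 actually negotiates after the rewrite still depends on the JVM and platform.

```python
"""Audit and correct the TLS protocol attributes of Tomcat HTTPS connectors.

Added example for this bug page, not part of puppet-candlepin or Satellite.
"""
import xml.etree.ElementTree as ET

# Protocol versions that should never appear in a hardened sslEnabledProtocols.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed server.xml fragment: the first connector reproduces the failing
# configuration (a comma list in sslProtocol), the second shows legacy versions
# left enabled. Keystore paths are placeholders.
BROKEN_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="23443" address="127.0.0.1" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="want"
               sslProtocol="TLSv1.2,TLSv1.3"
               sslEnabledProtocols="TLSv1.2,TLSv1.3"
               keystoreFile="/path/to/keystore.jks"
               truststoreFile="/path/to/truststore.jks"/>
    <Connector port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="/path/to/keystore.jks"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def _split(value):
    """Split a comma-separated Tomcat attribute into trimmed protocol names."""
    return [p.strip() for p in value.split(",") if p.strip()]


def _ssl_connectors(server_xml):
    """Yield every Connector element with SSLEnabled="true"."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            yield conn


def audit_connectors(server_xml):
    """Return (port, message) findings for each SSL-enabled connector."""
    findings = []
    for conn in _ssl_connectors(server_xml):
        port = conn.get("port", "?")
        ssl_protocol = conn.get("sslProtocol", "TLS")
        if "," in ssl_protocol:
            # Tomcat passes this string as one algorithm name to
            # SSLContext.getInstance(); a list raises NoSuchAlgorithmException.
            findings.append((port, "sslProtocol must be a single SSLContext "
                                   f"algorithm, got list {ssl_protocol!r}; Tomcat "
                                   "will fail with NoSuchAlgorithmException"))
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            findings.append((port, "sslEnabledProtocols not set; JVM defaults apply"))
        else:
            weak = sorted(WEAK_PROTOCOLS & set(_split(enabled)))
            if weak:
                findings.append((port, f"weak protocols enabled: {', '.join(weak)}"))
    return findings


def harden_connectors(server_xml, enabled=("TLSv1.2", "TLSv1.3")):
    """Rewrite SSL connectors to sslProtocol="TLS" plus an explicit
    sslEnabledProtocols allow-list; return the new server.xml text."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        conn.set("sslProtocol", "TLS")
        conn.set("sslEnabledProtocols", ",".join(enabled))
    return ET.tostring(root, encoding="unicode")


def connector_tls_settings(server_xml):
    """Map port -> (sslProtocol, sslEnabledProtocols) for SSL connectors."""
    return {c.get("port"): (c.get("sslProtocol"), c.get("sslEnabledProtocols"))
            for c in _ssl_connectors(server_xml)}


if __name__ == "__main__":
    for port, msg in audit_connectors(BROKEN_SERVER_XML):
        print(f"connector {port}: {msg}")
    fixed = harden_connectors(BROKEN_SERVER_XML)
    print("after fix:", connector_tls_settings(fixed), audit_connectors(fixed))
```

Run against a real file with `audit_connectors(open("/etc/tomcat/server.xml").read())`; the rewrite only touches the two protocol attributes, so keystore, client-auth and cipher settings are left as they were.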

Comment 3 Ewoud Kohl van Wijngaarden 2022-08-16 08:33:28 UTC
(In reply to matt jia from comment #2)
> (In reply to Ewoud Kohl van Wijngaarden from comment #1)
> > This is what you should do, unless you really need TLS 1.3 but I'd consider
> > that an RFE.
> 
> Right, customers like banks need this feature. I guess we could ditch
> sslProtocol and use sslEnabledProtocols only as per:
> 
> https://confluence.atlassian.com/jirakb/how-to-change-the-ssl-tls-protocols-
> used-by-tomcat-680395044.html

This is an interesting one. I'll have a closer look.

> I'd file an RFE for that. Feel free to close this one if you want.

I've opened https://github.com/theforeman/puppet-candlepin/pull/223 to see if TLS 1.3 does work by enabling it by default. My suspicion is that you need to be on RHEL 8. We saw the same thing with Apache: RHEL 7 is simply too old.