Bug 2134436 - [RFE] Let Apache adhere to system crypto policies
Summary: [RFE] Let Apache adhere to system crypto policies
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.11.3
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: 6.14.0
Assignee: Ewoud Kohl van Wijngaarden
QA Contact: Griffin Sullivan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-10-13 12:24 UTC by Ganesh Payelkar
Modified: 2024-12-20 21:42 UTC
CC: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-08 14:18:02 UTC
Target Upstream Version:
Embargoed:




Links
System                  ID              Priority  Status  Summary                                                  Last Updated
Foreman Issue Tracker   35629           Normal    Closed  Default Apache to use system ciphers via PROFILE=system  2022-11-07 12:54:17 UTC
Red Hat Issue Tracker   SAT-17460       None      None    None                                                     2023-05-01 19:47:36 UTC
Red Hat Product Errata  RHSA-2023:6818  None      None    None                                                     2023-11-08 14:18:20 UTC

Description Ganesh Payelkar 2022-10-13 12:24:47 UTC
Description of problem:

"Default Apache to using system ciphers" and then in the body say that both SSLCipherSuite and SSLProxyCipherSuite should default to PROFILE=system

Version-Release number of selected component (if applicable):
satellite-6.11.3

How reproducible:
Insights warning 

Actual results:

conf.d/05-foreman-ssl.conf:  SSLProxyEngine On
conf.modules.d/ssl.conf:  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
conf.modules.d/ssl.conf:  SSLProtocol ALL -TLSv1 -TLSv1.1


Expected results:


Additional info:
We are getting an Insights warning for Satellite 6.11 + RHEL 8:

Insights security alert 'Decreased security: httpd crypto-policies overridden'

Change the options SSLProtocol, SSLCipherSuite and SSLProxyCipherSuite in the configuration in the /etc/httpd directory.
Remove any SSLProtocol lines.

Change the values of SSLCipherSuite or SSLProxyCipherSuite accordingly:
 SSLCipherSuite PROFILE=SYSTEM
 SSLProxyCipherSuite PROFILE=SYSTEM

Restart the httpd service:
  # systemctl restart httpd.service
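The following is an added example, not code from the bug report, the Insights rule or the Satellite installer. It audits an httpd configuration tree for exactly the three directives the Insights alert above names (any SSLProtocol line, and SSLCipherSuite / SSLProxyCipherSuite with a value other than PROFILE=SYSTEM) and applies the quoted remediation steps to that tree. It assumes GNU grep and sed (for -r --include and -E); the sample tree it builds is constructed inline from the 6.11.3 defaults shown in the report. Caveat for Satellite hosts: these files are written by satellite-installer, so hand edits are regenerated on the next installer run; the supported fix is the 6.14 update in the errata linked on this bug, and the audit is mainly useful for confirming a host before and after that upgrade, or on a plain RHEL httpd.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Satellite itself.
# Audits an httpd configuration tree for the directives that override the
# RHEL system-wide crypto policy (the condition behind the Insights rule
# "Decreased security: httpd crypto-policies overridden") and applies the
# remediation steps quoted in the report to that tree.
# Assumes GNU grep and sed. The sample tree below is constructed for the demo.

# Print every SSLProtocol line and every SSLCipherSuite / SSLProxyCipherSuite
# line whose value is not PROFILE=SYSTEM, as file:line:directive.
# Exit status: 0 if at least one override was found, 1 if none.
audit_httpd_crypto_policy() {
    grep -rnEi --include='*.conf' \
        '^[[:space:]]*(SSLProtocol|SSLCipherSuite|SSLProxyCipherSuite)[[:space:]]' "$1" \
      | grep -vEi '(SSLCipherSuite|SSLProxyCipherSuite)[[:space:]]+PROFILE=SYSTEM[[:space:]]*$'
}

# True (exit 0) when the tree contains no overrides.
httpd_adheres_to_system_policy() {
    ! audit_httpd_crypto_policy "$1" >/dev/null
}

# Apply the Insights remediation: drop SSLProtocol lines and point both cipher
# directives at the system profile. Indentation of each line is preserved.
# Directive names are matched case-sensitively here; Satellite writes them
# in canonical case.
remediate_httpd_crypto_policy() {
    find "$1" -type f -name '*.conf' | while read -r f; do
        sed -E \
            -e '/^[[:space:]]*SSLProtocol[[:space:]]/d' \
            -e 's/^([[:space:]]*SSLCipherSuite)[[:space:]].*$/\1 PROFILE=SYSTEM/' \
            -e 's/^([[:space:]]*SSLProxyCipherSuite)[[:space:]].*$/\1 PROFILE=SYSTEM/' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Constructed sample: the Satellite 6.11.3 defaults from the report, trimmed.
# Prints the path of a temporary directory laid out like /etc/httpd.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d" "$d/conf.modules.d"
    cat > "$d/conf.modules.d/ssl.conf" <<'EOF'
Listen 443 https
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLProtocol ALL -TLSv1 -TLSv1.1
EOF
    cat > "$d/conf.d/05-foreman-ssl.conf" <<'EOF'
<VirtualHost *:443>
  SSLProxyEngine On
  SSLProxyCipherSuite PROFILE=SYSTEM
</VirtualHost>
EOF
    printf '%s\n' "$d"
}

# Run the audit on the sample tree, remediate it, and audit again.
demo() {
    tree=$(make_sample_tree)
    echo "== overrides before remediation =="
    audit_httpd_crypto_policy "$tree" || echo "(none)"
    remediate_httpd_crypto_policy "$tree"
    echo "== overrides after remediation =="
    audit_httpd_crypto_policy "$tree" || echo "(none)"
    # On a real host the final step is: systemctl restart httpd.service
    rm -rf "$tree"
}

case "${1:-}" in
    --demo) demo ;;
esac
```

Run it as `sh audit-httpd-policy.sh --demo` (any file name works) to see the two offending lines in ssl.conf reported, then none after remediation. Removing SSLProtocol rather than relaxing it is deliberate: once no directive pins the protocol set, the versions allowed come from the active crypto policy, which is what lets the nmap check in Comment 6 reflect a custom policy such as a raised min_rsa_size.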

Comment 1 Bryan Kearney 2022-10-13 16:04:31 UTC
Upstream bug assigned to ekohlvan

Comment 2 Bryan Kearney 2022-10-13 16:04:33 UTC
Upstream bug assigned to ekohlvan

Comment 5 Bryan Kearney 2022-10-24 20:04:23 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/35629 has been resolved.

Comment 6 Griffin Sullivan 2023-05-15 17:15:35 UTC
Verified on stream snap 

Satellite is adhering to custom system policies.

Steps:

1) Follow documentation for customizing system wide cryptographic policies with sub-policies: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#customizing-system-wide-cryptographic-policies-with-subpolicies_using-the-system-wide-cryptographic-policies

Results:

# cat /etc/crypto-policies/state/CURRENT.pol | grep rsa_size
min_rsa_size = 3072

# nmap --script ssl-enum-ciphers localhost -p 443
Starting Nmap 7.70 ( https://nmap.org ) at 2023-05-15 12:01 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Other addresses for localhost (not scanned): ::1

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

Comment 7 Griffin Sullivan 2023-05-15 17:18:25 UTC
Not writing a new test for this BZ as it has more to do with RHEL and Insights than Satellite itself. The changes made were to have Satellite follow the system's settings for crypto policies.

Comment 10 errata-xmlrpc 2023-11-08 14:18:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.14 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6818

