Description of problem:
"Default Apache to using system ciphers" and then in the body say that both SSLCipherSuite and SSLProxyCipherSuite should default to PROFILE=system

Version-Release number of selected component (if applicable):
satellite-6.11.3

How reproducible:
Insights warning

Actual results:
conf.d/05-foreman-ssl.conf: SSLProxyEngine On
conf.modules.d/ssl.conf: SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
conf.modules.d/ssl.conf: SSLProtocol ALL -TLSv1 -TLSv1.1

Expected results:

Additional info:
We are getting an Insights warning for Satellite 6.11 + RHEL 8.

Insights security alert 'Decreased security: httpd crypto-policies overridden':

Change the options SSLProtocol, SSLCipherSuite and SSLProxyCipherSuite in the configuration in the /etc/httpd directory. Remove any SSLProtocol lines. Change the values of SSLCipherSuite or SSLProxyCipherSuite accordingly:
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
Restart the httpd service:
# systemctl restart httpd.service
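Added example, not part of the bug report or of Satellite: a small checker that applies the same logic as the Insights rule quoted above to Apache configuration text, flagging any SSLProtocol line and any SSLCipherSuite/SSLProxyCipherSuite value other than PROFILE=SYSTEM. The sample config is constructed from the directives quoted in the report; SSLProxyProtocol is included as an assumed extra directive beyond the three the Insights text names, and the scan_httpd_dir() helper and its /etc/httpd default are assumptions.

```python
"""Detect Apache directives that override RHEL system-wide crypto-policies."""
import re
from pathlib import Path

# Cipher directives must be exactly PROFILE=SYSTEM to defer to crypto-policies.
CIPHER_DIRECTIVES = {"sslciphersuite", "sslproxyciphersuite"}
# Any explicit protocol list overrides the policy (SSLProxyProtocol is an
# assumed addition to the three directives the Insights rule names).
PROTOCOL_DIRECTIVES = {"sslprotocol", "sslproxyprotocol"}


def find_overrides(config_text, source="<inline>"):
    """Return (source, line_no, directive, value, remediation) tuples."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        m = re.match(r"(\S+)\s+(.*)", line)
        if not m:
            continue  # bare tokens such as </IfModule>
        directive, value = m.group(1), m.group(2).strip()
        key = directive.lower()  # Apache directive names are case-insensitive
        if key in PROTOCOL_DIRECTIVES:
            findings.append((source, line_no, directive, value,
                             "remove the line and let crypto-policies choose protocols"))
        elif key in CIPHER_DIRECTIVES and value.upper() != "PROFILE=SYSTEM":
            findings.append((source, line_no, directive, value,
                             "set the value to PROFILE=SYSTEM"))
    return findings


def scan_httpd_dir(root="/etc/httpd"):
    """Walk every *.conf under root (assumed layout) and collect overrides."""
    findings = []
    for path in sorted(Path(root).rglob("*.conf")):
        findings.extend(find_overrides(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample mirroring the directives quoted in the bug report.
SAMPLE = """\
# conf.modules.d/ssl.conf (constructed sample)
SSLProtocol ALL -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLProxyCipherSuite PROFILE=SYSTEM
"""

if __name__ == "__main__":
    for src, n, directive, value, why in find_overrides(SAMPLE, "sample"):
        print(f"{src}:{n}: {directive} {value!r} -> {why}")
```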
Upstream bug assigned to ekohlvan
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/35629 has been resolved.
Verified on stream snap. Satellite is adhering to custom system policies.

Steps:
1) Follow documentation for customizing system-wide cryptographic policies with sub-policies: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#customizing-system-wide-cryptographic-policies-with-subpolicies_using-the-system-wide-cryptographic-policies

Results:
# cat /etc/crypto-policies/state/CURRENT.pol | grep rsa_size
min_rsa_size = 3072

# nmap --script ssl-enum-ciphers localhost -p 443
Starting Nmap 7.70 ( https://nmap.org ) at 2023-05-15 12:01 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Other addresses for localhost (not scanned): ::1

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (ecdh_x25519) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
Not writing a new test for this BZ as it has more to do with RHEL and Insights than Satellite itself. The changes made were to have Satellite follow the system's settings for crypto policies.