Bug 2176026 - [RFE] The usage of RC4 and 3DES old ciphers in qdrouterd should be discontinued and removed
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installer
Version: 6.13.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-03-07 08:10 UTC by Ganesh Payelkar
Modified: 2023-08-12 23:20 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-12 23:20:17 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Knowledge Base (Solution) 7001702 (last updated 2023-03-08 06:35:04 UTC)

Description Ganesh Payelkar 2023-03-07 08:10:14 UTC
Description of problem:

The usage of RC4 and 3DES old ciphers in qdrouterd should be discontinued and removed due to their weaknesses and known vulnerabilities that can be exploited by attackers.


Version-Release number of selected component (if applicable):
satellite-6.13.0-6
qpid-dispatch-router-1.14.0-6


How reproducible:
New installation or upgraded 


Steps to Reproduce:
1. Install 6.13 
2. Enable qdrouterd/katello-agent through 
   # satellite-installer --foreman-proxy-content-enable-katello-agent true
3. execute # nmap --script +ssl-enum-ciphers localhost -p 5646

Actual results:


Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-07 13:19 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE
5646/tcp open  vfmobile
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CCM_8 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 4096) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Key exchange (dh 2048) of lower strength than certificate key
|       Key exchange (secp256r1) of lower strength than certificate key
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds



Expected results:

The usage of RC4 and 3DES old ciphers in qdrouterd should be discontinued and removed due to their weaknesses and known vulnerabilities that can be exploited by attackers.

Additional info:

** Workaround **


Edit: To disable weak ciphers for port 5646 qdrouterd

# cat /etc/foreman-installer/custom-hiera.yaml 

foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-RC4-SHA'

Save the file.
Re-run the installer on the Red Hat Satellite.

If you have external capsules, do the same as above and re-run the installer.
  # satellite-installer

How to check the list of ciphers offered by qdrouterd?
  # nmap --script +ssl-enum-ciphers localhost -p 5646
 

  # satellite-maintain service restart

  # satellite-maintain service status -b

  # hammer ping

  # foreman-maintain health check

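As an added example (not part of the bug report or of the Satellite project), a small parser for the `nmap --script +ssl-enum-ciphers` output quoted above that flags any RC4 or 3DES suite still offered on port 5646, so the custom-hiera.yaml workaround can be checked after the installer re-run. Both scan samples are constructed: the first is an abridged excerpt of the report's own output, the second shows what a clean scan looks like.

```python
import re

# Constructed sample: an abridged excerpt of the nmap ssl-enum-ciphers output
# quoted in the bug report (one suite per line: "name (key exchange) - grade").
SAMPLE_BEFORE_FIX = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|_  least strength: C
"""

# Constructed sample of what the scan should show once the weak suites are gone.
SAMPLE_AFTER_FIX = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
"""

# One cipher line of the nmap output: "|  <name> (<kex>) - <grade>".
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
WEAK_FRAGMENTS = ("RC4", "3DES")  # the two algorithms the report asks to remove

def parse_ciphers(output):
    """Return [(suite_name, key_exchange, grade), ...] from ssl-enum-ciphers output."""
    found = []
    for line in output.splitlines():
        m = CIPHER_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found

def weak_ciphers(output, worst_allowed="B"):
    """Flag any RC4/3DES suite, plus anything nmap grades worse than worst_allowed."""
    flagged = []
    for name, _kex, grade in parse_ciphers(output):
        # Letter grades compare as strings, so "C" > "B" means a weaker suite.
        if any(f in name for f in WEAK_FRAGMENTS) or grade > worst_allowed:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for sample in (SAMPLE_BEFORE_FIX, SAMPLE_AFTER_FIX):
        print("weak suites still offered:", weak_ciphers(sample) or "none")
```

Feed it the live scan with `nmap --script +ssl-enum-ciphers localhost -p 5646 | python3 check_ciphers.py`-style piping (reading stdin instead of the constants) to confirm the list is empty after the workaround.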
Comment 1 Eric Helms 2023-08-12 23:20:17 UTC
Given katello-agent is deprecated, I do not expect us to address this RFE.

