Bug 2216445 - cdn_ssl_version Setting enforces at most TLS1.0 version
Summary: cdn_ssl_version Setting enforces at most TLS1.0 version
Status: NEW
Product: Red Hat Satellite
Classification: Red Hat
Component: Inter Satellite Sync
Version: 6.12.0
Priority: high
Severity: high
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
Reported: 2023-06-21 12:11 UTC by Pavel Moravec
Modified: 2023-07-20 21:21 UTC (History)

Links: Red Hat Issue Tracker SAT-19087 (last updated 2023-07-20 21:21:33 UTC)

Description Pavel Moravec 2023-06-21 12:11:00 UTC
Description of problem:
cdn_ssl_version allows using a lower SSL/TLS version for communication via a proxy *and* also with an upstream Satellite as an alternative to the CDN (when Network Sync ISS is used).

The setting has only two possible values: SSLv23 and TLSv1 (1.0 is meant, per my experiments). That is 1) too coarse, 2) implemented as "use *exactly* that version", since:

https://github.com/katello/katello/blob/master/app/lib/katello/resources/cdn.rb#L114

sets "use this SSL/TLS version and no other (lower or higher)" (Zhenech++ ewoud++ for pointing me here)

Since Sat (at least 6.13) requires TLS1.2 as a minimum, this setting(*) practically prohibits ISS.

(*) ... sometimes even when I re-set / remove the setting, which is strange; having Setting[:cdn_ssl_version] = nil should set net.ssl_version = nil, which should not enforce anything - but per my tests, only TLS1.0 is used..?

Let's have a more fine-tuned setting there and also allow higher values (via s/net.ssl_version/net.min_version/, ewoud++).


Version-Release number of selected component (if applicable):
A downstream Sat (any version) ISS-ing from 6.13 or higher (since 6.12 allows(?) TLS1.0)


How reproducible:
100%


Steps to Reproduce:
1. Set Administer -> Settings -> Content -> "CDN SSL version" to the highest possible version (TLSv1)
2. Set ISS from another Satellite 6.13 or higher: Content -> Subscriptions -> Manage Manifest -> CDN Configuration -> Network Sync -> provide upstream Sat details (incl. SSL debug cert)
3. Attempting to Update fails with some "tls mismatch"-like error.

Optional scenario:
- don't have the CDN SSL version set (yet)
- set up the ISS (even here it might fail! sometimes)
- try to enable a Red Hat repo - unwrapping a repository set shows no available repo, even though the upstream Satellite has synced repos from the Repository Set (the cause is that the downstream Satellite fails to contact the upstream Satellite due to TLS1.0 and silently claims "no repo to offer")


Actual results:
see above


Expected results:
ISS can be configured and allows enabling a repo even when the CDN SSL version config is set (to a reasonable value).


Additional info:

Comment 1 Pavel Moravec 2023-06-23 11:24:23 UTC
Just the tiny fix does not fully work on Sat 6.12:

2023-06-23T12:34:59 [I|app|778d47e8] Backtrace for 'Action failed' error (ArgumentError): unrecognized version "TLSv1"
 778d47e8 | /usr/share/ruby/openssl/ssl.rb:171:in `set_minmax_proto_version'
 778d47e8 | /usr/share/ruby/openssl/ssl.rb:171:in `min_version='
 778d47e8 | /usr/share/ruby/openssl/ssl.rb:141:in `block in set_params'

raised when I changed the code that way. I succeeded with (noob) code:

  # map the two Setting values onto a minimum version: SSLv23 -> no floor (0), TLSv1 -> TLS 1.0
  unless @ssl_version.nil?
    net.min_version = @ssl_version == "SSLv23" ? 0 : OpenSSL::SSL::TLS1_VERSION
  end
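To show the difference the report describes (ssl_version= pins exactly one protocol, min_version= only sets a floor) together with the ArgumentError from Comment 1, here is an added example; it is not code from Katello or from the reporter. It assumes a loopback server built from a constructed self-signed certificate that, like Satellite 6.13, requires TLS 1.2 or newer, and it disables certificate verification only because that cert is self-signed.

```ruby
require 'openssl'
require 'socket'
# Self-signed certificate for the loopback "upstream Satellite" (constructed for this demo).
def demo_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=upstream.example")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Client context from the Setting value ("SSLv23" or "TLSv1"). pin_exact: true mirrors today's
# cdn.rb (ssl_version= sets min AND max); false is the min_version= floor with Comment 1's mapping.
def client_context(setting, pin_exact:)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE   # demo only: no CA to check the self-signed cert
  if pin_exact
    ctx.ssl_version = setting                   # "TLSv1" => exactly TLS 1.0, nothing newer
  else
    ctx.min_version = setting == "SSLv23" ? 0 : OpenSSL::SSL::TLS1_VERSION
  end
  ctx
end

# Handshake over a socket pair against a server that, like Satellite 6.13, requires TLS 1.2+.
# Returns the negotiated protocol (e.g. "TLSv1.3") or :handshake_failed.
def negotiate(setting, pin_exact:)
  srv_ctx = OpenSSL::SSL::SSLContext.new
  srv_ctx.cert, srv_ctx.key = demo_cert
  srv_ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  s_raw, c_raw = Socket.pair(:UNIX, :STREAM)
  # Server side: a failed accept (rejected or hung-up peer) is the expected outcome when pinned.
  server = Thread.new { (OpenSSL::SSL::SSLSocket.new(s_raw, srv_ctx).accept rescue nil); s_raw.close }
  OpenSSL::SSL::SSLSocket.new(c_raw, client_context(setting, pin_exact: pin_exact)).connect.ssl_version
rescue OpenSSL::SSL::SSLError, SystemCallError
  :handshake_failed
ensure
  c_raw&.close
  server&.join
end
# Comment 1's first attempt: min_version= rejects the Setting's string form with ArgumentError.
def string_min_version_error(value = "TLSv1")
  OpenSSL::SSL::SSLContext.new.min_version = value
  nil                                           # value was accepted
rescue ArgumentError => e
  e.message                                     # unrecognized version "TLSv1"
end
```

Pinning "TLSv1" fails against the TLS 1.2+ server, while the same Setting applied as a floor negotiates TLS 1.2 or 1.3.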

