Bug 805966 - Condor uses 3DES in SSL connections and does not use handshaked cipher
Status: CLOSED WONTFIX
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: condor
Version: 2.1.1
Hardware: All
OS: All
Priority: low
Severity: low
Assigned To: grid-maint-list
QA Contact: MRG Quality Engineering
Blocks: 834576
Reported: 2012-03-22 11:09 EDT by Martin Kudlej
Modified: 2016-05-26 16:01 EDT

Doc Type: Bug Fix
Last Closed: 2016-05-26 16:01:58 EDT
Description Martin Kudlej 2012-03-22 11:09:18 EDT
Description of problem:

If Condor is configured to use SSL authorization, client and server negotiate a cipher for symmetric encryption during the handshake, for example TLS_RSA_WITH_AES_256_CBC_SHA, but Condor uses 3DES after the SSL handshake no matter which cipher was handshaked.

Client hello - cipher list: TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_SEED_CBC_SHA, TLS_DHE_DSS_WITH_SEED_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_SEED_CBC_SHA, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Server hello - cipher list: TLS_RSA_WITH_AES_256_CBC_SHA

Version-Release number of selected component (if applicable):
condor-7.6.5-0.12

How reproducible:
100%

Steps to Reproduce:
1. install condor
2. set configuration below
3. use your favorite packet sniffer to analyze Condor network activity
  
Actual results:
Condor uses 3DES instead of handshaked cipher.

Expected results:
Condor will use openssl (on Linux) for the SSL handshake and also for symmetric communication after the handshake. Condor will not use 3DES after the SSL handshake for SSL connections. Condor will use 3DES via the openssl library only if it is handshaked by client and server via the SSL handshake.

Additional info:
Configuration:
ALL_DEBUG=D_PRIV | D_NETWORK | D_SECURITY
ABORT_ON_EXCEPTION=true
#restrict ports for easier sniffing
IN_LOWPORT=40000
IN_HIGHPORT=41000
#client
OUT_LOWPORT=60000
OUT_HIGHPORT=61000
#disable authorization
ALLOW_READ=*
ALLOW_WRITE=*
ALLOW_ADMINISTRATOR=*
ALLOW_CONFIG=*
ALLOW_SOAP=*
ALLOW_OWNER=*
ALLOW_NEGOTIATOR=*
ALLOW_DAEMON=*
ALLOW_ADVERTISE_MASTER=*
ALLOW_ADVERTISE_STARTD=*
ALLOW_ADVERTISE_SCHEDD=*
ALLOW_CLIENT=*
#integrity clear
SEC_DEFAULT_INTEGRITY=NEVER
SEC_CLIENT_INTEGRITY=NEVER
SEC_READ_INTEGRITY=NEVER
SEC_WRITE_INTEGRITY=NEVER
SEC_ADMINISTRATOR_INTEGRITY=NEVER
SEC_CONFIG_INTEGRITY=NEVER
SEC_OWNER_INTEGRITY=NEVER
SEC_DAEMON_INTEGRITY=NEVER
SEC_NEGOTIATOR_INTEGRITY=NEVER
SEC_ADVERTISE_MASTER_INTEGRITY=NEVER
SEC_ADVERTISE_STARTD_INTEGRITY=NEVER
SEC_ADVERTISE_SCHEDD_INTEGRITY=NEVER
#encryption clear
SEC_DEFAULT_ENCRYPTION=NEVER
SEC_CLIENT_ENCRYPTION=NEVER
SEC_READ_ENCRYPTION=NEVER
SEC_WRITE_ENCRYPTION=NEVER
SEC_ADMINISTRATOR_ENCRYPTION=NEVER
SEC_CONFIG_ENCRYPTION=NEVER
SEC_OWNER_ENCRYPTION=NEVER
SEC_DAEMON_ENCRYPTION=NEVER
SEC_NEGOTIATOR_ENCRYPTION=NEVER
SEC_ADVERTISE_MASTER_ENCRYPTION=NEVER
SEC_ADVERTISE_STARTD_ENCRYPTION=NEVER
SEC_ADVERTISE_SCHEDD_ENCRYPTION=NEVER

SEC_DEFAULT_CRYPTO_METHODS=3DES
SEC_CLIENT_CRYPTO_METHODS=3DES
SEC_READ_CRYPTO_METHODS=3DES
SEC_WRITE_CRYPTO_METHODS=3DES
SEC_ADMINISTRATOR_CRYPTO_METHODS=3DES
SEC_CONFIG_CRYPTO_METHODS=3DES
SEC_OWNER_CRYPTO_METHODS=3DES
SEC_DAEMON_CRYPTO_METHODS=3DES
SEC_NEGOTIATOR_CRYPTO_METHODS=3DES
SEC_ADVERTISE_MASTER_CRYPTO_METHODS=3DES
SEC_ADVERTISE_STARTD_CRYPTO_METHODS=3DES
SEC_ADVERTISE_SCHEDD_CRYPTO_METHODS=3DES
#authentication
SEC_DEFAULT_AUTHENTICATION=REQUIRED
SEC_CLIENT_AUTHENTICATION=REQUIRED
SEC_READ_AUTHENTICATION=REQUIRED
SEC_WRITE_AUTHENTICATION=REQUIRED
SEC_ADMINISTRATOR_AUTHENTICATION=REQUIRED
SEC_CONFIG_AUTHENTICATION=REQUIRED
SEC_OWNER_AUTHENTICATION=REQUIRED
SEC_DAEMON_AUTHENTICATION=REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION=REQUIRED
SEC_ADVERTISE_MASTER_AUTHENTICATION=REQUIRED
SEC_ADVERTISE_STARTD_AUTHENTICATION=REQUIRED
SEC_ADVERTISE_SCHEDD_AUTHENTICATION=REQUIRED

#auth method
SEC_DEFAULT_AUTHENTICATION_METHODS=SSL
SEC_CLIENT_AUTHENTICATION_METHODS=SSL
SEC_READ_AUTHENTICATION_METHODS=SSL
SEC_WRITE_AUTHENTICATION_METHODS=SSL
SEC_ADMINISTRATOR_AUTHENTICATION_METHODS=SSL
SEC_CONFIG_AUTHENTICATION_METHODS=SSL
SEC_OWNER_AUTHENTICATION_METHODS=SSL
SEC_DAEMON_AUTHENTICATION_METHODS=SSL
SEC_NEGOTIATOR_AUTHENTICATION_METHODS=SSL
SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS=SSL
SEC_ADVERTISE_STARTD_AUTHENTICATION_METHODS=SSL
SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS=SSL

#ssl
AUTH_SSL_SERVER_CAFILE=/root/certs/ca.crt
AUTH_SSL_CLIENT_CAFILE=/root/certs/ca.crt
AUTH_SSL_SERVER_CADIR=/root/certs/
AUTH_SSL_CLIENT_CADIR=/root/certs/
AUTH_SSL_CLIENT_CERTFILE=/root/certs/client.crt
AUTH_SSL_SERVER_CERTFILE=/root/certs/server.crt
AUTH_SSL_CLIENT_KEYFILE=/root/certs/client.key
AUTH_SSL_SERVER_KEYFILE=/root/certs/server.key
Comment 1 Timothy St. Clair 2012-03-28 12:59:12 EDT
Response from upstream: 

zmiller: 
to be clear, this was the intended behavior.  SSL is used for
authentication only.  

(fyi, condor can also use blowfish.  but no ciphers other than 3DES and
 blowfish are supported at this point.  i believe this is documented as such
 in the SEC_DEFAULT_ENCRYPTION_METHODS section.  also, ian alderman added
 support for some additional features which sadly never got merged to the
 master branch.  perhaps it's time to revisit that)

tannenba: 

FWIW, the reasoning/justification for this approach is described in this 
research paper:

http://research.cs.wisc.edu/condor/doc/flexible_sessions.pdf

-------------------------------------------------------
It looks like this is not a bug at all... I'm going to mark as needinfo to allow a response.
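The practical consequence of the description and of comment 1 is that the TLS suite seen in the sniffed ServerHello says nothing about how a Condor session is protected: SSL only authenticates, and session encryption is governed by the SEC_*_ENCRYPTION, SEC_*_INTEGRITY and SEC_*_CRYPTO_METHODS knobs. The script below is an added example, not Condor's code and not part of this bug report. It parses a Condor-style config, resolves the effective setting per access level, and reports, next to the TLS bulk cipher from the handshake, what Condor will actually use. It assumes Condor's documented precedence (SEC_<LEVEL>_<SETTING> overrides SEC_DEFAULT_<SETTING>), that an unset ENCRYPTION or INTEGRITY knob means OPTIONAL, and uses a constructed sample config taken from the report's settings with one DAEMON override added to exercise the precedence rule.

```python
"""Audit Condor security knobs and contrast them with the TLS handshake.

Added example, not Condor's own code. Assumptions: Condor's documented
precedence (SEC_<LEVEL>_<SETTING> overrides SEC_DEFAULT_<SETTING>) and
that an unset ENCRYPTION/INTEGRITY knob means OPTIONAL.
"""
import re

ACCESS_LEVELS = ["CLIENT", "READ", "WRITE", "ADMINISTRATOR", "CONFIG", "OWNER",
                 "DAEMON", "NEGOTIATOR", "ADVERTISE_MASTER",
                 "ADVERTISE_STARTD", "ADVERTISE_SCHEDD"]

# The only session ciphers Condor offered at the time (comment 1). Both are
# legacy 64-bit-block ciphers, so a config that allows nothing else is flagged.
LEGACY_SESSION_CIPHERS = {"3DES", "BLOWFISH"}

# Constructed sample: the report's settings reduced to the SEC_DEFAULT_* knobs,
# plus one DAEMON override so the precedence rule is exercised.
SAMPLE_CONFIG = """
#encryption clear
SEC_DEFAULT_ENCRYPTION=NEVER
SEC_DEFAULT_INTEGRITY=NEVER
SEC_DEFAULT_CRYPTO_METHODS=3DES
SEC_DEFAULT_AUTHENTICATION=REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS=SSL
SEC_DAEMON_ENCRYPTION=REQUIRED
SEC_DAEMON_INTEGRITY=REQUIRED
"""


def parse_config(text):
    """Parse KEY=VALUE lines; '#' starts a comment. Condor keys are
    case-insensitive, so they are normalised to upper case."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip().upper()] = value.strip()
    return cfg


def effective(cfg, level, setting, default=None):
    """Level-specific knob wins over SEC_DEFAULT_*, then the supplied default."""
    return cfg.get(f"SEC_{level}_{setting}",
                   cfg.get(f"SEC_DEFAULT_{setting}", default))


def crypto_methods(cfg, level):
    """Comma-separated CRYPTO_METHODS list for a level, upper-cased."""
    raw = effective(cfg, level, "CRYPTO_METHODS", "")
    return [m.strip().upper() for m in raw.split(",") if m.strip()]


def audit(cfg):
    """Return {level: [findings]}; an empty list means nothing to flag.
    SSL only authenticates here (comment 1), so session protection depends
    entirely on ENCRYPTION/INTEGRITY and CRYPTO_METHODS."""
    report = {}
    for level in ACCESS_LEVELS:
        findings = []
        if effective(cfg, level, "ENCRYPTION", "OPTIONAL").upper() == "NEVER":
            findings.append("session encryption disabled")
        if effective(cfg, level, "INTEGRITY", "OPTIONAL").upper() == "NEVER":
            findings.append("session integrity disabled")
        methods = crypto_methods(cfg, level)
        if methods and all(m in LEGACY_SESSION_CIPHERS for m in methods):
            findings.append("only legacy session ciphers allowed: " + ",".join(methods))
        report[level] = findings
    return report


# Suite names as they appear in the sniffed ClientHello/ServerHello above.
SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z_]+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$")


def parse_suite(name):
    """Split a TLS suite name into key exchange, bulk cipher and MAC;
    None for signalling values such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV."""
    m = SUITE_RE.match(name)
    return m.groupdict() if m else None


def tls_vs_session(cfg, level, negotiated_suite):
    """What the handshake negotiated versus what Condor will use for the
    session: the two are independent in the design described above."""
    suite = parse_suite(negotiated_suite)
    return {
        "tls_bulk_cipher": suite["cipher"] if suite else None,
        "condor_session_ciphers": crypto_methods(cfg, level),
        "encryption": effective(cfg, level, "ENCRYPTION", "OPTIONAL").upper(),
    }


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for level, findings in audit(cfg).items():
        print(f"{level:18} {'; '.join(findings) or 'ok'}")
    # ServerHello from the report picked AES-256; the session still uses 3DES.
    print(tls_vs_session(cfg, "READ", "TLS_RSA_WITH_AES_256_CBC_SHA"))
```

Running it against the sample config flags every level except DAEMON as having session encryption and integrity disabled, and all levels as limited to 3DES; the final line shows `tls_bulk_cipher` AES_256_CBC beside `condor_session_ciphers` ['3DES'], which is exactly the mismatch the packet capture in the report exposed.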
