Bug #17078

smart_proxy_dynflow_core weak cipher

Added by Ivan Necas 7 months ago. Updated 6 months ago.

Status:Closed
Priority:Normal
Assigned To:Adam Ruzicka
Category:Smart Proxy Dynflow
Target version:Foreman - Team Ivan Iteration 6
Difficulty:
Pull request:https://github.com/theforeman/smart_proxy_dynflow/pull/27
Bugzilla link:1388198
Story points-
Velocity based estimate-

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1388198
Description of problem:Security scan detected a weak cipher within smart_proxy_dynflow_core service (port 8008)

Version-Release number of selected component (if applicable): 0.1.3-1.el7

How reproducible:
ALWAYS

Steps to Reproduce:
1. systemctl start smart_proxy_dynflow_core.service
2. nmap --script +ssl-enum-ciphers localhost -p 8008

Actual results:
  1. nmap --script +ssl-enum-ciphers localhost -p 8008

Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-24 13:44 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (2000s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
8008/tcp open  http
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: weak

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds

Expected results: |_ least strength: strong

Additional info:
Would be nice to control both the protocols and ciphers that are used.

We should take the proxy settings as a default of disabled ciphers
https://github.com/theforeman/puppet-foreman_proxy/blob/91e5105c78a7b18e363784729fbc45dc5ff735a0/manifests/init.pp#L70
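As an added example (not part of this ticket or of the smart_proxy_dynflow code), the Ruby below parses ssl-enum-ciphers output like the scan above, lists the suites nmap rated below strong, and shows what the least-strength line would become once a configured list of disabled suites is no longer offered. The sample scan is constructed and trimmed; the disabled list passed in is an assumption.

```ruby
# Constructed sample of `nmap --script +ssl-enum-ciphers` output, trimmed to a few suites
SAMPLE_SCAN = <<~NMAP
  PORT     STATE SERVICE
  8008/tcp open  http
  | ssl-enum-ciphers:
  |   TLSv1.1:
  |     ciphers:
  |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
  |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
  |   TLSv1.2:
  |     ciphers:
  |       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
  |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
  |_  least strength: weak
NMAP

# nmap's ratings from best to worst; an unrecognised rating is treated as worst.
RATING_ORDER = %w[strong weak broken].freeze

# Parse the script block into { "TLSv1.1" => { "TLS_..." => "strong", ... }, ... }
def parse_enum_ciphers(text)
  scan = {}
  version = nil
  text.each_line do |line|
    body = line.sub(/\A\|_?\s*/, '').rstrip # drop the "|" / "|_" gutter
    if (m = body.match(/\A(SSLv3|TLSv1(?:\.\d)?):\z/))
      version = m[1]
      scan[version] = {}
    elsif version && (m = body.match(/\A(TLS_\w+) - (\w+)\z/))
      scan[version][m[1]] = m[2]
    end
  end
  scan
end

# Suites rated below "strong", keyed by protocol version.
def weak_suites(scan)
  scan.each_with_object({}) do |(version, suites), acc|
    bad = suites.reject { |_, rating| rating == 'strong' }.keys
    acc[version] = bad unless bad.empty?
  end
end

# Worst rating left once the suites in `disabled` (the list the fix makes
# configurable) are no longer offered; nil if nothing remains.
def least_strength(scan, disabled = [])
  ratings = scan.values.flat_map { |s| s.reject { |name, _| disabled.include?(name) }.values }
  return nil if ratings.empty?
  ratings.max_by { |r| RATING_ORDER.index(r) || RATING_ORDER.size }
end
```

Note that nmap 6.40 still rated the RC4 and 3DES suites as strong, so the ticket's expected result keys on the scanner's own least-strength line; newer nmap releases grade suites differently.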

Associated revisions

Revision 13f7dfe1
Added by Adam Ruzicka 6 months ago

Fixes #17078 - Allow disabling certain ciphers

History

#1 Updated by Ivan Necas 7 months ago

  • Subject changed from smart_proxy_dynflow_core weak cipher to smart_proxy_dynflow_core weak cipher
  • Target version set to Team Ivan Iteration 5

#2 Updated by Adam Ruzicka 7 months ago

  • Project changed from foreman-tasks to Foreman Remote Execution
  • Category set to Smart Proxy Dynflow
  • Status changed from New to Ready For Testing
  • Assigned To set to Adam Ruzicka
  • Pull request https://github.com/theforeman/smart_proxy_dynflow/pull/27 added

Changing the project to make theforeman-bot happy

#3 Updated by Ivan Necas 6 months ago

  • Status changed from Ready For Testing to Closed

#4 Updated by Ivan Necas 6 months ago

  • Target version changed from Team Ivan Iteration 5 to Team Ivan Iteration 6
