Bug #14719
closedAllow TLSv1 for compatibility with some clients.
Description
After updating and testing foreman 1.11, our custom php scripts that talk to the foreman proxy through the REST API no longer work. After some debugging and looking at the php documentation, the problem is that TLSv1 is not allowed. According to some user comments in the php documentation:
http://php.net/manual/en/function.curl-setopt.php#115993
Setting php to use TLSv1 or above will only work if you have curl 7.34 or newer. Note, RHEL6 comes with curl 7.19 and RHEL7 comes with curl 7.29. To maintain compatibility with still supported RHEL versions and allow custom 3rd party scripts written in php to connect to the foreman-proxy REST API, need to allow TLSv1 also:
Updated by Jason Smith over 8 years ago
- Related to Bug #14387: SSLv3 remains enabled on Ruby 1.8.7 added
Updated by The Foreman Bot over 8 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/408 added
Updated by Daniel Gagnon about 8 years ago
Having a similar issue communicating between foreman and a smart-proxy after an upgrade to 1.12 and debian8.
Foreman:
- debian 8 ( upgraded from 7 )
- OpenSSL 1.1.0-pre6-dev xx XXX xxxx ( had to install custom version due to http://openssl.6102.n7.nabble.com/openssl-1-0-2h-Parsing-really-large-CRLs-fails-side-effect-of-change-in-x-name-c-tc65870.html#none )
- ruby 2.1.5p273 (2014-11-13) [x86_64-linux-gnu]
- foreman 1.12
Proxy:
- centos CentOS release 5.11 (Final)
- OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
- ruby 2.1.8p440 (2015-12-16 revision 53160) [x86_64-linux]
- smart proxy from git 1.12
Actual error in proxy log:
E, [2016-07-14T16:30:28.274669 #16809] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv2/v3 read client hello A: unknown protocol
Error from foreman:
From foreman: Error: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([Errno::ECONNRESET]: Connection reset by peer - SSL_connect) for proxy https://pxesetup.clients.netelligent.ca:8443/features and Please check the proxy is configured and running on the host.
The fix I have found, ont he proxy:
in lib/launcher.rb
ssl_options |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2) ssl_options |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3) ssl_options |= OpenSSL::SSL::OP_NO_TLSv1 if defined?(OpenSSL::SSL::OP_NO_TLSv1)
becomes:
#ssl_options |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2) #ssl_options |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3) #ssl_options |= OpenSSL::SSL::OP_NO_TLSv1 if defined?(OpenSSL::SSL::OP_NO_TLSv1)
I believe this indicates that foreman itself is trying to establish a connection with an older protocol.
Updated by Daniel Gagnon about 8 years ago
I believe this indicates that foreman itself is trying to establish a connection with an older protocol.
correction. new guess is that openssl on centos 5 does not support anything above tls1, so that disabling v2, v3 and tls1 effectivly disables all available protocol.
Updated by Brandon Weeks about 8 years ago
That would be my guess as to what is happening CentOS 5 was not tested as part of this change and even early versions of CentOS 6 don't support TLS 1.2 completely.
Updated by Ewoud Kohl van Wijngaarden over 6 years ago
- Status changed from Ready For Testing to Rejected
The PR was closed and I don't think we should be allowing TLSv1 in this day and age. Clients should use current protocols.