Actions
Feature #31385
closedTracker #31386: Default to TLS 1.2+
Disable weak ciphers in qpid-router
Status:
Closed
Priority:
Normal
Assignee:
Category:
Foreman modules
Target version:
-
Difficulty:
Triaged:
No
Description
$ nmap --script +ssl-enum-ciphers -p 5646,5647 centos7.wisse.example.com Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-24 17:44 CET Nmap scan report for centos7.wisse.example.com (192.168.122.167) Host is up (0.00018s latency). PORT STATE SERVICE 5646/tcp open vfmobile | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_IDEA_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - C | TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - C | TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | 64-bit block cipher IDEA vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 | Ciphersuite uses MD5 for message integrity | Key exchange (dh 2048) of lower strength than certificate key | TLSv1.1: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_IDEA_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - C | TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - C | TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | 64-bit block cipher IDEA vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 | Ciphersuite uses MD5 for message integrity | Key exchange (dh 2048) of lower strength than certificate key | TLSv1.2: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_IDEA_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - C | TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - C | TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | 64-bit block cipher IDEA vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 | Ciphersuite uses MD5 for message integrity | Key exchange (dh 2048) of lower strength than certificate key |_ least strength: C 5647/tcp open unknown | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_IDEA_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - C | TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - C | TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | 64-bit block cipher IDEA vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 | Ciphersuite uses MD5 for message integrity | Key exchange (dh 2048) of lower strength than certificate key | TLSv1.1: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_IDEA_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - C | TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - C | TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | 64-bit block cipher IDEA vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 | Ciphersuite uses MD5 for message integrity | Key exchange (dh 2048) of lower strength than certificate key | TLSv1.2: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_IDEA_CBC_SHA (rsa 4096) - A | TLS_RSA_WITH_RC4_128_MD5 (rsa 4096) - C | TLS_RSA_WITH_RC4_128_SHA (rsa 4096) - C | TLS_RSA_WITH_SEED_CBC_SHA (rsa 4096) - A | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | 64-bit block cipher IDEA vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 | Ciphersuite uses MD5 for message integrity | Key exchange (dh 2048) of lower strength than certificate key |_ least strength: C Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds
My proposal is to set the ciphers to a strong set. This may break older clients, but those platforms are typically EOL.
Updated by Ewoud Kohl van Wijngaarden almost 4 years ago
- Parent task set to #31386
Updated by The Foreman Bot almost 4 years ago
- Status changed from New to Ready For Testing
- Assignee set to Ewoud Kohl van Wijngaarden
- Pull request https://github.com/theforeman/puppet-foreman_proxy_content/pull/301 added
Updated by Ewoud Kohl van Wijngaarden almost 4 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset puppet-foreman_proxy_content|68cf32415dccb5d37486d6c4f8d2f1d3fe12365f.
Updated by The Foreman Bot almost 4 years ago
- Pull request https://github.com/theforeman/foreman-installer/pull/633 added
Actions