
Feature #31387

Tracker #31386: Default to TLS 1.2+

Disable TLS 1.0 and 1.1 by default in Apache

Added by Ewoud Kohl van Wijngaarden 11 months ago. Updated 7 months ago.

Status: Closed
Priority: Normal
Category: foreman-installer script
Target version:
Difficulty:
Triaged: Yes
Bugzilla link:

Description

Clients needing these old versions are going EOL. The ecosystem is ready for TLS 1.2+ by default. This makes it easier for organizations to comply with PCI-DSS and similar stricter policies.

For those that still need older versions, it will be possible to override this via custom-hiera.yaml.

Associated revisions

Revision 06533f71 (diff)
Added by Ewoud Kohl van Wijngaarden 10 months ago

Fixes #31387 - Drop TLS 1.0 and TLS 1.1 from Apache

This tightens the defaults on Apache to only accept TLS 1.2+. The
platforms that required this are going EOL and this makes it easier to
comply with PCI-DSS and similar stricter policies.

History

#1 Updated by The Foreman Bot 11 months ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-installer/pull/619 added

#2 Updated by Besmir Zanaj 10 months ago

  • Found in Releases 1.24.3 added

Having the same issue, and the system does not pass the PCI audit.

What would be the easiest/safest way to disable other than manually changing apache settings?

[root@HOST ~]# nmap --script ssl-enum-ciphers -p 443 foreman.domain.com

Starting Nmap 6.40 ( http://nmap.org ) at 2020-12-12 23:28 GMT
Nmap scan report for foreman.domain.com (x.x.x.x)
Host is up (0.0011s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

#3 Updated by Ewoud Kohl van Wijngaarden 10 months ago

  • Target version set to 2.4.0

First of all, update to a supported version. Currently that's 2.2 and 2.3. Version 2.0 or 2.1 (I forgot exactly which one) fixes TLS 1.2+ by default for Foreman Proxy. Then you can also add the line from the patch to /etc/foreman-installer/custom-hiera.yaml and rerun the installer.
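
A verification step for after the installer has been rerun, added here as example code that is not part of the Foreman project: it parses the nmap ssl-enum-ciphers output format shown in comment #2 (constructed, abbreviated samples are embedded inline) and reports any protocol version below TLS 1.2 that the server still negotiates.

```python
import re
# Constructed, abbreviated sample in the nmap ssl-enum-ciphers format from
# comment #2: the protocol headers and one cipher per version are enough.
SAMPLE_BEFORE = """\
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|_  least strength: strong
"""
# Constructed: the same scan once TLS 1.0 and 1.1 are disabled in Apache.
SAMPLE_AFTER = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|_  least strength: strong
"""
LEGACY = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # below the PCI-DSS floor
PROTO_RE = re.compile(r"^\|\s{3}(SSLv\d|TLSv\d\.\d):\s*(.*)$")
CIPHER_RE = re.compile(r"^\|\s{7}(TLS_[A-Z0-9_]+)\s+-\s+\w+")

def parse_enum_ciphers(text):
    """Map each negotiable protocol version to the cipher names nmap listed."""
    offered, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto, rest = m.groups()
            # "No supported ciphers found" means that version is not negotiable.
            current = None if "No supported ciphers" in rest else proto
            if current:
                offered.setdefault(current, [])
        elif current and (m := CIPHER_RE.match(line)):
            offered[current].append(m.group(1))
    return offered

def legacy_protocols(text):
    """Protocol versions below TLS 1.2 the server still accepts, sorted."""
    return sorted(p for p in parse_enum_ciphers(text) if p in LEGACY)

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, legacy_protocols(text) or "TLS 1.2+ only")
```

Feed it the real scan output (the `| ssl-enum-ciphers:` block) and an empty result means the Apache change took effect.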

#4 Updated by The Foreman Bot 10 months ago

  • Fixed in Releases 2.4.0 added

#5 Updated by Ewoud Kohl van Wijngaarden 10 months ago

  • Status changed from Ready For Testing to Closed

#6 Updated by Ewoud Kohl van Wijngaarden 7 months ago

  • Triaged changed from No to Yes
  • Category changed from Foreman modules to foreman-installer script
