Bug #36979 (closed)
cdn_ssl_version Setting enforces at most TLS1.0 version
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=2216445
Description of problem:
The cdn_ssl_version setting allows a lower SSL/TLS version to be used for communication via a proxy, and also with an upstream Katello used as an alternative to the CDN (when Network Sync ISS is used).
The setting has only two possible values: SSLv23 and TLSv1 (1.0 is meant, per my experiments). That is 1) too coarse, and 2) implemented as "use exactly that version", since:
https://github.com/katello/katello/blob/master/app/lib/katello/resources/cdn.rb#L114
sets "use this SSL/TLS version and no other (lower or higher)" (Zhenech++ ewoud++ for pointing me here)
Since Katello (at least 4.7) requires TLS1.2 as a minimum, this setting(*) practically prohibits ISS.
(*) .. sometimes even when I reset / remove the setting, which is strange, as having Setting[:cdn_ssl_version] = nil should set net.ssl_version = nil, which should not enforce anything - but per my tests, only TLS1.0 is used..?
Let's have a more fine-grained setting there and also allow higher values (via s/net.ssl_version/net.min_version/, ewoud++).
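As an added illustration (not Katello's code), the Ruby script below starts a local TLS 1.2-only server with a constructed self-signed certificate and connects twice: once with ssl_version = :TLSv1, which pins the client to exactly TLS 1.0 like the line in cdn.rb, and once with min_version = TLS1_VERSION, which only sets a floor. Net::HTTP exposes the same two setters (ssl_version= and min_version=) on top of these OpenSSL::SSL::SSLContext calls; the hostnames, port and certificate are test fixtures.

```ruby
require "openssl"
require "socket"
# Constructed self-signed certificate for the local test server (not a real CA cert).
def self_signed_cert(key)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Listen on a random localhost port and, like Katello >= 4.7, accept only TLS 1.2 or newer.
def start_tls12_server
  key = OpenSSL::PKey::RSA.new(2048)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = self_signed_cert(key)
  ctx.key = key
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  tcp = TCPServer.new("127.0.0.1", 0)
  ssl_server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      ssl_server.accept.close        # the TLS handshake happens inside accept
    rescue StandardError
      # expected when the pinned client cannot negotiate a version
    end
  end
  tcp.addr[1]
end

# Configure a client context via the block, handshake, and report the outcome.
def connect(port)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE   # self-signed test cert
  yield ctx
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  sock.sync_close = true                        # closing the SSL socket closes the TCP socket too
  sock.connect
  sock.ssl_version                              # negotiated version, e.g. "TLSv1.3"
rescue OpenSSL::SSL::SSLError
  "handshake failed"
ensure
  sock&.close
end
PORT = start_tls12_server
PINNED = connect(PORT) { |c| c.ssl_version = :TLSv1 }                     # min = max = TLS 1.0, as cdn.rb does
MINIMUM = connect(PORT) { |c| c.min_version = OpenSSL::SSL::TLS1_VERSION } # floor only: TLS 1.2/1.3 still offered
```

PINNED ends up as "handshake failed" while MINIMUM is the negotiated "TLSv1.2" or "TLSv1.3", which is exactly the difference between the current setting and the proposed net.min_version behaviour.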
Version-Release number of selected component (if applicable):
Katello (any version) ISS-ing from 4.7 or higher (since 4.5 allows(?) TLS1.0)
How reproducible:
100%
Steps to Reproduce:
1. Set Administer -> Settings -> Content -> "CDN SSL version" to the highest possible version (TLSv1)
2. Set ISS from another Katello 4.7 or higher: Content -> Subscriptions -> Manage Manifest -> CDN Configuration -> Network Sync -> provide upstream Katello details (incl. SSL debug cert)
3. Attempting to Update fails with a "tls mismatch"-like error.
Optional scenario:
- don't have the CDN SSL version set (yet)
- set up the ISS (even this step might sometimes fail!)
- try to enable a Red Hat repo - unwrapping a repository set shows no available repo, despite the upstream Katello having synced repos from that Repository Set (the cause is that the downstream Satellite fails to contact the upstream Satellite due to TLS1.0 and silently claims "no repo to offer")
Actual results:
see above
Expected results:
ISS can be configured and allows enabling a repo even when the CDN SSL version setting is set (to a reasonable value).
Additional info: