#4653 POODLE: force using safe ciphers (non-SSLv3) in IPA client and server
Closed: Fixed. Opened 9 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1154687

Description of problem: When the IPA servers in an infrastructure are
configured to require TLS 1.1 or higher in httpd, the 'ipa' command-line tool
fails.


Version-Release number of selected component (if applicable): RHEL 6.5


How reproducible: Always


Steps to Reproduce:
1. Install IPA
2. Run "ipa user-show admin" to confirm functionality
3. Edit /etc/httpd/conf.d/nss.conf to require TLS 1.1 or 1.2 only
4. attempt "ipa user-show admin" or any other ipa subcommand.

Actual results: The ipa command fails to contact the servers


Expected results: The ipa command operates normally


Additional info: A testbed reproducer is being built in Amazon EC2. I'm happy
to clone the testbed and share AMI with anyone working on the bug.

This ticket should cover any other client/server part fixes for preventing POODLE attack.

With python-nss-0.16 this can be addressed with one line of code in ipapython/nsslib.py:

self.sock.set_ssl_version_range(ssl.SSL_LIBRARY_VERSION_TLS_1_1, ssl.SSL_LIBRARY_VERSION_TLS_1_2)

I'd recommend extending handshake_callback() as well to print a lot more information that is now available due to the addition of get_ssl_channel_info() and get_cipher_suite_info(). We can print the version of SSL/TLS in the connection along with the cipher, plus a bunch of other interesting bits if desired.

I'd also recommend adding a new variable to constants.py that defines the protocols to enable, defaulting to tls1.1,tls1.2.

Note that the call to set the protocols sets a range, min to max, with no holes. So you can't for example enable tls1.0 and tls1.2 w/o also enabling tls1.1.

I don't think this option needs to be added to default.conf for now but it would allow a user to override it if desired.
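The "range with no holes" constraint above is easy to get wrong when the protocol list comes from a config string. The following is an added example, not FreeIPA's own code, of turning a comma-separated list in the proposed constants.py style into the contiguous (min, max) pair that python-nss's set_ssl_version_range() takes; the numeric codes are the SSL_LIBRARY_VERSION_* values from NSS's sslproto.h, and the socket passed to apply_protocol_range() is assumed to expose that method as python-nss 0.16 does.

```python
# Added example (not FreeIPA code): convert a comma-separated protocol list,
# in the style proposed for constants.py ("tls1.1,tls1.2"), into the
# contiguous (min, max) range that python-nss's set_ssl_version_range()
# expects. Codes are the SSL_LIBRARY_VERSION_* values from NSS's sslproto.h.
ORDERED_PROTOCOLS = ("ssl3", "tls1.0", "tls1.1", "tls1.2")
NSS_VERSION_CODE = {"ssl3": 0x0300, "tls1.0": 0x0301,
                    "tls1.1": 0x0302, "tls1.2": 0x0303}
DEFAULT_PROTOCOLS = "tls1.1,tls1.2"  # the default recommended in the ticket


def protocol_range(enabled=DEFAULT_PROTOCOLS):
    """Return (min_code, max_code) for an NSS version range.

    NSS sets a range with no holes, so 'tls1.0,tls1.2' is rejected rather
    than silently enabling tls1.1, and ssl3 is refused outright (POODLE).
    """
    names = [n.strip().lower() for n in enabled.split(",") if n.strip()]
    if not names:
        raise ValueError("no TLS protocols enabled")
    unknown = sorted(set(names) - set(ORDERED_PROTOCOLS))
    if unknown:
        raise ValueError("unknown protocol(s): %s" % ", ".join(unknown))
    positions = sorted({ORDERED_PROTOCOLS.index(n) for n in names})
    if positions != list(range(positions[0], positions[-1] + 1)):
        raise ValueError("NSS protocol range must be contiguous, got %r"
                         % enabled)
    if ORDERED_PROTOCOLS[positions[0]] == "ssl3":
        raise ValueError("SSLv3 is vulnerable to POODLE and is not allowed")
    return (NSS_VERSION_CODE[ORDERED_PROTOCOLS[positions[0]]],
            NSS_VERSION_CODE[ORDERED_PROTOCOLS[positions[-1]]])


def apply_protocol_range(sock, enabled=DEFAULT_PROTOCOLS):
    """Apply the range to an nss.ssl.SSLSocket (assumed to expose
    set_ssl_version_range, as python-nss 0.16 does) and return it."""
    lo, hi = protocol_range(enabled)
    sock.set_ssl_version_range(lo, hi)
    return lo, hi
```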

master:

  • 5c0ad22 Use NSS protocol range API to set available TLS protocols

ipa-4-1:

  • 8ef1914 Use NSS protocol range API to set available TLS protocols

mod_nss is now also configured on upgrade (just once so that it can be overridden by admin)

master:

  • bef1d18 Add TLS 1.2 to the protocol list in mod_nss config

ipa-4-1:

  • dc443cc Add TLS 1.2 to the protocol list in mod_nss config

Jan - just checking, all we are waiting for at the moment is Requires on next 389-ds-base 1.3.3.6, right?

Bump 389-ds-base and pki-ca dependencies for POODLE fixes

master:

  • c438d9b Bump 389-ds-base and pki-ca dependencies for POODLE fixes

ipa-4-1:

  • caf70a1 Bump 389-ds-base and pki-ca dependencies for POODLE fixes

Metadata Update from @mkosek:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 4.1.3

7 years ago
