#47929 Admin Server: Disable SSL v3, by default.
Closed: Fixed None Opened 5 years ago by nhosoi.

On the new installation of the admin server, SSL v3 should be disabled by default, and provide the safe cipher suites.


Disabling SSLv3, and only allowing TLS1.1, break console logins, so this needs to be addressed as well.

{{{
Console -D 9

CommManager> New CommRecord (https://localhost:9830/admin-serv/authenticate)
CREATE JSS SSLSocket
Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
(-12190) Peer reports incompatible or unsupported protocol version.
at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
at com.netscape.management.client.comm.CommManager.send(Unknown Source)
at com.netscape.management.client.comm.CommManager.send(Unknown Source)
at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
at

com.netscape.management.client.console.Console.invoke_task(Unknown Source)
at
com.netscape.management.client.console.Console.authenticate_user(Unknown
Source)
at com.netscape.management.client.console.Console.<init>(Unknown Source)
at com.netscape.management.client.console.Console.main(Unknown Source)

Admin Server error log:

SSL Library Error: -12286 No common encryption algorithm(s) with client
}}}

Admin Server patch - ensures SSL version range is properly initialized
0001-Ticket-47929-Admin-Server-disable-SSLv3-by-default.patch

adminutil patch - set the SSL min and max versions in adm.conf
0001-Ticket-47929-Adminutil-do-not-use-SSL3-by-default.patch

Looks good. 2 minor questions...
1) 0001-Ticket-47929-Adminutil-do-not-use-SSL3-by-default.patch
The default max version is tls1.2. I'm sure it is safe to assume for us.
For instance, if some other OS like CentOS which may not have the old NSS
that does not support TLS1.2, what happens? Is it ignored?
{{{
1568 admldapGetSSLMax(AdmldapInfo info)
1573 if(!version){
1574 return SSL_LIBRARY_VERSION_TLS_1_2;
}}}
2) 0001-Ticket-47929-Admin-Server-disable-SSLv3-by-default.patch
NSS_IsInitialized was replaced with NSS_inited. The former is an NSS API.
The latter is a variable in mod_admserv. Instead of replacing, can we
check both? Maybe a too paranoiac thought, but could there be some odd
state that NSS library thinks it's not initialized although NSS_inited is on?
{{{
782 if (!NSS_IsInitialized()) {
791 if(!NSS_inited){
}}}

Add tls 1.1/2 support, and allow min/max ssl version to be set in pref file
0001-Ticket-47929-Console-add-tls1.1-support.patch

Replying to [comment:4 nhosoi]:

Looks good. 2 minor questions...
1) 0001-Ticket-47929-Adminutil-do-not-use-SSL3-by-default.patch
The default max version is tls1.2. I'm sure it is safe to assume for us.
For instance, if some other OS like CentOS which may not have the old NSS
that does not support TLS1.2, what happens? Is it ignored?
{{{
1568 admldapGetSSLMax(AdmldapInfo info)
1573 if(!version){
1574 return SSL_LIBRARY_VERSION_TLS_1_2;
}}}

It will use whatever is supported. So 1.2 "should" be ignored in your case, but we can set the max to 1.1 if you think that would be safer.

2) 0001-Ticket-47929-Admin-Server-disable-SSLv3-by-default.patch
NSS_IsInitialized was replaced with NSS_inited. The former is an NSS API.
The latter is a variable in mod_admserv. Instead of replacing, can we
check both? Maybe a too paranoiac thought, but could there be some odd
state that NSS library thinks it's not initialized although NSS_inited is on?
{{{
782 if (!NSS_IsInitialized()) {
791 if(!NSS_inited){
}}}

NSS_IsInitialized is always true, because mod_nss initializes it before the admin server starts. So we need to keep track of this ourselves when setting the SSL version range.

Thanks, Mark!
1.

It will use whatever is supported. So 1.2 "should" be ignored in your case.
If the Admin Server starts even if TLS1.2 is not supported by NSS, I like setting 1.2 better. So, please keep the value.
2.
NSS_IsInitialized is always true.
Then, never mind. Thanks for the confirmation.

To ssh://git.fedorahosted.org/git/idm-console-framework.git
ed9240e..1464149 master -> master
commit 14641492a43ef5025d66c4b900fb1b02ef0f53d4
Author: Mark Reynolds mreynolds@redhat.com
Date: Wed Oct 29 14:33:00 2014 -0400

To ssh://git.fedorahosted.org/git/389/admin.git
5af4170..dbf1a2e master -> master
commit dbf1a2e74952e0a36d15b674293fc3071eaf16a7

To ssh://git.fedorahosted.org/git/389/adminutil.git
83f800d..4896a04 master -> master
commit 4896a04a1d510116afc346bff2c0c3e67a0348d8

reopening - we need to future-proof ourselves - note that TLS 1.3 is already in the pipeline, and we do not want to have to edit this code again to support that. Noriko is working on a method for 389-ds-base that will be much more future-proof - we should use that code in adminutil and admin server. Not sure how applicable it is for Java, but we should investigate using a similar method for Java.

Yep - we should do something similar for the Java code.
{{{
+ private int getSSLVersionRangeEnum (String rangeString) {
+ if (rangeString == null)
+ return -1;
+ if (rangeString.equalsIgnoreCase("ssl3"))
+ return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.ssl3;
+ else if (rangeString.equalsIgnoreCase("tls1.0"))
+ return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0;
+ else if (rangeString.equalsIgnoreCase("tls1.1"))
+ return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1;
+ else if (rangeString.equalsIgnoreCase("tls1.2"))
+ return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2;
+
+ return -1;
+ }
}}}

Otherwise, we will have to edit this code again for TLS 1.3

That works for TLS 1, but not for TLS 2 - see slapi_getSSLVersion_str and how the minor_offset is used.

Replying to [comment:12 rmeggins]:

That works for TLS 1, but not for TLS 2 - see slapi_getSSLVersion_str and how the minor_offset is used.

Done, new patch attached.

{{{
if((minor = atol(comp))){
}}}
What if the string is "tls1.0"? Then minor will be 0 and the if will fail.

Replying to [comment:14 rmeggins]:

{{{
if((minor = atol(comp))){
}}}
What if the string is "tls1.0"? Then minor will be 0 and the if will fail.

Nice catch, New patch attached.

Going to leave the console version string conversion function as is because JSS doesn't have the full NSS api support to handle it properly. Once it does, we can reopen this and future proof the version string conversion then.

idm-console-framework: need to set the default minimum version to TLS1.0 - for backwards compatibility.

f525cda..5bb09b3 master -> master
commit 5bb09b38580f79cc90b51a4ef3da9468c30eccf2

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 389-admin,console 1.1.36

2 years ago

Login to comment on this ticket.

Metadata