Current pki-server-10.3.3-1.fc24 supports only AES128-SHA and AES256-SHA as TLS ciphers on port 8443. Neither AES in CBC mode nor SHA-1 is state of the art. The cipher suite also lacks PFS (ephemeral DH/ECDH for key agreement).
I would also like to point out that the current configuration of tomcatjss is rather confusing and hard to read. The connector config contains obsolete and unnecessary options. The options sslOptions, ssl2Ciphers and tlsCiphers are deprecated and ignored in the presence of sslVersionRangeStream.
https://svn.fedorahosted.org/svn/tomcatjss/trunk/tomcatjss/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
```java
/*
 * note: the SSL_OptionSet-based API for controlling the enabled protocol
 * versions are obsolete and replaced by the setSSLVersionRange calls. If
 * the "range" parameters are present in the attributes then the sslOptions
 * parameter is ignored.
 */
public void setSSLOptions() throws SocketException, IOException {
```
The new option sslRangeCiphers lists several ciphers with - prefix. With strictCiphers="true" it is not required to exclude any ciphers. With strict ciphers all ciphers are disabled by default. So only explicitly enabled ciphers are available.
```
$ sslscan master.ipa.example:8443
Version: 1.11.7
OpenSSL 1.0.2h-fips  3 May 2016

OpenSSL version does not support SSLv2
SSLv2 ciphers will not be detected

Testing SSL server master.ipa.example on port 8443

  TLS Fallback SCSV:
Server does not support TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  256 bits  AES256-SHA
Preferred TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  256 bits  AES256-SHA
Preferred TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  256 bits  AES256-SHA

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  master.ipa.example
Issuer:   Certificate Authority

Not valid before: Aug 15 12:37:17 2016 GMT
Not valid after:  Aug  5 12:37:17 2018 GMT
```
(Note: sslscan from https://koji.fedoraproject.org/koji/taskinfo?taskID=15234102 / https://github.com/tiran/sslscan/releases/tag/1.11.8-tiran )
```xml
<Connector name="Secure"
    ...
    strictCiphers="true"
    clientAuth="want"
    sslOptions="ssl2=false,ssl3=false,tls=true"
    ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
    ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
    tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
    sslVersionRangeStream="tls1_0:tls1_2"
    sslVersionRangeDatagram="tls1_1:tls1_2"
    sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
    ... />
```
Remove sslOptions, ssl2Ciphers and tlsCiphers from config.
Remove all negative cipher defs from sslRangeCiphers.
Add sensible ciphers to sslRangeCiphers. Mozilla's Server Side TLS page has good recommendations and even a JSON file with suggested ciphers: https://wiki.mozilla.org/Security/Server_Side_TLS.
A good list of ciphers should include:
Please note that my config has different values than the QA test in https://bugzilla.redhat.com/show_bug.cgi?id=871171#c41 e.g. -TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 in my config but +TLS_ECDH_RSA_WITH_AES_128_GCM_SHA25 in comment 41.
The cipher spec was last changed in tickets #1566 and #1438 by cfu. If I understand the tickets correctly, the PFS ciphers were disabled because they were causing trouble with HSMs.
FYI, there's a proposal to improve the Tomcat JSS configuration in ticket #1352 to make it easier to maintain and to remove misleading warnings.
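The semantics the report relies on (with strictCiphers="true" only the "+" entries of sslRangeCiphers matter, so every "-" entry is noise, and the three suites left enabled are static-RSA CBC/SHA-1) can be checked mechanically. The following is an added example, not code from tomcatjss or Dogtag PKI: a small Python checker that parses a "+X,-Y" cipher spec, reports which enabled suites lack PFS, use CBC, 3DES or an SHA-1/MD5 HMAC, flags the redundant exclusions, and rejects misspelt suite names such as the "SHA25" one quoted from comment 41. The suite classification is derived purely from the IANA-style name; the sample spec is a constructed excerpt of the connector's value, and the suggested PFS list is my assumption about what the NSS build supports, not a list from the ticket.

```python
"""Audit a tomcatjss sslRangeCiphers value under strictCiphers="true".

Added example (not Dogtag/tomcatjss code).  Models the behaviour stated in
the ticket: with strictCiphers="true" every suite is off unless listed with
a "+" prefix, so "-" entries are redundant.  Weakness classification is a
name-based approximation (key exchange before _WITH_, mode and hash after).
"""
import re

# One entry is "+NAME" or "-NAME"; names are upper-case IANA-style tokens.
_ENTRY_RE = re.compile(r"^([+-])([A-Z][A-Z0-9_]+)$")
# Every real suite name ends in its MAC hash (or PRF hash for AEAD suites).
_HASH_SUFFIXES = ("_SHA", "_SHA256", "_SHA384", "_MD5")

# Constructed excerpt of the sslRangeCiphers value quoted in this ticket.
ISSUE_SPEC = (
    "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,"
    "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,"
    "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,"
    "+TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
    "+TLS_RSA_WITH_AES_128_CBC_SHA,"
    "+TLS_RSA_WITH_AES_256_CBC_SHA"
)

# Assumed replacement list (PFS + AEAD); whether NSS/JSS on a given build
# offers every one of these is an assumption, not something the ticket states.
PFS_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]


def parse_cipher_spec(spec):
    """Split a '+X,-Y,...' string into (enabled, disabled, errors).

    enabled:  names listed with '+', in order (the only ones that count
              under strictCiphers="true")
    disabled: names listed with '-' (redundant under strict mode)
    errors:   human-readable messages for malformed entries, which are
              skipped rather than silently accepted
    """
    enabled, disabled, errors = [], [], []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        match = _ENTRY_RE.match(entry)
        if not match:
            errors.append(f"malformed entry {entry!r}")
            continue
        sign, name = match.groups()
        if not name.endswith(_HASH_SUFFIXES):
            # Catches truncated names such as ..._GCM_SHA25 (missing digit).
            errors.append(f"unknown hash suffix in {name!r}")
            continue
        (enabled if sign == "+" else disabled).append(name)
    return enabled, disabled, errors


def audit_suite(name):
    """Return the weaknesses the ticket complains about, for one suite name."""
    key_exchange = name.split("_WITH_", 1)[0] + "_"   # e.g. "TLS_ECDHE_RSA_"
    findings = []
    if "_ECDHE_" not in key_exchange and "_DHE_" not in key_exchange:
        findings.append("no PFS (static key exchange)")
    if "_CBC_" in name:
        findings.append("CBC mode (MAC-then-encrypt)")
    if "_3DES_" in name:
        findings.append("3DES (64-bit block)")
    if name.endswith(("_SHA", "_MD5")):
        findings.append("SHA-1/MD5 HMAC")
    return findings


def build_strict_spec(suites):
    """Render a positive-only sslRangeCiphers value for strictCiphers="true"."""
    return ",".join("+" + suite for suite in suites)


if __name__ == "__main__":
    enabled, disabled, errors = parse_cipher_spec(ISSUE_SPEC)
    for err in errors:
        print("ERROR:", err)
    print(f"{len(disabled)} redundant '-' entries under strictCiphers=true")
    for suite in enabled:
        print(suite, "->", "; ".join(audit_suite(suite)) or "ok")
    print("suggested sslRangeCiphers:", build_strict_spec(PFS_SUITES))
```

Run against the excerpt above it reports the three enabled suites as static-RSA, CBC, SHA-1 (and 3DES for the first), which is exactly what sslscan observed on port 8443; feeding it the comment 41 spelling `+TLS_ECDH_RSA_WITH_AES_128_GCM_SHA25` yields an error instead of an entry that JSS would silently ignore.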
A few comments:
I have the info in ciphers.info indicating that they could be turned back on if not a concern with HSM:
So, yes, since we are now on for 7.3, we can safely turn them on
Also about limiting to TLS 1.2, as stated in ciphers.info, the sslVersionRangeStream and sslVersionRangeDatagram can be modified to either restrict or relax the TLS versions.
As for +'s and -'s, I think it's best to list all available (within reason) ciphers so that people know how to spell the cipher names if they need to tune the list. Although we could also refer them to ciphers.info. I'm okay either way.
Per the PKI Bug Council of 08/18/2016:
Per PKI Bug Council of 08/31/2016: 10.4 - major
Metadata Update from @cheimes: - Issue set to the milestone: UNTRIAGED
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2558
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)