#2821 Weak ciphers (3DES) should not be enabled by default anymore
Closed: fixed 5 years ago Opened 5 years ago by mharmsen.

I see the following two ciphers enabled by default in the base/server/share/conf/ciphers.info file:

+TLS_RSA_WITH_3DES_EDE_CBC_SHA
+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Can we disable those ciphers by default so that they need to be explicitly enabled in case they are needed?


Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1469169
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue priority set to: blocker
- Issue set to the milestone: 10.5

5 years ago

Metadata Update from @jmagne:
- Issue assigned to jmagne

5 years ago

Metadata Update from @jmagne:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.0 (was: 10.5)

5 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.5.0-1.fc27

5 years ago

commit 5ada777e54d0e79588c5516e18eefdbccbe36cea
Author: Jack Magne <jmagne@redhat.com>
Date: Wed Oct 4 10:50:46 2017 -0700

Fix Weak ciphers (3DES) should not be enabled by default anymore.

Ticket: https://pagure.io/dogtagpki/issue/2821

This fix simply does the following:

1. Makes sure that the ciphers below are not enabled by default on new
installations of a CS subsystem:

TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

2. The informational text file ciphers.info has been updated to reflect the change.

To restate, this only affects brand new installs. Existing instances will have to be
modified manually, but this is not a huge task.

3. Since the idea was to remove 3DES related ciphers, decided to disable the rest of
those involving 3DES. They can be rescued if required by the user.

Change-Id: I1fbef9fbe0fa509a65e167161e30f41204d4197d

commit 78e4bbc4b696b52036fa18caff5f92c02dc80d88
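
For the existing instances that the commit message says must be modified manually, a check like the following (an added example, not Dogtag's own code) finds 3DES suites still switched on in a `+`/`-` prefixed cipher list and rewrites them as disabled. The function names, the sample list and the handling of comma-separated entries are assumptions made for illustration.

```python
import re

# One list entry is a sign followed by a suite name,
# e.g. "+TLS_RSA_WITH_3DES_EDE_CBC_SHA" as quoted in the issue.
ENTRY = re.compile(r"(?<!\w)([+-])(\w+)")


def _is_comment(line):
    return line.lstrip().startswith("#")


def parse_entries(text):
    """Return [(enabled, suite_name), ...] in order, ignoring '#' comment lines."""
    entries = []
    for line in text.splitlines():
        if _is_comment(line):
            continue
        for sign, name in ENTRY.findall(line):
            entries.append((sign == "+", name))
    return entries


def enabled_3des(text):
    """Names of the suites that are switched on and use 3DES."""
    return [name for on, name in parse_entries(text) if on and "3DES" in name.upper()]


def disable_3des(text):
    """Flip '+' to '-' on every 3DES suite; all other text is left unchanged."""
    def flip(m):
        return "-" + m.group(2) if "3DES" in m.group(2).upper() else m.group(0)
    return "".join(
        line if _is_comment(line) else ENTRY.sub(flip, line)
        for line in text.splitlines(keepends=True)
    )


# Constructed sample list (assumption: entries may be one per line or comma-separated).
SAMPLE = (
    "# constructed sample, not a real instance's list\n"
    "+TLS_RSA_WITH_3DES_EDE_CBC_SHA\n"
    "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\n"
    "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\n"
)

if __name__ == "__main__":
    for name in enabled_3des(SAMPLE):
        print("3DES suite still enabled:", name)
    print(disable_3des(SAMPLE), end="")
```

Running `enabled_3des` again on the output of `disable_3des` should return an empty list before the rewritten list is put back in place.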

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2941

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
