While addressing another issue, I noticed that the sslget tool was unaware of any TLSv1_2 ciphers; this functionality should be added to the tool.
Metadata Update from @mharmsen: - Custom field component adjusted to None - Custom field feature adjusted to None - Custom field origin adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1540789 - Custom field type adjusted to None - Custom field version adjusted to None
Wouldn't it be easier and safer to rely on NSS's default system policy for ciphers? These days NSS and OpenSSL have sane and reasonable secure settings. I'd use the defaults and restrict protocol to TLS 1.0 to 1.2.
Metadata Update from @cheimes: - Issue assigned to cheimes
https://review.gerrithub.io/400945 addresses the problem and a couple of more issues.
commit 27142606930f87023e7e1981dfbc76199d4dd240 (HEAD -> master, origin/master, origin/HEAD) Author: Christian Heimes <cheimes@redhat.com> Date: Thu Feb 22 10:22:41 2018 +0100 Modernize sslget's TLS version and cipher suite Disable all cipher suites unless NSS says it's a FIPS approved suite. * SSL 2.0 and SSL 3.0 are disabled * Broken or weak suites with 3DES, RC4 and effective key bits less than 80 bits are disabled. Fixes: https://pagure.io/dogtagpki/issue/2918 Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8 Signed-off-by: Christian Heimes <cheimes@redhat.com>
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.7 (was: 10.6)
Metadata Update from @mharmsen: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3036
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.