Issue #2918: Make sslget aware of TLSv1_2 ciphers - dogtagpki

dogtagpki

#2918 Make sslget aware of TLSv1_2 ciphers

Closed: fixed 6 years ago Opened 6 years ago by mharmsen.

While addressing another issue, I noticed that the sslget tool was unaware of any TLSv1_2 ciphers; this functionality should be added to the tool.

Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1540789
- Custom field type adjusted to None
- Custom field version adjusted to None

6 years ago

cheimes commented 6 years ago

Wouldn't it be easier and safer to rely on NSS's default system policy for ciphers? These days NSS and OpenSSL have sane and reasonable secure settings. I'd use the defaults and restrict protocol to TLS 1.0 to 1.2.

Metadata Update from @cheimes:
- Issue assigned to cheimes

6 years ago

cheimes commented 6 years ago

https://review.gerrithub.io/400945 addresses the problem and a couple of more issues.

SSL 2.0 and SSL 3.0 are disabled
All cipher suites are disabled by default
FIPS approved TLS 1.0 to TLS 1.2 cipher suites are enabled
Legacy suites with 3DES and DSS authentication are disabled

mharmsen commented 6 years ago

commit 27142606930f87023e7e1981dfbc76199d4dd240 (HEAD -> master, origin/master, origin/HEAD)
Author: Christian Heimes <cheimes@redhat.com>
Date:   Thu Feb 22 10:22:41 2018 +0100

    Modernize sslget's TLS version and cipher suite

    Disable all cipher suites unless NSS says it's a FIPS approved suite.

    * SSL 2.0 and SSL 3.0 are disabled
    * Broken or weak suites with 3DES, RC4 and effective key bits less than
      80 bits are disabled.

    Fixes: https://pagure.io/dogtagpki/issue/2918
    Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8
    Signed-off-by: Christian Heimes <cheimes@redhat.com>

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.7 (was: 10.6)

6 years ago

Metadata Update from @mharmsen:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

dmoluguw commented 3 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3036

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata

Assignee

cheimes

Tags

None

Blocking

None

Depending on

None

Priority

blocker

Milestone

10.5.7

lowhangingfruit

None

reporter

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1540789

type

None

version

None

keywords

None

estimate

None

feature

None

origin

None

proposedpriority

None

fixedinversion

None

platforms

None

blockedby

None

blocking

None

reviewer

None

component

None

proposedmilestone

None

dogtagpki

Source Code

#2918 Make sslget aware of TLSv1_2 ciphers Closed: fixed 6 years ago Opened 6 years ago by mharmsen.

Metadata

#2918 Make sslget aware of TLSv1_2 ciphers

Closed: fixed 6 years ago Opened 6 years ago by mharmsen.