With a system-wide crypto policy that allows only TLS 1.2 and TLS 1.3, FreeIPA still sets TLS 1.0 as an allowed protocol in its mod_ssl configuration. We need to fix the FreeIPA installer to:
On Fedora Rawhide this can be seen with update-crypto-policy --set FUTURE -- you need to use git master of the dogtag/jss/tomcatjss packages to get through the actual installation (I fixed that and dogtag will release new packages soon), but FreeIPA still sets:

    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
The code in question is this:

    def set_mod_ssl_protocol(self):
        directivesetter.set_directive(paths.HTTPD_SSL_CONF, 'SSLProtocol',
                                      '+TLSv1 +TLSv1.1 +TLSv1.2', False)
It doesn't take the default crypto policy into account. Since we need to support any default crypto policy at the moment of installation, it would be good to change this code to actually read MinProtocol from /etc/crypto-policies/back-ends/opensslcnf.config, if it exists, and iterate the list from there up to the highest known supported protocol.
This way if people use 'update-crypto-policies --set LEGACY' we would still continue working and wouldn't break expectations.
Note that opensslcnf.config might not exist (it doesn't on Fedora 28 or earlier); in that case we have to fall back to a reasonable approximation (the previous state we had). More details are available in the man page for update-crypto-policy.
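The following is an added example, not FreeIPA's own code, of the installer-side approach proposed in the comment above: parse MinProtocol out of opensslcnf.config when the file exists, enable every protocol from that floor up to the newest keyword mod_ssl understands, and fall back to the previously hard-coded value when the file is missing or says something the table cannot express. The function names, the KNOWN_PROTOCOLS table and the sample policy texts are assumptions made for the example.

```python
"""Derive mod_ssl's SSLProtocol value from the system-wide crypto policy.

Added example, not FreeIPA code.  Reads MinProtocol from opensslcnf.config
when present, expands it to "+proto" keywords up to the newest known one,
and falls back to the old hard-coded value otherwise.
"""
import os
import re

# Path of the OpenSSL back-end of the crypto policy (from the ticket).
OPENSSLCNF_CONFIG = "/etc/crypto-policies/back-ends/opensslcnf.config"

# Protocol keywords mod_ssl accepts, oldest first (assumed table).  TLSv1.3
# needs an httpd built against a TLS 1.3 capable OpenSSL; trim it otherwise.
KNOWN_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# What the installer wrote before; used when no usable policy is available.
FALLBACK_SSL_PROTOCOL = "+TLSv1 +TLSv1.1 +TLSv1.2"

_MIN_PROTOCOL_RE = re.compile(r"^\s*MinProtocol\s*=\s*(\S+)\s*$", re.MULTILINE)


def min_protocol_from_config(config_text):
    """Return the MinProtocol value found in opensslcnf.config text, or None."""
    match = _MIN_PROTOCOL_RE.search(config_text)
    return match.group(1) if match else None


def protocols_from_min(min_protocol):
    """All known protocols from min_protocol (inclusive) up to the newest.

    Raises ValueError for a value the table cannot express (e.g. SSLv3, or a
    version newer than the table), so the caller can fall back safely.
    """
    if min_protocol not in KNOWN_PROTOCOLS:
        raise ValueError("unsupported MinProtocol: %r" % (min_protocol,))
    return list(KNOWN_PROTOCOLS[KNOWN_PROTOCOLS.index(min_protocol):])


def ssl_protocol_value(config_text):
    """Compute the SSLProtocol directive value.

    config_text is the policy file content, or None when the file is missing
    (Fedora 28 and earlier).  An unparseable or unknown policy also yields
    the fallback, so the installer never writes an empty protocol set.
    """
    if config_text is None:
        return FALLBACK_SSL_PROTOCOL
    min_protocol = min_protocol_from_config(config_text)
    if min_protocol is None:
        return FALLBACK_SSL_PROTOCOL
    try:
        protocols = protocols_from_min(min_protocol)
    except ValueError:
        return FALLBACK_SSL_PROTOCOL
    return " ".join("+" + proto for proto in protocols)


def read_policy_config(path=OPENSSLCNF_CONFIG):
    """Read the policy back-end file, returning None if it does not exist."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return f.read()


# Constructed samples: an abbreviated DEFAULT file like the one quoted later
# in this ticket, and a FUTURE-style file that raises the floor to TLS 1.2.
SAMPLE_DEFAULT_POLICY = (
    "CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:-aDSS:!EXP:-3DES:!DES:!RC4\n"
    "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\n"
    "MinProtocol = TLSv1\n"
)
SAMPLE_FUTURE_POLICY = "MinProtocol = TLSv1.2\n"

if __name__ == "__main__":
    print("DEFAULT:", ssl_protocol_value(SAMPLE_DEFAULT_POLICY))
    print("FUTURE: ", ssl_protocol_value(SAMPLE_FUTURE_POLICY))
    print("no file:", ssl_protocol_value(read_policy_config("/nonexistent")))
```

With the DEFAULT sample this yields "+TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3" and with the FUTURE sample "+TLSv1.2 +TLSv1.3"; a missing file or a MinProtocol of SSLv3 yields the old hard-coded string, which is the "previous state" fallback the comment asks for.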
Metadata Update from @rcritten: - Issue assigned to rcritten
Looks like mod_ssl will not get protocol configuration from the policy currently (it is not set in the policy at all; I'm not sure if this is a policy, openssl or mod_ssl limitation).
To match current behavior IMHO we should do:

    SSLProtocol all -SSLv3
    SSLProxyProtocol all -SSLv3
It is probably a good time to drop TLS v1 and 1.1, so we can change it to:

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
Ciphers are already using the policy via:

    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
If mod_ssl gets crypto policy support for protocols at some point we can address this further then. I don't know what sifting through opensslcnf.config really buys us and it might inadvertently change customer-made configuration (if say we do it at upgrade time).
Instead I propose we look for the specifically configured protocol strings and replace those.
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1
Starting with Fedora 29, it's possible to set the minimum version. The DEFAULT policy has TLS 1.0 as min version. FUTURE has TLS 1.2.

    # cat /etc/crypto-policies/back-ends/opensslcnf.config
    CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:-aDSS:!EXP:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:!SSLv2:!ADH
    Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
    MinProtocol = TLSv1
Right. I think we want to get out of the business of setting this.
SSLProtocol is optional so I think we can completely drop it and rely on system defaults.
Unfortunately in my testing with Apache increasing this in the policy did absolutely nothing.
dogtag is not installable using FUTURE policy, https://pagure.io/dogtagpki/issue/3049
TLS 1.3 was broken in Apache in rawhide (F30). It was fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1619389
A patch to allow Apache to use system policy for Protocols was proposed in https://bugzilla.redhat.com/show_bug.cgi?id=1618371
https://bodhi.fedoraproject.org/updates/FEDORA-2018-7f2a17fb92 has been pushed to F29 testing, so now we have Apache with system policies and TLS 1.3. FreeIPA part can proceed.
Let's test client cert auth first. I'm pretty sure it's broken, because it uses PHA and PHA isn't supported by any HTTP client library yet.
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.2 (was: FreeIPA 4.7.1)
FreeIPA 4.7.1 has been released, moving to FreeIPA 4.7.2 milestone
The work left to do is to unset SSLProtocol config string to let it default to the system-wide crypto default.
If we want to be considerate about stomping on custom settings we would want to avoid changing it on update if it is not "all -SSLv3" which is the default in Fedora.
Note that this patch does not appear in F-28 in httpd so maybe we'll have to wait until that is EOL'd.
Note that we also need to provide a mechanism to still create the SSLProtocol line for distributions that do not have both a system-wide crypto policy and the Apache patch to allow not setting SSLProtocol.
I don't think we have to worry about that. Debian's Apache config /etc/apache2/mods-available/ssl.conf contains SSLProtocol all -SSLv3.
Fedora has a line like this by default as well. In order to guarantee the use of the system-wide policy we would need to remove the line altogether. For example, I think the -SSLv3 is redundant in Fedora at this point.
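The following is an added example, not FreeIPA's own code, of the upgrade step discussed in the two comments above ("look for the specifically configured protocol strings and replace those" and "avoid changing it on update if it is not 'all -SSLv3'"): only SSLProtocol values known to have been written by the old installer or shipped as the distro default are removed, so mod_ssl falls through to the system-wide policy, while any other value is treated as an administrator's deliberate setting and left alone. The MANAGED_SSL_PROTOCOL_VALUES set, the function names and the sample ssl.conf texts are assumptions made for the example.

```python
"""Upgrade step: unset SSLProtocol only where FreeIPA or the distro set it.

Added example, not FreeIPA code.  Values not in MANAGED_SSL_PROTOCOL_VALUES
are assumed to be deliberate administrator settings and are left untouched.
"""
import re

# Values we know were not chosen by the administrator (assumed list).
MANAGED_SSL_PROTOCOL_VALUES = frozenset({
    "+TLSv1 +TLSv1.1 +TLSv1.2",  # written by the old set_mod_ssl_protocol()
    "all -SSLv3",                # Fedora/Debian ssl.conf default
})

# Apache directive names are case-insensitive; commented lines never match.
_SSL_PROTOCOL_RE = re.compile(r"^\s*SSLProtocol\s+(.*?)\s*$", re.IGNORECASE)


def _normalize(value):
    """Collapse whitespace so 'all   -SSLv3' compares equal to 'all -SSLv3'."""
    return " ".join(value.split())


def drop_managed_ssl_protocol(conf_text):
    """Remove managed SSLProtocol lines from an ssl.conf text.

    Returns (new_text, removed_values, kept_custom_values).  SSLProxyProtocol
    and commented-out lines are never touched.
    """
    kept_lines, removed, kept_custom = [], [], []
    for line in conf_text.splitlines(keepends=True):
        match = _SSL_PROTOCOL_RE.match(line)
        if match is None:
            kept_lines.append(line)
            continue
        value = _normalize(match.group(1))
        if value in MANAGED_SSL_PROTOCOL_VALUES:
            removed.append(value)      # drop it: mod_ssl now follows policy
            continue
        kept_custom.append(value)      # admin customisation: leave as is
        kept_lines.append(line)
    return "".join(kept_lines), removed, kept_custom


def upgrade_ssl_conf(path):
    """Rewrite the file in place; returns True if a line was removed."""
    with open(path) as f:
        text = f.read()
    new_text, removed, _kept = drop_managed_ssl_protocol(text)
    if removed:
        with open(path, "w") as f:
            f.write(new_text)
    return bool(removed)


# Constructed inputs: a Fedora-style default and an admin-pinned config.
SAMPLE_DEFAULT_SSL_CONF = (
    "Listen 443 https\n"
    "SSLProtocol all -SSLv3\n"
    "SSLProxyProtocol all -SSLv3\n"
    "SSLCipherSuite PROFILE=SYSTEM\n"
)
SAMPLE_CUSTOM_SSL_CONF = (
    "# pinned by the administrator, must survive upgrades\n"
    "SSLProtocol -all +TLSv1.2\n"
    "SSLCipherSuite PROFILE=SYSTEM\n"
)

if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT_SSL_CONF),
                       ("custom", SAMPLE_CUSTOM_SSL_CONF)):
        new_text, removed, kept = drop_managed_ssl_protocol(conf)
        print(name, "removed:", removed, "kept custom:", kept)
        print(new_text)
```

On the default sample the SSLProtocol line is dropped and SSLProxyProtocol is left as is; on the custom sample nothing changes and the pinned value is reported back, which is the behaviour wanted for an upgrade that must not stomp on customer-made configuration.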
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1713082
Issue linked to Bugzilla: Bug 1713082
https://github.com/freeipa/freeipa/pull/3178
We need to decide the milestone for this.
Metadata Update from @rcritten: - Issue priority set to: important
master:
ipa-4-7:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-6:
Metadata Update from @cheimes: - Issue status updated to: Open (was: Closed)