#7667 When setting up mod_ssl, define range o f the TLS protocols within the system-wide crypto policy
Opened 7 months ago by abbra. Modified a month ago

With the system-wide crypto policy that allows only to use TLS 1.2 and TLS 1.3, FreeIPA still sets TLS 1.0 as allowed one in mod_ssl configuration. We need to fix FreeIPA installer to:

  • detect current crypto policy settings
  • change generator of mod_ssl config to use TLS range defined by the current crypto policy

On Fedora Rawhide this can be seen with update-crypto-policy --set FUTURE -- you need to use git master of dogtag/jss/tomcatjss packages to get through the actual installation (I fixed that and dogtag will release new packages soon) but FreeIPA still sets:

SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

The code in question is this:

   def set_mod_ssl_protocol(self):
       directivesetter.set_directive(paths.HTTPD_SSL_CONF,
                                  'SSLProtocol',
                                  '+TLSv1 +TLSv1.1 +TLSv1.2', False)

It doesn't take default crypto policy into account. Since we need to support any default crypto policy at the moment of installation, it would be good to change this code to actually read MinProtocol and iterate the list up until known highest supported protocol from /etc/crypto-policies/back-ends/opensslcnf.config if it exists.

This way if people use 'update-crypto-policies --set LEGACY' we would still continue working and wouldn't break expectations.

Note that opensslcnf.config might not exist (it doesn't exist on Fedora 28 or earlier), in that case we have to fall back to a reasonable approximation (previous state we had). Also, more details are available in the man page for update-crypto-policy.

Metadata Update from @rcritten:
- Issue assigned to rcritten

7 months ago

Looks like mod_ssl will not get protocol configuration from policy currently (not set in policy at all. I'm not sure if this is a policy, openssl or mod_ssl limitation).

To match current behavior IMHO we should do:

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

It is probably a good time to drop TLS v1 and 1.1so we can change it to:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

Ciphers are already using policy via:

SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

If mod_ssl gets crypto policy support for protocols at some point we can address this further then. I don't know what sifting through opensslcnf.config really buys us and it might inadvertently change customer-made configuration (if say we do it at upgrade time).

Instead I propose we look for the specifically configured protocol strings and replace those.

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1

7 months ago

Starting with Fedora 29, it's possible to set the minim version. The DEFAULT policy has TLS 1.0 as min version. FUTURE has TLS 1.2.

# cat /etc/crypto-policies/back-ends/opensslcnf.config 
CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:-aDSS:!EXP:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:!SSLv2:!ADH
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
MinProtocol = TLSv1

Right. I think we want to get out of the business of setting this.

SSLProtocol is optional so I think we can completely drop it and rely on system defaults.

Unfortunately in my testing with Apache increasing this in the policy did absolutely nothing.

TLS 1.3 was broken in Apache in rawhide (F30). It was fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1619389

A patch to allow Apache to use system policy for Protocols was proposed in https://bugzilla.redhat.com/show_bug.cgi?id=1618371

https://bodhi.fedoraproject.org/updates/FEDORA-2018-7f2a17fb92 has been pushed to F29 testing, so now we have Apache with system policies and TLS 1.3. FreeIPA part can proceed.

Let's test client cert auth first. I'm pretty sure it's broken, because it uses PHA and PHA isn't supported by any HTTP client library yet.

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.2 (was: FreeIPA 4.7.1)

5 months ago

FreeIPA 4.7.1 has been released, moving to FreeIPA 4.7.2 milestone

The work left to do is to unset SSLProtocol config string to let it default to the system-wide crypto default.

If we want to be considerate about stomping on custom settings we would want to avoid changing it on update if it is not "all -SSLv3" which is the default in Fedora.

Note that this patch does not appear in F-28 in httpd so maybe we'll have to wait until that is EOL'd.

Login to comment on this ticket.

Metadata