I’m getting the following returned from the ssl-enum-ciphers nmap script against TCP/8443:
PORT STATE SERVICE
8443/tcp open https-alt
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Forward Secrecy not supported by any cipher
|_ least strength: A
Thanks for that. That matches mine, but ECDHE-RSA-AES128-GCM-SHA256 and ECDHE-RSA-AES256-GCM-SHA384 still are not used. I ran a fresh install, and the results are the same.
After doing some more digging, I’m thinking it's potentially the version of webrick being used:
2020-02-04T09:49:57 [I] TLSv1.1 will be disabled.
2020-02-04T09:49:57 [I] WEBrick 1.3.1
2020-02-04T09:49:57 [I] ruby 2.0.0 (2015-12-16) [x86_64-linux]
This version of webrick is from 2011, so I'm thinking it just might not support those ciphers. I’m looking into the best way to upgrade/use the rh-ruby25 SCL. Will update when I have something more.
Confirmed. Using the rh-ruby25 SCL, now getting the following:
PORT STATE SERVICE
8443/tcp open https-alt
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (secp256r1) of lower strength than certificate key
|_ least strength: A
Since using the profile.d method of sourcing the SCL won’t work for the foreman-proxy user, I’ve been trying to find a method of having foreman-proxy use rh-ruby25 using /etc/sysconfig/foreman-proxy, but to no avail yet. Any guidance on how I can accomplish this is appreciated. As for the nightly build, I cloned smart-proxy but couldn’t find where it was using the SCL.
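Added here as an example (not code from the thread, nor from Foreman or smart-proxy): a Ruby snippet that parses ssl-enum-ciphers listings like the two above, flags any protocol version that offers no forward-secret (ECDHE/DHE) suite, and lists which ECDHE suites the local Ruby's OpenSSL can offer. The embedded listings are constructed, shortened from the output above.

```ruby
require 'openssl'

# Constructed sample: the "before" listing from the thread, shortened.
NMAP_BEFORE = <<~OUT
  | ssl-enum-ciphers:
  |   TLSv1.2:
  |     ciphers:
  |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
  |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
  |     compressors:
  |       NULL
  |     cipher preference: server
  |     warnings:
  |       Forward Secrecy not supported by any cipher
  |_  least strength: A
OUT

# Constructed sample: the "after" listing (rh-ruby25), shortened.
NMAP_AFTER = NMAP_BEFORE.sub(
  'TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096)',
  'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)'
)

# Returns { "TLSv1.2" => ["TLS_RSA_WITH_...", ...], ... } from ssl-enum-ciphers text.
def parse_enum_ciphers(text)
  result = {}
  version = nil
  text.each_line do |line|
    body = line.sub(/\A\|_?\s*/, '').rstrip          # strip nmap's "| " / "|_ " prefix
    if (m = body.match(/\A(TLSv1\.\d|SSLv3):\z/))    # protocol version header
      version = m[1]
      result[version] = []
    elsif version && (m = body.match(/\A(TLS_[A-Z0-9_]+)\s/))
      result[version] << m[1]                        # cipher suite name
    end
  end
  result
end

# Forward secrecy needs an ephemeral (EC)DH key exchange in the suite name.
def forward_secret?(cipher)
  cipher.start_with?('TLS_ECDHE_', 'TLS_DHE_')
end

# Protocol versions for which no offered suite provides forward secrecy.
def missing_forward_secrecy(parsed)
  parsed.select { |_v, suites| suites.none? { |c| forward_secret?(c) } }.keys
end

# ECDHE suites (OpenSSL names) the local Ruby/OpenSSL build can negotiate;
# an empty list reproduces the symptom seen with the Ruby 2.0 build above.
def local_ecdhe_ciphers
  OpenSSL::SSL::SSLContext.new.ciphers.map(&:first).select { |n| n.start_with?('ECDHE-') }
end
```

Run `missing_forward_secrecy(parse_enum_ciphers(nmap_text))` on a real scan to get the versions that still need ECDHE suites; `local_ecdhe_ciphers` is the check to run under the Ruby that smart-proxy actually uses.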
Thanks for the report. We are aware of that ugly and old version of webrick; this is why we are moving to SCL Ruby even when we are so close to upgrading to RHEL8.