Ciphers Inconsistent with Documentation

CentOS 7.7.1908
foreman 1.24.2
foreman-proxy 1.24.2

foreman-proxy TLS settings:

:tls_disabled_versions:
  - 1.1

I’m getting the following returned from the ssl-enum-ciphers nmap script against TCP/8443:

PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Forward Secrecy not supported by any cipher
|_  least strength: A

Which translates to:

AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA

According to Foreman :: Manual, the following ciphers should be in use:

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA

So my question is, how can the more secure ciphers be enabled? I haven’t defined ssl_disabled_ciphers in foreman-answers.yaml either. Thanks!
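As an added example (not part of the original post and not Foreman code), the following Ruby script does the translation above mechanically: it parses the plain-text output of nmap's ssl-enum-ciphers script, converts each IANA suite name into the OpenSSL spelling used by the manual and by smart-proxy's cipher list, flags the absence of forward secrecy the way nmap's warning does, and lists which of the manual's suites the server did not offer. The sample scan embedded in the script is a constructed copy of the first scan quoted above; the manual's two CBC suites are written in OpenSSL's own spelling (ECDHE-RSA-AES128-SHA and ECDHE-RSA-AES256-SHA), which is what openssl ciphers prints for them.

```ruby
# Added example: parse nmap ssl-enum-ciphers output, translate IANA suite names
# to OpenSSL names and check for forward secrecy. Not code from the thread or
# from the Foreman project.

# Constructed sample: the first scan quoted in the thread (RSA key exchange only).
SAMPLE_NMAP_OUTPUT = <<~'NMAP'
  PORT     STATE SERVICE
  8443/tcp open  https-alt
  | ssl-enum-ciphers:
  |   TLSv1.2:
  |     ciphers:
  |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
  |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
  |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
  |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
  |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
  |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
  |     compressors:
  |       NULL
  |     cipher preference: server
  |     warnings:
  |       Forward Secrecy not supported by any cipher
  |_  least strength: A
NMAP

# The manual's list, in OpenSSL spelling.
MANUAL_CIPHERS = %w[
  ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
  ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
  AES128-GCM-SHA256 AES256-GCM-SHA384
  AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
].freeze

# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> ECDHE-RSA-AES128-GCM-SHA256.
# Covers the RSA-authenticated AES suites seen in the thread; refuses to guess
# at anything else.
def iana_to_openssl(name)
  m = name.match(/\ATLS_(ECDHE_RSA|DHE_RSA|RSA)_WITH_AES_(128|256)_(GCM|CBC)_(SHA256|SHA384|SHA)\z/)
  raise ArgumentError, "unsupported suite #{name}" unless m
  kx, bits, mode, mac = m.captures
  parts = []
  parts << kx.tr("_", "-") unless kx == "RSA"   # static RSA kex has no prefix in OpenSSL names
  parts << "AES#{bits}"
  parts << "GCM" if mode == "GCM"               # CBC is implicit in OpenSSL names
  parts << mac
  parts.join("-")
end

# Returns { "TLSv1.2" => ["TLS_RSA_WITH_...", ...], ... } from the script output.
def parse_ssl_enum_ciphers(text)
  suites = Hash.new { |h, k| h[k] = [] }
  proto = nil
  text.each_line do |line|
    body = line.sub(/\A\|[_ ]?\s*/, "")          # strip nmap's "| " / "|_ " prefix and indent
    if (m = body.match(/\A(TLSv1\.\d|SSLv\d):\s*\z/))
      proto = m[1]
    elsif proto && (m = body.match(/\A(TLS_[A-Z0-9_]+)\s/))
      suites[proto] << m[1]
    end
  end
  suites
end

# Forward secrecy needs an ephemeral key exchange (ECDHE or DHE).
def forward_secret?(openssl_name)
  openssl_name.start_with?("ECDHE-", "DHE-")
end

# Per-protocol report: translated names plus the same verdict nmap warns about.
def report(text)
  parse_ssl_enum_ciphers(text).transform_values do |iana_names|
    names = iana_names.map { |n| iana_to_openssl(n) }
    { ciphers: names, forward_secrecy: names.any? { |n| forward_secret?(n) } }
  end
end

# Which of the manual's suites the scanned server did not offer.
def missing_from_manual(text, proto = "TLSv1.2")
  offered = report(text).fetch(proto, { ciphers: [] })[:ciphers]
  MANUAL_CIPHERS - offered
end

if __FILE__ == $PROGRAM_NAME
  report(SAMPLE_NMAP_OUTPUT).each do |proto, r|
    puts "#{proto}: #{r[:ciphers].join(' ')}"
    puts "  forward secrecy: #{r[:forward_secrecy] ? 'yes' : 'NO (no ECDHE/DHE suite offered)'}"
  end
  puts "missing vs manual: #{missing_from_manual(SAMPLE_NMAP_OUTPUT).join(' ')}"
end
```

To check a live proxy, replace the embedded sample with the output of nmap --script ssl-enum-ciphers -p 8443 against the host; the parser only looks at the "| " prefixed script lines, so the surrounding nmap banner can be left in.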

Hello, the ciphers which are enabled are hardcoded here:

If you want some more, send us a patch with an explanation. It must be a cipher from the OpenSSL shipped with CentOS 7 (latest version).

Long term, we plan to move away from webrick to puma and apache httpd as the reverse proxy for all communication.

Thanks for that. That matches mine, but ECDHE-RSA-AES128-GCM-SHA256 and ECDHE-RSA-AES256-GCM-SHA384 still are not used. I ran a fresh install, and the results are the same.

After doing some more digging, I’m thinking it’s potentially the version of webrick being used:

2020-02-04T09:49:57 [I] TLSv1.1 will be disabled.
2020-02-04T09:49:57 [I] WEBrick 1.3.1
2020-02-04T09:49:57 [I] ruby 2.0.0 (2015-12-16) [x86_64-linux]

This version of webrick is from 2011, so I’m thinking it just might not support those ciphers. I’m looking into the best way to upgrade to/use the rh-ruby25 SCL. Will update when I have something more.

Confirmed. Using the rh-ruby25 SCL, now getting the following:

PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (secp256r1) of lower strength than certificate key
|_  least strength: A
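The scan above shows the two ECDHE suites appearing once the proxy runs on a newer Ruby. The Ruby script below is an added example (not code from the thread or from smart-proxy) that reproduces the difference locally without nmap: it starts a throwaway TLS 1.2 server on a loopback port with the manual's cipher list and a self-signed certificate it generates itself, connects to it, and returns the cipher the two sides negotiated. With a shared EC group the server picks ECDHE-RSA first; when the server is configured so that no group can be agreed on with the client, OpenSSL skips the ECDHE suites and silently falls back to a static-RSA suite, which is the state the first scan reported as "Forward Secrecy not supported by any cipher". The self-signed certificate, the ephemeral port and the group names are demo assumptions. (The "Key exchange (secp256r1) of lower strength than certificate key" warning in the scan is nmap comparing the P-256 ephemeral key with the 4096-bit RSA certificate; it is informational, not a cipher problem.)

```ruby
# Added example: negotiate TLS 1.2 over loopback and report the chosen cipher,
# once with a shared EC group and once without. Not code from the thread or
# from smart-proxy. Needs the openssl gem 2.1+ (Ruby 2.5+) for min_version=,
# max_version= and ecdh_curves=.
require "openssl"
require "socket"

# The manual's list in OpenSSL spelling; ECDHE suites first, as the server preference.
MANUAL_CIPHER_LIST = %w[
  ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
  ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
  AES128-GCM-SHA256 AES256-GCM-SHA384
  AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
].join(":")

# Throwaway self-signed RSA certificate for the demo server (constructed here;
# the real proxy uses the certificate the installer hands it).
def make_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end
DEMO_KEY, DEMO_CERT = make_self_signed_cert

def server_context(ciphers, curves)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.key = DEMO_KEY
  ctx.cert = DEMO_CERT
  ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.ciphers = ciphers
  ctx.ecdh_curves = curves                                   # EC groups offered for ECDHE
  ctx.options |= OpenSSL::SSL::OP_CIPHER_SERVER_PREFERENCE   # "cipher preference: server"
  ctx
end

# One handshake over loopback; returns the negotiated cipher name. P-256 is the
# group nmap prints as secp256r1.
def negotiated_cipher(ciphers: MANUAL_CIPHER_LIST, server_curves: "P-256", client_curves: "P-256")
  listener = TCPServer.new("127.0.0.1", 0)                   # ephemeral port
  port = listener.addr[1]
  ctx = server_context(ciphers, server_curves)

  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(listener.accept, ctx)
    ssl.sync_close = true
    ssl.accept
    name = ssl.cipher[0]
    ssl.gets rescue nil                                      # wait for the client's close_notify
    ssl.close
    name
  end

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE         # demo cert is self-signed; real clients must verify
  client_ctx.ecdh_curves = client_curves
  client = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), client_ctx)
  client.sync_close = true
  client.connect
  client_name = client.cipher[0]
  client.close
  listener.close

  server_name = server.value
  raise "server saw #{server_name}, client saw #{client_name}" unless server_name == client_name
  server_name
end

if __FILE__ == $PROGRAM_NAME
  ok = negotiated_cipher
  puts "shared EC group:    #{ok} (forward secrecy: #{ok.start_with?('ECDHE-')})"
  # No group in common: ECDHE suites are skipped and the handshake silently
  # falls back to static-RSA key exchange, with the same cipher list configured.
  bad = negotiated_cipher(server_curves: "P-521")
  puts "no shared EC group: #{bad} (forward secrecy: #{bad.start_with?('ECDHE-')})"
end
```

Running it under the interpreter the service actually uses (for example the tfm-ruby wrapper mentioned later in this thread) shows directly whether that Ruby/OpenSSL pairing negotiates ECDHE, independent of the list configured in smart-proxy.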

Current nightly is running Foreman Proxy in the rh-ruby25 SCL.

Since using the profile.d method of sourcing the SCL won’t work for the foreman-proxy user, I’ve been trying to find a method of having foreman-proxy use rh-ruby25 using /etc/sysconfig/foreman-proxy, but to no avail yet. Any guidance on how I can accomplish this is appreciated. As for the nightly build, I cloned smart-proxy but couldn’t find where it was using the SCL.

Ok, I’ve managed to get it running with the tfm SCL. It’s ugly, could break in the future, but it works for now:

$ sudo mkdir /usr/share/foreman-proxy/.gem
$ sudo chown foreman-proxy /usr/share/foreman-proxy/.gem
$ sudo su - foreman-proxy -s /bin/bash
$ scl enable tfm bash
$ gem install smart_proxy_discovery smart_proxy_pulp smart_proxy_remote_execution_ssh
$ exit
$ exit
$ sudo nano /etc/sysconfig/foreman-proxy

PATH=/opt/theforeman/tfm/root/usr/bin:/opt/rh/rh-ruby25/root/usr/local/bin:/opt/rh/rh-ruby25/root/usr/bin:/opt/theforeman/tfm-ror52/root/usr/bin:/opt/theforeman/tfm-ror52/root/usr/sbin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/opt/puppetlabs/bin
LIBRARY_PATH=/opt/theforeman/tfm/root/usr/lib64
LD_LIBRARY_PATH=/opt/theforeman/tfm/root/usr/lib64:/opt/rh/rh-ruby25/root/usr/local/lib64:/opt/rh/rh-ruby25/root/usr/lib64:/opt/theforeman/tfm-ror52/root/usr/lib64
MANPATH=/opt/theforeman/tfm/root/usr/share/man:/opt/rh/rh-ruby25/root/usr/local/share/man:/opt/rh/rh-ruby25/root/usr/share/man:/opt/theforeman/tfm-ror52/root/usr/share/man::/opt/puppetlabs/puppet/share/man
CPATH=/opt/theforeman/tfm/root/usr/include
PKG_CONFIG_PATH=/opt/theforeman/tfm/root/usr/lib64/pkgconfig:/opt/rh/rh-ruby25/root/usr/local/lib64/pkgconfig:/opt/rh/rh-ruby25/root/usr/lib64/pkgconfig:/opt/theforeman/tfm-ror52/root/usr/lib64/pkgconfig
GEM_PATH=/opt/theforeman/tfm/root/usr/share/gems:/opt/theforeman/tfm-ror52/root/usr/share/gems:/usr/share/foreman-proxy/.gem/ruby:/opt/rh/rh-ruby25/root/usr/share/gems:/opt/rh/rh-ruby25/root/usr/local/share/gems
GEM_HOME=/opt/theforeman/tfm/root/usr/share/gems

$ sudo chmod o+r /etc/sysconfig/foreman-proxy
$ sudo systemctl restart foreman-proxy

I’m still open to a nicer way of accomplishing the same thing.

Sorry! I assumed the nightly build, not the nightly RPM. I see it uses #!/usr/bin/tfm-ruby. That will be much easier to use.

Thanks for the report. We are aware of that ugly and old version of webrick; this is why we are moving to SCL Ruby even though we are so close to upgrading to RHEL 8.

We are also very close to merging a change to move away from Webrick to Puma: https://github.com/theforeman/smart-proxy/pull/623