How to limit Foreman smart-proxy listening on port 8443 to accept TLS1.2 connections only

Problem:
Our internal security group scanned the foreman server and it showed the following vulnerabilities:
TLS Server Supports TLS version 1.0
TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)
TLS/SSL Server is enabling the BEAST attack

Expected outcome:
Using the command “openssl s_client -connect :8443 [OPTION]” should show a “handshake failure” message if [OPTION] is either -tls1 or -tls1_1. Getting a response using OPTION -tls1_2 is fine. The result of using OPTION -ssl2 or -ssl3 suffices.

Example:
$ openssl s_client -connect gppdev1fore1:443 -ssl3
CONNECTED(00000003)
140614896445256:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140614896445256:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

Foreman and Proxy versions:
1.7

Foreman and Proxy plugin versions:

Other relevant data:
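Added example (not part of the original thread): a small POSIX shell script that runs the openssl s_client check described above once per protocol version and classifies each result, so the scan finding can be re-verified after a configuration change. The host and port are arguments you supply; the output patterns it matches are the ones OpenSSL prints on refusal or on a completed session.

```shell
#!/bin/sh
# Added example, not from the thread: probe which TLS versions a server accepts
# with openssl s_client and summarise the result per version.

# classify_output reads captured s_client output (stdout+stderr) and prints one of:
#   REFUSED           server rejected the version (alert / handshake failure)
#   ACCEPTED <proto>  a session was negotiated; <proto> is from the "Protocol :" line
#   CLIENT_ERROR      the local openssl does not support that version flag
#   UNKNOWN           nothing recognisable (connection refused, timeout, ...)
classify_output() {
    if printf '%s\n' "$1" | grep -Eq 'unknown option|no protocols available'; then
        echo CLIENT_ERROR
        return 0
    fi
    if printf '%s\n' "$1" | grep -Eq 'handshake failure|alert protocol version|wrong version number'; then
        echo REFUSED
        return 0
    fi
    proto=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    if [ -n "$proto" ]; then
        echo "ACCEPTED $proto"
    else
        echo UNKNOWN
    fi
}

# probe HOST PORT: try each version flag. A proxy hardened as the thread describes
# should report REFUSED for -ssl3, -tls1 and -tls1_1 and ACCEPTED only for 1.2 (and 1.3).
probe() {
    host=$1
    port=$2
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
        printf '%-8s %s\n' "$flag" "$(classify_output "$out")"
    done
}

# Usage: sh tls_probe.sh proxy.example.org 8443   (hostname is a placeholder)
if [ -n "${1:-}" ]; then
    probe "$1" "${2:-8443}"
fi
```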

I only looked for options in the current version as 1.7 is very old and should be updated!

In the example file there is an option:

# Use this option only if you need to strictly specify TLS versions to be
# disabled. SSLv3 and TLS v1.0 are always disabled and cannot be configured.
# Specify versions like: '1.1', or '1.2'
#:tls_disabled_versions: []

This option is also available from the puppet module, but not from the installer or in the docs.

But even better you can block all unwanted connections:

# Hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
# HTTPS: test the certificate CN
# HTTP: test the reverse DNS entry of the remote IP
#:trusted_hosts:
#- foreman.prod.domain
#- foreman.dev.domain
#to deny access to all hosts use:
#:trusted_hosts: []

This is set to the foreman host by default in current versions when using the installer.


Pull request to add it to the manual:
https://github.com/theforeman/theforeman.org/pull/1352


We do have --foreman-proxy-tls-disabled-versions and --foreman-proxy-plugin-dynflow-tls-disabled-versions but both are advanced so --help won’t show them. You need --full-help.


And because of this and the list of options being auto-generated from the help, it is also not in the manual as an option for the installer, correct?

I must admit I haven’t looked at what kafo-export-params but I observed the same thing. It looks like the manual is a reflection of --help, not --full-help. We use a script to extract them:

In the main manual we might be better off with a manually curated list and split off all the options to a reference document. Perhaps we can even include all options there and mark them as advanced there.

Thanks for the reply. Does this mean 1.7 may not even have the :tls_disabled_versions: option available in settings.yml?

Changed /etc/foreman-proxy/settings.yml to contain the following:

---
#replace default location of "settings.d"
:settings_directory: /etc/foreman-proxy/settings.d

:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
:daemon: true
:ssl_certificate: /var/lib/puppet/ssl/certs/ourforeman.localdomain.pem
:daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid
:ssl_private_key: /var/lib/puppet/ssl/private_keys/ourforeman.localdomain.pem
:https_port: 8443
:log_file: /var/log/foreman-proxy/proxy.log
:virsh_network: default
:tls_disabled_versions: 1.1

I then restarted “httpd” and ran “openssl s_client -connect gppdev1fore1:8443 -tls1_1” but the handshake still worked:

CONNECTED(00000003)
depth=1 CN = Puppet CA: gppdev1fore1.gpp
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
...
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3941 bytes and written 381 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
...

Regarding blocking other hosts by using :trusted_hosts: in settings.yml, does the list of servers under :trusted_hosts: need to be indented?

Ex.

:trusted_hosts:
- machine1.localdomain
- machine2.localdomain

or

:trusted_hosts:
  - machine1.localdomain
  - machine2.localdomain

One thing I forgot to mention - our foreman server is also the smart-proxy.

Thanks!

Putting in the correct text so it appears correct in the text:

:trusted_hosts:
- ourforeman.localdomain

or

:trusted_hosts:
  - ourforeman.localdomain

Correct. I’ve updated Bug #21350: Allow restricting TLS version - Smart Proxy - Foreman to set the Fixed in version (1.17.0).

Thanks! We are still using 1.7 and upgrading would take time to implement. We’re going to allow 8443 from within the foreman server only through iptables.

I could not find this at first, but I was only looking in the katello part of the manual, not the foreman manual. I did not think of this (as the katello manual looks like a kind of replacement, but with the katello integration in foreman included).