Problem:
Our internal security group scanned the foreman server and it showed the following vulnerabilities:
TLS Server Supports TLS version 1.0
TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)
TLS/SSL Server is enabling the BEAST attack
Expected outcome:
Using the command “openssl s_client -connect :8443 [OPTION]” should show a “handshake failure” message if [OPTION] is either -tls1 or -tls1_1. Getting a response using OPTION -tls1_2 is fine. The result of using OPTION -ssl2 or -ssl3 suffices.
```yaml
# Use this option only if you need to strictly specify TLS versions to be
# disabled. SSLv3 and TLS v1.0 are always disabled and cannot be configured.
# Specify versions like: '1.1', or '1.2'
#:tls_disabled_versions: []
```
This option is also available from the puppet module, but not from the installer or in the docs.
But even better, you can block all unwanted connections:
```yaml
# Hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
# HTTPS: test the certificate CN
# HTTP: test the reverse DNS entry of the remote IP
#:trusted_hosts:
#- foreman.prod.domain
#- foreman.dev.domain
#to deny access to all hosts use:
#:trusted_hosts: []
```
This is set to the foreman host as the default in current versions when using the installer.
We do have --foreman-proxy-tls-disabled-versions and --foreman-proxy-plugin-dynflow-tls-disabled-versions but both are advanced so --help won’t show them. You need --full-help.
I must admit I haven’t looked at what kafo-export-params does, but I observed the same thing. It looks like the manual is a reflection of --help, not --full-help. We use a script to extract them:
In the main manual we might be better off with a manually curated list and split off all the options to a reference document. Perhaps we can even include all options there and mark them as advanced there.
I then restarted “httpd” and ran “openssl s_client -connect gppdev1fore1:8443 -tls1_1” but the handshake still worked:
```
CONNECTED(00000003)
depth=1 CN = Puppet CA: gppdev1fore1.gpp
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
...
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3941 bytes and written 381 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1.1
    Cipher : DHE-RSA-AES256-SHA
...
```
Regarding blocking other hosts by using :trusted_hosts: in settings.yml, does the list of servers under :trusted_hosts: need to be indented?
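An added example (not from this thread or the Foreman project) that loads a settings.yml excerpt using the keys quoted above and audits the two hardening settings before the proxy is restarted. The YAML samples are constructed; the same :trusted_hosts: list is given once with indented items and once flush with the key, so the two layouts can be compared after parsing.

```ruby
# Constructed example: audit a smart-proxy settings.yml for the
# :tls_disabled_versions: and :trusted_hosts: keys discussed in the thread.
require 'yaml'

# settings.yml uses symbol keys (":trusted_hosts:"), so Symbol must be permitted.
# Returns {} for a file in which every line is still commented out.
def load_proxy_settings(text)
  YAML.safe_load(text, permitted_classes: [Symbol]) || {}
end

# Returns a list of findings; an empty list means both settings are as wanted.
# The quoted settings comment says TLS 1.0 is always disabled on current
# proxies, so only '1.1' is required by default; pass %w[1.0 1.1] for a
# proxy version where 1.0 still has to be listed explicitly.
def audit_proxy_settings(settings, wanted_disabled: %w[1.1])
  findings = []
  disabled = Array(settings[:tls_disabled_versions]).map(&:to_s)
  missing = wanted_disabled - disabled
  findings << "tls_disabled_versions does not disable TLS #{missing.join(', ')}" unless missing.empty?
  unless settings.key?(:trusted_hosts)
    findings << 'trusted_hosts is commented out: every verified SSL client is accepted'
  end
  findings
end

# Constructed sample: list items indented under the key.
INDENTED = <<~YAML
  :tls_disabled_versions: ['1.1']
  :trusted_hosts:
    - foreman.prod.domain
    - foreman.dev.domain
YAML

# Constructed sample: same content, list items flush with the key.
FLUSH = <<~YAML
  :tls_disabled_versions: ['1.1']
  :trusted_hosts:
  - foreman.prod.domain
  - foreman.dev.domain
YAML

# Constructed sample: the shipped defaults with both keys still commented out.
DEFAULTS = <<~YAML
  #:tls_disabled_versions: []
  #:trusted_hosts: []
YAML

[INDENTED, FLUSH, DEFAULTS].each do |text|
  puts audit_proxy_settings(load_proxy_settings(text)).inspect
end
```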
Thanks! We are still using 1.7 and upgrading would take time to implement. We’re going to allow 8443 from within the foreman server only through iptables.
I could not find this at first, but I was only looking in the katello part of the manual, not the foreman manual. I did not think of this (as the katello manual looks like a kind of replacement, but with the katello integration in foreman included).