How to disable weak encryption (SSL 2.0 and SSL 3.0) on Red Hat Satellite

Solution Verified - Updated -


Environment

  • Red Hat Satellite 5
  • Red Hat Satellite 6

Issue

  • My Satellite has failed a Nessus scan due to SSL vulnerabilities, how can I disable weak encryption?
  • Security requires me to disable weak encryption (SSL 2.0 and SSL 3.0) on Red Hat Satellite
  • What is the impact of disabling weak encryption on Satellite?

Resolution

Supported Versions

Red Hat Satellite 5

  1. Make a backup of ssl.conf and edit the original
    Satellite 5.2 and earlier: /etc/rhn/satellite-httpd/conf.d/ssl.conf
    Satellite 5.3 and later: /etc/httpd/conf.d/ssl.conf

  2. Comment out (by prefixing with "#"), or remove entries for SSLProtocol

  3. Disable weak encryption by including the following line

    SSLProtocol all -SSLv2 -SSLv3
    
  4. Restart httpd:

    # service httpd restart
    
  • There is no loss of functionality in the webui or client updates and configuration, as the sessions will not have expired.

Red Hat Satellite 6.4 and later

Please refer to the official documentation:

Chapter 7. Disabling Weak Encryption

Red Hat Satellite 6.3.1 and 6.2.15

Satellite 6.2.15 and 6.3.1 both include functionality that allows configuration via the custom-hiera.yml overrides file as detailed in the documentation here

Via this mechanism you can disable weak encryption by editing the /etc/foreman-installer/custom-hiera.yaml file.

  1. Edit /etc/foreman-installer/custom-hiera.yaml
  2. For Satellite, add the following entries:

    # Foreman Proxy
    foreman_proxy::tls_disabled_versions: ['1.1']
    
    # Dynflow
    foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
    
    # Puppet 3
    puppet::server::passenger::ssl_protocol: 'ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2'
    
    # Apache
    apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1', '-TLSv1.1', '+TLSv1.2']
    
    # Tomcat / Candlepin
    candlepin::tls_versions: ['1.2']
    
    # QPID Dispatch
    foreman_proxy_content::qpid_router_ssl_protocols: ['TLSv1.2']
    foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'
    

    Satellite 6.2.15 on RHEL 6

  • Due to limitations in Ruby 1.8.7 when handling arrays, the following workaround has to be applied for Dynflow:

    foreman_proxy::plugin::dynflow::tls_disabled_versions: ["['1.0', '1.1']"]
    

    Otherwise you will get the following error:

     [root@satellite6 ~]# satellite-installer
     Could not start Service[smart_proxy_dynflow_core]: Execution of '/sbin/service smart_proxy_dynflow_core start' returned 1: Starting smart_proxy_dynflow_core: /opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.1.3.2/lib/smart_proxy_dynflow_core/launcher.rb:87:in `https_app': undefined method `each' for "1.01.1":String (NoMethodError) /Stage[main]/Foreman_proxy::Plugin::Dynflow/Service[smart_proxy_dynflow_core]/ensure: change from stopped to running failed: Could not start Service[smart_proxy_dynflow_core]: Execution of '/sbin/service smart_proxy_dynflow_core start' returned 1: Starting smart_proxy_dynflow_core: /opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.1.3.2/lib/smart_proxy_dynflow_core launcher.rb:87:in `https_app': undefined method `each' for "1.01.1":String (NoMethodError)
    

More details can be found in BZ#1598331

  1. For Capsules, add the entries above and also the following:

    pulp::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"
    
  2. If you use Puppet 4, edit /etc/puppetlabs/puppetserver/conf.d/webserver.conf and add the following to the webserver: block:

    ssl-protocols: ["TLSv1.2"]
    
  • If you have configured Puppet 3, edit /etc/foreman-installer/custom-hiera.yaml and add the following:

    # Foreman Proxy
    foreman_proxy::tls_disabled_versions: ['1.1']
    
    # Dynflow
    foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
    
    # Puppet 3
    puppet::server::passenger::ssl_protocol: 'ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2'
    
    # Apache
    apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1', '-TLSv1.1', '+TLSv1.2']
    
    # Tomcat / Candlepin
    candlepin::tls_versions: ['1.2']
    
    # QPID Dispatch
    foreman_proxy_content::qpid_router_ssl_protocols: ['TLSv1.2']
    foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'
    
    # PULP
    pulp::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"
    
  1. Run satellite-installer with no arguments to apply the updated overridden configuration.
  2. Restart services with katello-service restart

NOTE: For Puppet 3, you need to run

# satellite-installer -S capsule --disable-system-checks

NOTE: This will secure all services except for qpid-dispatch-router which will gain TLS 1.2 support with the release of Satellite 6.3.2 in June 2018. Customers who require full TLS compliant services will be required to upgrade to Satellite 6.3.2 when available. This update will not be available on 6.2 or prior versions. More information can be found in the bugzilla here: Bugzilla 1553875

NOTE: Currently the qpidd service running in Satellite does not support cipher suite restrictions but is restricted to only accept connections from localhost. We have no plans to add support for cipher suite restrictions to qpidd directly.

Red Hat Satellite 6.2.14 and earlier

  1. Make a backup of /etc/httpd/conf.d/ssl.conf and edit the original
  2. Comment out (by prefixing with "#"), or remove entries for SSLProtocol
  3. Ensure the following line is included:

    SSLProtocol all -SSLv2 -SSLv3
    
  4. Find the other files generated by katello that need to be updated

    # grep -ri sslprotocol /etc/httpd/conf.d
    
  5. For each file listed that has +SSLv3, such as this example:

    /etc/httpd/conf.d/25-puppet.conf:  SSLProtocol             -ALL +SSLv3 +TLSv1
    /etc/httpd/conf.d/ssl.conf:  SSLProtocol all -SSLv2 -SSLv3
    

    make a backup of the file

    # cp /etc/httpd/conf.d/25-puppet.conf{,.poodlebkp}
    

    then replace +SSLv3 with -SSLv3, so that the output looks like this when you re-run the grep -ri sslprotocol /etc/httpd/conf.d command:

    /etc/httpd/conf.d/25-puppet.conf:  SSLProtocol             -ALL -SSLv3 +TLSv1
    /etc/httpd/conf.d/ssl.conf:  SSLProtocol all -SSLv2 -SSLv3
    

    Note: This procedure needs to be repeated every time you run katello-installer; this requirement will be removed in a future errata.

  6. Restart httpd :

    # service httpd restart
    
  • As with the other releases, no loss of functionality is to be expected in the web interface or client updates and configuration, as the sessions will not have expired.
  • Note: With external capsules, a full restart may be required to restart all services.
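The SSLProtocol edits for Satellite 5 above and the grep step for Satellite 6.2.14 both depend on how mod_ssl evaluates that directive (a "-ALL +SSLv3" line is weak even though the ssl.conf line is clean). The following POSIX shell audit is an added example, not part of the article: it evaluates every SSLProtocol line under a conf.d directory and reports the ones that still allow SSLv2 or SSLv3. The function names and the SSLPROTO_ALL override are assumptions of this example.

```shell
# Added example, not from the article: evaluate Apache SSLProtocol directives the
# way mod_ssl does (tokens left to right, "+X" adds, "-X" removes, a bare token
# replaces the set) and report any that still allow SSLv2/SSLv3.  "all" expands
# per httpd version: 2.4 (RHEL 7) excludes SSLv2, 2.2 (RHEL 5/6) includes it.
SSLPROTO_ALL=${SSLPROTO_ALL:-"SSLv3 TLSv1 TLSv1.1 TLSv1.2"}

# Print the protocols a directive value leaves enabled, one per line.
sslprotocol_effective() {
    enabled=""
    for tok in $1; do
        case $tok in
            +*) action=add; name=${tok#+} ;;
            -*) action=del; name=${tok#-} ;;
            *)  action=set; name=$tok ;;
        esac
        case $name in
            [Aa][Ll][Ll]) members=$SSLPROTO_ALL ;;
            SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2) members=$name ;;
            *) echo "unknown SSLProtocol token: $tok" >&2; return 2 ;;
        esac
        case $action in
            set) enabled=$members ;;
            add) enabled="$enabled $members" ;;
            del) kept=""
                 for e in $enabled; do
                     case " $members " in *" $e "*) ;; *) kept="$kept $e" ;; esac
                 done
                 enabled=$kept ;;
        esac
    done
    for p in SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; do
        case " $enabled " in *" $p "*) echo "$p" ;; esac
    done
}

# Exit 0 when the directive still allows SSLv2 or SSLv3.
sslprotocol_allows_weak() { sslprotocol_effective "$1" | grep -qx 'SSLv[23]'; }
# Scan a conf.d directory (the article's "grep -ri sslprotocol" step) and list
# every SSLProtocol directive that still allows SSLv2/SSLv3; exit 1 if any found.
audit_sslprotocol_dir() {
    weak=$(grep -rHi '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | while IFS= read -r line; do
        file=${line%%:*}
        set -- $(printf '%s\n' "${line#*:}" | sed 's/#.*//'); shift   # drop the keyword
        if sslprotocol_allows_weak "$*"; then printf '%s: %s\n' "$file" "$*"; fi
    done)
    [ -z "$weak" ] && return 0
    printf '%s\n' "$weak"
    return 1
}
```

Run it as `audit_sslprotocol_dir /etc/httpd/conf.d` after the edits and again after every katello-installer run; an empty result and exit status 0 means no directive re-enables SSLv2/SSLv3. On RHEL 6 hosts (httpd 2.2) set SSLPROTO_ALL="SSLv2 SSLv3 TLSv1" first so that a bare "all" is treated as including SSLv2.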
