How to disable weak encryption (SSL 2.0 and SSL 3.0) on Red Hat Satellite

Solution Verified

Environment

  • Red Hat Satellite 5
  • Red Hat Satellite 6

Issue

  • My Satellite has failed a Nessus scan due to SSL vulnerabilities. How can I disable weak encryption?
  • Security requires me to disable weak encryption (SSL 2.0 and SSL 3.0) on Red Hat Satellite.
  • What is the impact of disabling weak encryption on Satellite?

Resolution

Supported Versions

Red Hat Satellite 5

  1. Make a backup of ssl.conf and edit the original:
    Satellite 5.2 and earlier: /etc/rhn/satellite-httpd/conf.d/ssl.conf
    Satellite 5.3 and later: /etc/httpd/conf.d/ssl.conf

  2. Comment out (by prefixing with "#"), or remove, any existing SSLProtocol entries.

  3. Disable weak encryption by including the following line:

    SSLProtocol all -SSLv2 -SSLv3
    
  4. Restart httpd:

    # service httpd restart
    
  • There is no loss of functionality in the web UI or in client updates and configuration, as existing sessions will not have expired.

Red Hat Satellite 6.4 and later

Please refer to the official documentation:

Chapter 7. Disabling Weak Encryption

Red Hat Satellite 6.3.1 and 6.2.15

Satellite 6.2.15 and 6.3.1 both include functionality that allows configuration via the custom-hiera.yaml overrides file, as detailed in the documentation here.

Via this mechanism you can disable weak encryption by editing the /etc/foreman-installer/custom-hiera.yaml file.

  1. Edit /etc/foreman-installer/custom-hiera.yaml
  2. For Satellite, add the following entries:

    # Foreman Proxy
    foreman_proxy::tls_disabled_versions: ['1.1']
    
    # Dynflow
    foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
    
    # Puppet 3
    puppet::server::passenger::ssl_protocol: 'ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2'
    
    # Apache
    apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1', '-TLSv1.1', '+TLSv1.2']
    
    # Tomcat / Candlepin
    candlepin::tls_versions: ['1.2']
    
    # QPID Dispatch
    foreman_proxy_content::qpid_router_ssl_protocols: ['TLSv1.2']
    foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'
    

Satellite 6.2.15 on RHEL 6

  • Due to limitations in Ruby 1.8.7 when handling arrays, the following workaround has to be applied for Dynflow:

    foreman_proxy::plugin::dynflow::tls_disabled_versions: ["['1.0', '1.1']"]

Otherwise you will get the following error:

[root@satellite6 ~]# satellite-installer
Could not start Service[smart_proxy_dynflow_core]: Execution of '/sbin/service smart_proxy_dynflow_core start' returned 1: Starting smart_proxy_dynflow_core: /opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.1.3.2/lib/smart_proxy_dynflow_core/launcher.rb:87:in `https_app': undefined method `each' for "1.01.1":String (NoMethodError)
/Stage[main]/Foreman_proxy::Plugin::Dynflow/Service[smart_proxy_dynflow_core]/ensure: change from stopped to running failed: Could not start Service[smart_proxy_dynflow_core]: Execution of '/sbin/service smart_proxy_dynflow_core start' returned 1: Starting smart_proxy_dynflow_core: /opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.1.3.2/lib/smart_proxy_dynflow_core/launcher.rb:87:in `https_app': undefined method `each' for "1.01.1":String (NoMethodError)

More details can be found in BZ#1598331.

  3. For Capsules, add the above entries but also the following:

    pulp::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"
    
  4. If you use Puppet 4, edit /etc/puppetlabs/puppetserver/conf.d/webserver.conf and add the following to the webserver: block:

    ssl-protocols: ["TLSv1.2"]
    
  5. If you have configured Puppet 3, edit /etc/foreman-installer/custom-hiera.yaml and ensure it contains:

    # Foreman Proxy
    foreman_proxy::tls_disabled_versions: ['1.1']
    
    # Dynflow
    foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
    
    # Puppet 3
    puppet::server::passenger::ssl_protocol: 'ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2'
    
    # Apache
    apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1', '-TLSv1.1', '+TLSv1.2']
    
    # Tomcat / Candlepin
    candlepin::tls_versions: ['1.2']
    
    # QPID Dispatch
    foreman_proxy_content::qpid_router_ssl_protocols: ['TLSv1.2']
    foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'
    
    # PULP
    pulp::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"
    
  6. Run satellite-installer with no arguments to apply the updated overridden configuration.
  7. Restart services with katello-service restart.

NOTE: For Puppet 3, you need to run

# satellite-installer -S capsule --disable-system-checks

NOTE: This secures all services except qpid-dispatch-router, which will gain TLS 1.2 support with the release of Satellite 6.3.2 in June 2018. Customers who require fully TLS-compliant services will need to upgrade to Satellite 6.3.2 when it is available. This update will not be available on 6.2 or prior versions. More information can be found in the bugzilla here: Bugzilla 1553875

NOTE: Currently the qpidd service running in Satellite does not support cipher suite restrictions, but it is restricted to accepting connections from localhost only. We have no plans to add support for cipher suite restrictions to qpidd directly.

Red Hat Satellite 6.2.14 and earlier

  1. Make a backup of /etc/httpd/conf.d/ssl.conf and edit the original.
  2. Comment out (by prefixing with "#"), or remove, any existing SSLProtocol entries.
  3. Ensure the following line is included:

    SSLProtocol all -SSLv2 -SSLv3
    
  4. Find the other files generated by katello that need to be updated:

    # grep -ri sslprotocol /etc/httpd/conf.d
    
  5. For each file listed that has +SSLv3, such as 25-puppet.conf in this example:

    /etc/httpd/conf.d/25-puppet.conf:  SSLProtocol             -ALL +SSLv3 +TLSv1
    /etc/httpd/conf.d/ssl.conf:  SSLProtocol all -SSLv2 -SSLv3
    
    make a backup of the file:

    # cp /etc/httpd/conf.d/25-puppet.conf{,.poodlebkp}
    
    then replace +SSLv3 with -SSLv3, so that re-running the grep -ri sslprotocol /etc/httpd/conf.d command shows:

    /etc/httpd/conf.d/25-puppet.conf:  SSLProtocol             -ALL -SSLv3 +TLSv1
    /etc/httpd/conf.d/ssl.conf:  SSLProtocol all -SSLv2 -SSLv3
    
    Note: This procedure needs to be repeated every time you run katello-installer; this requirement will be removed in a future errata.

  6. Restart httpd :

    # service httpd restart
    
  • As with the other releases, no loss of functionality is to be expected in the web interface or in client updates and configuration, as existing sessions will not have expired.
  • Note: With external capsules, a full restart may be required to restart all services.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

13 Comments

right path of config file is /etc/httpd/conf.d/ssl.conf (Satellite Version 5.6)

That path is already listed under the "... 5.3 and later" section.

Thanks for your comment - we have worked on rewriting this old knowledge base with current information.

So what happens next time we run the satellite install.pl to upgrade the satellite server?

What about other components of Satellite -- like jabberd? Can they be configured to not use SSLv3?

Exactly, jabberd is still using vulnerable SSLv3. Poodle has been around for more than 1 month. Our security division is chasing me for this issue.

Marcin, if you haven't already, you should open up a support case for your issue. Please be sure to point out this article and how it is believed that not all the Satellite components are addressed here like they should be.

Yeah, already done. I will share the solution. It is strange that nobody from RH has picked that up already.

What was the solution?

And we on satellite 6 are still stuck with this being overwritten on upgrade? This has been out for a long time, making the system vulnerable again is just terrible practice. I see 'Note: This procedure needs to be repeated every time you run katello-installer, this requirement will be removed in a future errata.' Where is that future errata?

This does not appear to work on RHEL7 with Sat6.2. The ssl.conf is not present in the path specified.

This path and change appeared to work as desired:

/etc/httpd/conf.modules.d/ssl.conf

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

NB: this breaks command line yum functionality on client machines.

How does this break cmdline yum on clients? Are you talking about those clients which are fed by satellite for content?

It seems like custom-hiera.yaml is missing the -SSLv2 on the lines with -SSLv3.