How to disable weak encryption (SSL 2.0 and SSL 3.0) on Red Hat Satellite
Red Hat Insights can detect this issue
Environment
- Red Hat Satellite 5
- Red Hat Satellite 6
Issue
- My Satellite has failed a Nessus scan due to SSL vulnerabilities, how can I disable weak encryption?
- Security requires me to disable weak encryption (SSL 2.0 and SSL 3.0) on Red Hat Satellite
- What is the impact of disabling weak encryption on Satellite?
Resolution
Supported Versions
- Only versions of Satellite running on at least RHEL 6 are currently supported.
- In practice, this means that the earliest supported version of Satellite is 5.6
- Please review the Red Hat Satellite and Proxy Server Life Cycle
Red Hat Satellite 5
- Make a backup of ssl.conf and edit the original:
  Satellite 5.2 and earlier: /etc/rhn/satellite-httpd/conf.d/ssl.conf
  Satellite 5.3 and later: /etc/httpd/conf.d/ssl.conf
- Comment out (by prefixing with "#"), or remove, any existing SSLProtocol entries
- Disable weak encryption by including the following line:
  SSLProtocol all -SSLv2 -SSLv3
- Restart httpd:
  # service httpd restart
- There is no loss of functionality in the webui or client updates and configuration, as the sessions will not have expired.
Red Hat Satellite 6.4 and later
Please refer to the official documentation:
Chapter 7. Disabling Weak Encryption
Red Hat Satellite 6.3.1 and 6.2.15
Satellite 6.2.15 and 6.3.1 both include functionality that allows configuration via the custom-hiera.yaml overrides file, as detailed in the documentation here. Via this mechanism you can disable weak encryption by editing the /etc/foreman-installer/custom-hiera.yaml file.
- Edit /etc/foreman-installer/custom-hiera.yaml
- For Satellite, add the following entries:
  # Foreman Proxy
  foreman_proxy::tls_disabled_versions: ['1.1']
  # Dynflow
  foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
  # Puppet 3
  puppet::server::passenger::ssl_protocol: 'ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2'
  # Apache
  apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1', '-TLSv1.1', '+TLSv1.2']
  # Tomcat / Candlepin
  candlepin::tls_versions: ['1.2']
  # QPID Dispatch
  foreman_proxy_content::qpid_router_ssl_protocols: ['TLSv1.2']
  foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'
Satellite 6.2.15 on RHEL 6
- Due to limitations in Ruby 1.8.7 when handling arrays, the following workaround has to be applied for Dynflow:
  foreman_proxy::plugin::dynflow::tls_disabled_versions: ["['1.0', '1.1']"]
  Otherwise you will get the following error (note how the array ['1.0', '1.1'] has been collapsed into the single string "1.01.1"):
  [root@satellite6 ~]# satellite-installer
  Could not start Service[smart_proxy_dynflow_core]: Execution of '/sbin/service smart_proxy_dynflow_core start' returned 1: Starting smart_proxy_dynflow_core: /opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.1.3.2/lib/smart_proxy_dynflow_core/launcher.rb:87:in `https_app': undefined method `each' for "1.01.1":String (NoMethodError)
  /Stage[main]/Foreman_proxy::Plugin::Dynflow/Service[smart_proxy_dynflow_core]/ensure: change from stopped to running failed: Could not start Service[smart_proxy_dynflow_core]: Execution of '/sbin/service smart_proxy_dynflow_core start' returned 1: Starting smart_proxy_dynflow_core: /opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.1.3.2/lib/smart_proxy_dynflow_core/launcher.rb:87:in `https_app': undefined method `each' for "1.01.1":String (NoMethodError)
  More details can be found in BZ#1598331
- For Capsules, add the above entries but also the following:
  pulp::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"
- In the case of Puppet 4, edit /etc/puppetlabs/puppetserver/conf.d/webserver.conf and add the following to the webserver: block:
  ssl-protocols: ["TLSv1.2"]
- If you have configured Puppet 3, edit /etc/foreman-installer/custom-hiera.yaml so that it contains:
  # Foreman Proxy
  foreman_proxy::tls_disabled_versions: ['1.1']
  # Dynflow
  foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']
  # Puppet 3
  puppet::server::passenger::ssl_protocol: 'ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2'
  # Apache
  apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1', '-TLSv1.1', '+TLSv1.2']
  # Tomcat / Candlepin
  candlepin::tls_versions: ['1.2']
  # QPID Dispatch
  foreman_proxy_content::qpid_router_ssl_protocols: ['TLSv1.2']
  foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'
  # PULP
  pulp::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"
- Run satellite-installer with no arguments to apply the updated overridden configuration.
- Restart services with katello-service restart
NOTE: For Puppet 3, the installer needs to be run as:
  # satellite-installer -S capsule --disable-system-checks
NOTE: This will secure all services except for qpid-dispatch-router, which will gain TLS 1.2 support with the release of Satellite 6.3.2 in June 2018. Customers who require fully TLS-compliant services will be required to upgrade to Satellite 6.3.2 when available. This update will not be available on 6.2 or prior versions. More information can be found in Bugzilla 1553875.
NOTE: Currently the qpidd service running in Satellite does not support cipher suite restrictions but is restricted to only accept connections from localhost. We have no plans to add support for cipher suite restrictions to qpidd directly.
Red Hat Satellite 6.2.14 and earlier
- Make a backup of /etc/httpd/conf.d/ssl.conf and edit the original
- Comment out (by prefixing with "#"), or remove, any existing SSLProtocol entries
- Ensure the following line is included:
  SSLProtocol all -SSLv2 -SSLv3
- Find the other files generated by katello that need to be updated:
  # grep -ri sslprotocol /etc/httpd/conf.d
- For each file listed that has +SSLv3, such as this example:
  /etc/httpd/conf.d/25-puppet.conf: SSLProtocol -ALL +SSLv3 +TLSv1
  /etc/httpd/conf.d/ssl.conf: SSLProtocol all -SSLv2 -SSLv3
  make a backup of the file
  # cp /etc/httpd/conf.d/25-puppet.conf{,.poodlebkp}
  then replace +SSLv3 with -SSLv3, so that the output looks like this when you re-run the grep -ri sslprotocol /etc/httpd/conf.d command:
  /etc/httpd/conf.d/25-puppet.conf: SSLProtocol -ALL -SSLv3 +TLSv1
  /etc/httpd/conf.d/ssl.conf: SSLProtocol all -SSLv2 -SSLv3
  Note: This procedure needs to be repeated every time you run katello-installer; this requirement will be removed in a future errata.
- Restart httpd:
  # service httpd restart
- As with the other releases, no loss of functionality is to be expected in the web interface or client updates and configuration, as the sessions will not have expired.
- Note: With external capsules, a full restart may be required to restart all services.
- Please review solutions/1187883 for more detail.
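Because the katello-installer regenerates the +SSLv3 directives, the edit-and-grep steps for Satellite 5 and 6.2.14 above are worth scripting together with an audit that can be re-run after every installer run. This is an added example, not code from the Red Hat solution; CONF_DIR and the sample conf files are assumptions (on a Satellite host you would point it at /etc/httpd/conf.d).

```shell
#!/bin/sh
# Added example (not from the Red Hat solution): scripts the SSLProtocol clean-up
# the article describes for /etc/httpd/conf.d and adds an audit you can re-run
# after katello-installer. CONF_DIR is an assumption; a constructed temp dir is
# used by default so nothing under /etc/httpd is touched.

# Print SSLProtocol directives in *.conf files that still permit SSLv2/SSLv3
# (explicit +SSLv2/+SSLv3, or "all" lacking -SSLv2 and -SSLv3). httpd only
# includes *.conf from conf.d, so .poodlebkp backups are ignored, as httpd does.
# Exit status: 0 when clean, 1 when at least one directive is flagged.
audit_sslprotocol() {
    find "$1" -name '*.conf' -exec grep -Hi '^[[:space:]]*SSLProtocol[[:space:]]' {} + |
    awk '{ l = tolower($0); bad = 0
           if (l ~ /[+]sslv[23]/) bad = 1
           if (l ~ /sslprotocol[ \t]+all/ && (l !~ /-sslv2/ || l !~ /-sslv3/)) bad = 1
           if (bad) { print; n++ } }
         END { exit (n > 0) }'
}
# Back up one file with the article's .poodlebkp suffix, then rewrite its
# SSLProtocol lines: +SSLv2/+SSLv3 become -SSLv2/-SSLv3, and a plain "all"
# gains the "-SSLv2 -SSLv3" exclusions shown in the article.
harden_sslprotocol() {
    f="$1"
    cp "$f" "$f.poodlebkp"
    sed -e '/^[[:space:]]*SSLProtocol[[:space:]]/{
s/+SSLv2/-SSLv2/g
s/+SSLv3/-SSLv3/g
/SSLProtocol[[:space:]]\{1,\}[Aa][Ll][Ll]/{
/-SSLv2/!s/$/ -SSLv2/
/-SSLv3/!s/$/ -SSLv3/
}
}' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}
# Harden every flagged *.conf under a directory, then re-audit the directory.
harden_dir() {
    for f in $(find "$1" -name '*.conf'); do
        audit_sslprotocol "$f" >/dev/null || harden_sslprotocol "$f"
    done
    audit_sslprotocol "$1"
}
# Constructed stand-in for /etc/httpd/conf.d, mirroring the article's grep output.
make_sample_confdir() {
    d=$(mktemp -d)
    printf 'SSLProtocol -ALL +SSLv3 +TLSv1\n' > "$d/25-puppet.conf"
    printf 'SSLEngine on\nSSLProtocol all\n' > "$d/ssl.conf"
    echo "$d"
}
CONF_DIR=${CONF_DIR:-$(make_sample_confdir)}
harden_dir "$CONF_DIR" && grep -i sslprotocol "$CONF_DIR"/*.conf   # shows the fixed lines
```

Run audit_sslprotocol /etc/httpd/conf.d after each katello-installer run; a non-zero exit means the installer has reintroduced a directive that needs the fix again, and httpd still has to be restarted for any change to take effect.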
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.