How do I enable ECDHE ciphers with pcsd in a RHEL 7 Pacemaker cluster?

Solution Verified - Updated

Issue

  • How do I enable elliptic curve Diffie-Hellman ephemeral (ECDHE) key exchange ciphers for the pcsd daemon?
  • Ephemeral ECDH ciphers don't work with pcsd on RHEL 7.
  • I'm unable to connect to the pcsd port using an ECDHE cipher.

    # openssl s_client -connect localhost:2224 -cipher ECDHE-ECDSA-AES128-SHA256 -tls1_2
    140342324156304:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
    140342324156304:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
    CONNECTED(00000003)
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID: 
        Session-ID-ctx: 
        Master-Key: 
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1599799544
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---
    
  • The openssl ciphers command shows several ECDHE cipher suites available for TLSv1.2, but nmap's ssl-enum-ciphers script reports none of them as offered by pcsd on port 2224.

    # openssl ciphers -v | grep ECDHE | grep 'TLSv1\.2'
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
    ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
    
    # nmap -p 2224 -Pn localhost --script +ssl-enum-ciphers
    ...
    PORT     STATE SERVICE
    2224/tcp open  efi-mg
    | ssl-enum-ciphers: 
    |   TLSv1.2: 
    |     ciphers: 
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
    |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
    |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
    |       TLS_RSA_WITH_SEED_CBC_SHA - strong
    |     compressors: 
    |       NULL
    |_  least strength: weak
    
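The two checks above can be combined into one script that tries every ECDHE TLSv1.2 suite the local OpenSSL knows against a pcsd node and reports which ones the daemon actually negotiates. This is an added example written for this page, not a script from Red Hat or from the pcs project; it only uses the openssl commands shown above and assumes the OpenSSL 1.0.2 command-line tool found on RHEL 7, with localhost and port 2224 as the defaults. The parsing helpers read their input from stdin so they can be exercised offline on the transcripts already shown in the Issue section.

```shell
#!/bin/sh
# Added example (not from the Red Hat article or the pcs project): probe a
# pcsd TLS port for each ECDHE TLSv1.2 cipher suite that the local OpenSSL
# supports and report which ones the server accepts.

# Print the suite names that "openssl ciphers -v" lists as ECDHE key exchange
# on TLSv1.2. Input is the "openssl ciphers -v" output on stdin.
ecdhe_tls12_names() {
    awk '$1 ~ /^ECDHE-/ && $2 == "TLSv1.2" { print $1 }'
}

# Exit 0 when an "openssl s_client" transcript (stdin) shows a completed
# handshake: the "New, ..., Cipher is ..." line names a real suite instead of
# "(NONE)", which is what the failing handshake on the page prints.
handshake_negotiated() {
    grep -q '^New, .*Cipher is [A-Z0-9]'
}

# Count the ECDHE suites an "nmap --script +ssl-enum-ciphers" report (stdin)
# lists; prints 0 when the server offers none, as in the page's output.
nmap_ecdhe_count() {
    grep -c 'TLS_ECDHE_' || true
}

# Probe one suite against host:port with the same s_client invocation the
# page uses. </dev/null makes s_client exit right after the handshake.
probe_cipher() {
    host=$1; port=$2; cipher=$3
    out=$(openssl s_client -connect "$host:$port" -cipher "$cipher" -tls1_2 </dev/null 2>&1)
    if printf '%s\n' "$out" | handshake_negotiated; then
        echo "$cipher: accepted"
    else
        echo "$cipher: rejected (handshake failure)"
    fi
}

# Probe every ECDHE TLSv1.2 suite known to the local OpenSSL against pcsd.
# Assumption: host and port default to localhost:2224 as on the page.
probe_all_ecdhe() {
    host=${1:-localhost}; port=${2:-2224}
    openssl ciphers -v | ecdhe_tls12_names | while read -r c; do
        probe_cipher "$host" "$port" "$c"
    done
}

# Usage: sh probe-ecdhe.sh --probe [host] [port]
case "${1:-}" in
    --probe) probe_all_ecdhe "${2:-localhost}" "${3:-2224}" ;;
esac
```

Run it as `sh probe-ecdhe.sh --probe localhost 2224` on a cluster node; a pcsd that rejects ECDHE will print "rejected (handshake failure)" for every suite, which matches the empty ECDHE list in the nmap output, while a correctly configured daemon shows at least the suites its certificate type (RSA or ECDSA) can serve.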

Environment

  • Red Hat Enterprise Linux 7 (with the High Availability Add-on)
