Fixes #39405 - Add tls_min_version and tls_ciphers settings#947
Fixes #39405 - Add tls_min_version and tls_ciphers settings#947adamlazik1 wants to merge 1 commit into
Conversation
|
Since tls_disabled_ciphers became dead code because of tls_ciphers, I decided to remove the deprecated opts in the same PR. |
ekohl
left a comment
There was a problem hiding this comment.
This is a breaking change so perhaps this is good to share in the community. Perhaps an upstream RFC, even if it's just informational? Then in the release note you can refer to it.
|
|
https://github.com/theforeman/puppet-candlepin/blob/033a4f1d8d1e5bdfefdc9f3d01ebb9fe374ab747/spec/acceptance/basic_candlepin_spec.rb#L14-L28 is my tip on how to verify the outcome. |
adamruzicka
left a comment
There was a problem hiding this comment.
Seems to work well, except for the empty string.
For what I checked see https://gist.github.com/adamruzicka/4b6370339dd36b9f9836aeba2080f40a . There are more combinations that could be made, but the essentials should be covered.
I'd say yes. |
|
An array with arbitrary values can be passed in as a value for |
And I also found https://testssl.sh/ |
| :SSLCiphers => CIPHERS - Proxy::SETTINGS.ssl_disabled_ciphers, | ||
| :SSLOptions => build_ssl_options, | ||
| :SSLCiphers => tls_ciphers, | ||
| :SSLMinVersion => resolve_tls_min_version, |
There was a problem hiding this comment.
If we set crypto-policy to DEFAULT:TLS13-ONLY (TLS13-ONLY being a custom subpolicy) but in the config we set tls_min_version to 1.2, this would keep the correct cipher set but would degrade TLS min version to 1.2 (in conflict with crypto-policies).
There was a problem hiding this comment.
Chmm, in theory we could go back to the old approach of disabling individual versions which should interact with crypto policies in a slightly better way
There was a problem hiding this comment.
I think it's a bit of an edge case. I'd prefer to have 2 use cases:
- crypto-policies (RPM-based installs)
- explicitly configured (where crypto-policies is unavailable, like Debian, FreeBSD and Windows)
The case where you configure 1 option, but not the other is IMHO up to the user who does that.
There was a problem hiding this comment.
We can keep min_tls version in repo and remove it in the foreman-packaging rpm patch so that rpm builds rely only on crypto policies. Would that work @adamruzicka @ekohl ?
There was a problem hiding this comment.
I'd prefer to have as few patches in packaging as possible. How about making PROFILE=SYSTEM special and refusing to start if tls_ciphers == 'PROFILE=SYSTEM' and tls_min_version is set?
There was a problem hiding this comment.
Agree, and please add a test for it.
There was a problem hiding this comment.
We can keep min_tls version in repo and remove it in the foreman-packaging rpm patch so that rpm builds rely only on crypto policies.
If we're confident enough in the auto-detection then we wouldn't need any packaging patch. I'd be OK with that. Emitting a log message on startup that can be asserted in automated tests is probably enough.
I'd prefer to have as few patches in packaging as possible. How about making
PROFILE=SYSTEMspecial and refusing to start iftls_ciphers == 'PROFILE=SYSTEM'andtls_min_versionis set?
Is it really a problem? If the user configures it that way, what will break? If foremanctl doesn't provide you any option to set that then IMHO it's really up to the user. Perhaps emit a log warning?
There was a problem hiding this comment.
I'd prefer to have as few patches in packaging as possible. How about making PROFILE=SYSTEM special and refusing to start if tls_ciphers == 'PROFILE=SYSTEM' and tls_min_version is set?
Applied.
| :SSLOptions => ssl_options, | ||
| :SSLCiphers => CIPHERS - Proxy::SETTINGS.ssl_disabled_ciphers, | ||
| :SSLOptions => build_ssl_options, | ||
| :SSLCiphers => tls_ciphers, |
There was a problem hiding this comment.
This works for TLS 1.2 but not for TLS 1.3. Unfurtunately, SSL_CTX_set_cipher_list() is TLS 1.2 only and SSL_CTX_set_ciphersuites() is TLS 1.3 only and the Webrick/Ruby stack under the hood only seems to do the former.
The same hack as in https://github.com/theforeman/smart-proxy/pull/947/changes#diff-54572e87725df68a63244713ca93aa40c81de79d76cba589c0a1d0329812db04R160 might help.
There was a problem hiding this comment.
This may make your work easier: warmcat/libwebsockets#1440
There was a problem hiding this comment.
Currently trying to resolve this, for now I have no idea why the tests fail. I need to investigate further.
9045fd8 to
d1eb537
Compare
|
The CI failure is real, I've just reproduced on Debian with the current PR version. The proxy refuses to start because We probably need to check whether Interestingly, it seems that Red Hat's version of Ruby has this patched in earlier Ruby versions (https://gitlab.com/redhat/centos-stream/rpms/ruby/-/commit/42815870), which is why it works on RHEL with Ruby 3.0.7, but fails in CI on Ruby 3.0 and 3.1 (upstream, it got patched in 3.2 ruby/openssl#493). |
Applied. Went with this suggestion. |
lhellebr
left a comment
There was a problem hiding this comment.
More issues found - I haven't really tested yet but this seems sus on reading. These things are getting quite complicated.
| rescue OpenSSL::SSL::SSLError | ||
| nil | ||
| end | ||
| elsif settings.tls_ciphers && settings.tls_min_version == '1.3' |
There was a problem hiding this comment.
-
What if the user didn't specify TLS 1.3 explicitly (thus it's still allowed together with 1.2) but has specified some constraints for a cipher that is applicable to TLS 1.3? Wouldn't then those be ignored on a machine without
ciphersuites=and wouldn't TLS 1.3 still run, but with any cipher available, even those that the user forbid? -
What if the user allows both TLS 1.2 and 1.3 but specifies a cipher only recognized by
ciphersuites=(because it's only in TLS 1.3)?ciphers=would return nil and allow any TLS 1.2 cipher, wouldn't it?
There was a problem hiding this comment.
1
You are right. And to be honest I have no idea how to solve that. Consulting AI gave me these options:
a. Widen the elsif guard to settings.tls_ciphers (without the tls_min_version check) — raises whenever any explicit cipher is set and ciphersuites= is absent. This is safe but means PROFILE=SYSTEM without tls_min_version also refuses to start on Ruby 3.0, which is overly strict.
b. Accept the limitation and document it — on Ruby 3.0 without the Red Hat backport, TLS 1.3 cipher restrictions from tls_ciphers are silently not applied. Practically, PROFILE=SYSTEM is only meaningful on RHEL where ciphersuites= is always available anyway, so real-world exposure is low.
To me, b. seems more viable. Let me know your thoughts, or if you know about another solution.
2
Added logger warning for this case, let me know if I should change it to exception.
| nil | ||
| end | ||
| elsif settings.tls_ciphers && settings.tls_min_version == '1.3' | ||
| raise "tls_min_version '1.3' is configured but this Ruby/OpenSSL build does not support TLS 1.3. " \ |
There was a problem hiding this comment.
Misleading message. It supports TLS 1.3 but doesn't support constraining it by ciphersuites=.
7048aa0 to
b7d2025
Compare
|
Removed the packaging patch inclusion. |
|
ACK — Verified on RHEL 9.8 (Satellite, packit build I'm ACKing this PR because the known issues listed below are not regressions — the same behavior exists in the current code without this PR. However, I want to be transparent that this PR introduces a cipher configuration interface that does not fully deliver on its promise: an admin setting What was testedTested Security concerns (not regressions, tracked separately)
Notes
|
Removed ssl_disabled_ciphers and tls_disabled_versions.
|
Squashed. |
Made with Cursor.