Bug #17078
closed
smart_proxy_dynflow_core weak cipher
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1388198
Description of problem:Security scan detected a weak cipher within smart_proxy_dynflow_core service (port 8008)
Version-Release number of selected component (if applicable): 0.1.3-1.el7
How reproducible:
ALWAYS
Steps to Reproduce:
1. systemctl start smart_proxy_dynflow_core.service
2. nmap --script +ssl-enum-ciphers localhost -p 8008
- nmap --script +ssl-enum-ciphers localhost -p 8008
Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-24 13:44 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (2000s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
8008/tcp open http
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: weak
Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
Expected results: |_ least strength: strong
Additional info:
Would be nice to control both the protocols and ciphers that are used.
We should take the proxy settings as a defualt of disabled ciphers
https://github.com/theforeman/puppet-foreman_proxy/blob/91e5105c78a7b18e363784729fbc45dc5ff735a0/manifests/init.pp#L70
Updated by Ivan Necas over 7 years ago
- Subject changed from smart_proxy_dynflow_core weak cipher to smart_proxy_dynflow_core weak cipher
- Target version set to 1.4.1
Updated by Adam Ruzicka over 7 years ago
- Project changed from foreman-tasks to Foreman Remote Execution
- Category set to Smart Proxy Dynflow
- Status changed from New to Ready For Testing
- Assignee set to Adam Ruzicka
- Pull request https://github.com/theforeman/smart_proxy_dynflow/pull/27 added
Changing the project to make theforeman-bot happy
Updated by Ivan Necas over 7 years ago
- Status changed from Ready For Testing to Closed
Updated by Ivan Necas over 7 years ago
- Target version changed from 1.4.1 to 1.3.2
Updated by Sean O'Keeffe almost 7 years ago
- Related to Feature #19956: Installer should allow ssl_disabled_ciphers to be set for dynflow_core added