RHEL-75931 (project RHEL): Unable to block *CBC* ciphers using crypto policies [rhel-8]


    • Type: Bug
    • Resolution: Won't Do
    • rhel-8.10.z
    • Component: crypto-policies
    • Low
    • rhel-security-crypto
    • ssg_security
    • Red Hat Enterprise Linux
    • Known Issue
      Cause: openssl 1.1 lacks a keyword to disable either individual ciphers or all CBC ciphers at once.
      Consequence: it is impossible to conveniently disable all CBC ciphers for openssl through crypto-policies.
      Workaround: opting out of crypto-policies for openssl lets you configure the enabled ciphersuites to the extent that openssl configuration allows.
      Result: extra, unintended TLS 1.2 ciphersuites might be disabled along with the CBC ones, because crypto-policies cannot express TLS 1.2 ciphersuites at that granularity.
    • Proposed
    • x86_64

      What were you trying to do that didn't work?

      I'm trying to add a block for cipher suites containing the string "CBC" from RHEL using the subpolicy method described in the documentation
      https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#customizing-system-wide-cryptographic-policies-with-subpolicies_using-the-system-wide-cryptographic-policies

      What is the impact of this issue to you?

      None, I have a workaround

      Please provide the package NVR for which the bug is seen:

      Name        : crypto-policies
      Version     : 20230731
      Release     : 1.git3177e06.el8
      Architecture: noarch

      How reproducible is this bug?:

      Every time

      Steps to reproduce

      1. Try any value combination in a subpolicy to eliminate the 6 ciphers:
            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
            TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
            TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 4096) - A

      Expected results

      Discover the options to disable all 6 `CBC` cipher suites and not any others.

      Actual results

      No ciphers were being removed until I used `cipher = -AES` which excluded the CBC ciphers along with several others.

      A workaround for this issue is to remove the subpolicy (to avoid confusion) and append the following to the `/etc/crypto-policies/back-ends/openssl.config` file:

      `:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!AES128-SHA:!AES256-SHA`
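To make the difference between the two approaches visible, here is an added shell check (it is not part of the issue and not crypto-policies' own code). It assumes the `openssl` command-line tool is on PATH and uses the cipher string `ALL` as a stand-in for the base string that crypto-policies writes to `/etc/crypto-policies/back-ends/openssl.config`. It counts how many of the six reported CBC suites, and how many AES-GCM suites, survive the workaround exclusion list above versus the blanket `!AES` exclusion that a `cipher = -AES` subpolicy amounts to.

```shell
#!/bin/sh
# Added example (not from the Jira issue): compare cipher-string exclusions with
# `openssl ciphers -v`. Assumes the openssl CLI is on PATH; "ALL" stands in for
# the crypto-policies base string found in openssl.config.

# Exclusion list quoted in the report's workaround. The leading ':' is what lets
# it be appended to an existing cipher string in openssl.config.
WORKAROUND=':!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!AES128-SHA:!AES256-SHA'

# OpenSSL names of the six suites listed under "Steps to reproduce"
# (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA is ECDHE-RSA-AES256-SHA, and so on).
CBC_TARGETS='^(DHE-RSA-AES128-SHA|DHE-RSA-AES256-SHA|ECDHE-RSA-AES128-SHA|ECDHE-RSA-AES256-SHA|AES128-SHA|AES256-SHA) '

# AES-GCM suites that a blanket AES removal takes away as collateral damage.
GCM_SUITES='^(ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-AES256-GCM-SHA384|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-GCM-SHA384) '

# count_suites REGEX CIPHER_STRING
# Prints the number of suites enabled by CIPHER_STRING whose name matches REGEX.
# `openssl ciphers -v` prints one suite per line with the name first, padded by
# spaces; grep -c exits 1 when the count is 0, which is a valid result here.
count_suites() {
    openssl ciphers -v "$2" | grep -cE "$1" || true
}

# Baseline: all six CBC suites are offered by the stand-in base string.
echo "CBC suites with base string:          $(count_suites "$CBC_TARGETS" 'ALL')"
# Workaround from the report: the six are gone, the GCM suites stay.
echo "CBC suites after workaround:          $(count_suites "$CBC_TARGETS" "ALL${WORKAROUND}")"
echo "GCM suites after workaround:          $(count_suites "$GCM_SUITES" "ALL${WORKAROUND}")"
# What `cipher = -AES` in a subpolicy boils down to: AES-GCM disappears as well.
echo "GCM suites after blanket AES removal: $(count_suites "$GCM_SUITES" 'ALL:!AES')"
```

Run it before and after editing `openssl.config` to confirm that only the six CBC suites were dropped; the counts for the GCM suites should stay unchanged, which is exactly what the `-AES` subpolicy cannot achieve.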

              People: Alexander Sosedkin, Taft Sanders, Aaron Ogburn, Ondrej Moris