RHEL / RHEL-7724

Connect pcsd TLS configuration to RHEL crypto policies

    • pcs-0.11.6-6.el9
    • Normal
    • sst_high_availability
    • ssg_filesystems_storage_and_HA
    • Enhancement
    • .TLS cipher list now defaults to system-wide crypto policy

      Previously, the `pcsd` TLS cipher list was set to `DEFAULT:!RC4:!3DES:@STRENGTH` by default. With this update, the cipher list is defined by the system-wide crypto policy by default. The TLS ciphers accepted by the `pcsd` daemon might change with this upgrade, depending on the currently set crypto policy. For more information about the crypto policies framework, see the `crypto-policies`(7) man page.
    • Done

      Description of problem:
      Currently, it is possible to configure the TLS ciphers and other TLS options used by pcsd in /etc/sysconfig/pcsd; when nothing is configured there, a default value hardcoded in the pcsd source applies. RHEL (and Fedora) provides a system-wide crypto policies framework, which allows TLS settings to be configured in one place for the entire OS and all applications. The benefit is easy management: disabling a weak cipher can be done in a single place. pcsd should connect to this framework.

      Version-Release number of selected component (if applicable):
      pcs-0.11.7

      How reproducible:
      always, easily

      Steps to Reproduce:
      1. update-crypto-policies --set DEFAULT
      2. nmap -p 2224 {pcsd node} --script +ssl-enum-ciphers
      3. update-crypto-policies --set FIPS
      4. nmap -p 2224 {pcsd node} --script +ssl-enum-ciphers

      Actual results:
      TLS ciphers used by pcsd do not depend on the current crypto policy

      Expected results:
      TLS ciphers used by pcsd are set by the current crypto policy

      Additional info:
      nmap-7.91-12.el9 does not show TLSv1.3 ciphers; use nmap-7.93-2.fc38 instead

      Proposed solution:
      Make 'PROFILE=SYSTEM' the default for PCSD_SSL_CIPHERS
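      The proposed solution is a one-line change in /etc/sysconfig/pcsd, and the same file is where an administrator can check which of the two behaviours a host is in (a pinned cipher string that update-crypto-policies will never touch, versus PROFILE=SYSTEM). The script below is an added example, not code from this issue or from the pcs project; it assumes the file uses plain KEY=VALUE lines and the variable name PCSD_SSL_CIPHERS from the issue, and the sample files it reads are constructed inline.

```shell
#!/bin/sh
# Added example (not from RHEL-7724 or the pcs project): classify how a pcsd
# host obtains its TLS cipher list from an /etc/sysconfig/pcsd-style file.
# Assumptions: KEY=VALUE lines as in /etc/sysconfig/pcsd, variable name
# PCSD_SSL_CIPHERS (from the issue); an unset variable means pcsd's built-in
# default applies (hardcoded before the fix, the crypto policy after it).

# Print the effective PCSD_SSL_CIPHERS value (last assignment wins, as when
# the file is sourced), with surrounding quotes stripped; prints nothing when
# the variable is not set. Returns 1 if the file cannot be read.
pcsd_cipher_setting() {
    file="$1"
    [ -r "$file" ] || return 1
    sed -n 's/^[[:space:]]*PCSD_SSL_CIPHERS=//p' "$file" | tail -n 1 \
        | sed 's/^["'"'"']//; s/["'"'"']$//'
}

# Classify the setting:
#   policy - follows the system-wide crypto policy (PROFILE=SYSTEM)
#   pinned - explicit OpenSSL cipher string, unaffected by update-crypto-policies
#   unset  - pcsd's compiled-in default applies (policy-driven only with the fix)
pcsd_cipher_source() {
    value=$(pcsd_cipher_setting "$1") || return 1
    case "$value" in
        "")              echo unset ;;
        PROFILE=SYSTEM)  echo policy ;;
        *)               echo pinned ;;
    esac
}

# Constructed sample files standing in for /etc/sysconfig/pcsd on two hosts:
# the pre-fix hardcoded list from the issue, and the proposed default.
sample_pinned=$(mktemp)
printf '# pcsd TLS settings\nPCSD_SSL_CIPHERS="DEFAULT:!RC4:!3DES:@STRENGTH"\n' > "$sample_pinned"
sample_policy=$(mktemp)
printf 'PCSD_SSL_CIPHERS="PROFILE=SYSTEM"\n' > "$sample_policy"

pcsd_cipher_source "$sample_pinned"   # pinned
pcsd_cipher_source "$sample_policy"   # policy
```

      On a RHEL host with crypto-policies, `openssl ciphers -v 'PROFILE=SYSTEM'` prints the cipher list the current policy resolves to, which is what a "policy" host will offer on port 2224 after the fix.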

            cluster-qe (Cluster QE)
            tojeline@redhat.com (Tomas Jelinek)
            Michal Mazourek
            Steven Levine