RHEL-7724

Connect pcsd TLS configuration to RHEL crypto policies

    • pcs-0.11.6-6.el9
    • Moderate
    • rhel-sst-high-availability
    • ssg_filesystems_storage_and_HA
    • QE ack
    • Enhancement
      .TLS cipher list now defaults to system-wide crypto policy

      Previously, the `pcsd` TLS cipher list was set to `DEFAULT:!RC4:!3DES:@STRENGTH` by default. With this update, the cipher list is defined by the system-wide crypto policy by default. The TLS ciphers accepted by the `pcsd` daemon might change with this upgrade, depending on the currently set crypto policy. For more information about the crypto policies framework, see the `crypto-policies`(7) man page.
    • Done

      Description of problem:
      Currently, it is possible to configure TLS ciphers and other options used by pcsd in /etc/sysconfig/pcsd. There is a default value hardcoded in the pcsd source. RHEL (and Fedora) provides a system-wide crypto policies framework, which allows TLS settings to be configured in one place for the entire OS and all applications. This has the benefit of easy management: disabling a weak cipher can be done in a single place. Pcsd should connect to this framework.

      Version-Release number of selected component (if applicable):
      pcs-0.11.7

      How reproducible:
      always, easily

      Steps to Reproduce:
      1. update-crypto-policies --set DEFAULT
      2. nmap -p 2224 {pcsd node} --script +ssl-enum-ciphers
      3. update-crypto-policies --set FIPS
      4. nmap -p 2224 {pcsd node} --script +ssl-enum-ciphers

      Actual results:
      TLS ciphers used by pcsd do not depend on the current crypto policy

      Expected results:
      TLS ciphers used by pcsd are set by the current crypto policy

      Additional info:
      nmap-7.91-12.el9 doesn't show TLSv1.3, use nmap-7.93-2.fc38

      Proposed solution:
      Make 'PROFILE=SYSTEM' the default for PCSD_SSL_CIPHERS
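The following is an added example, not code from the pcs project or from this issue: a POSIX shell audit that reads a pcsd sysconfig file and reports whether the TLS cipher list follows the system-wide crypto policy (PROFILE=SYSTEM, the proposed default) or is pinned locally (such as the former hardcoded DEFAULT:!RC4:!3DES:@STRENGTH, which update-crypto-policies cannot influence). It assumes only what the issue states: the variable name PCSD_SSL_CIPHERS in a KEY=VALUE sysconfig file and the OpenSSL profile string PROFILE=SYSTEM. The sample config files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not pcs project code). Audits whether pcsd's TLS cipher
# list is driven by the crypto policy or overridden in the sysconfig file.
# Assumed: sysconfig uses KEY=VALUE lines (optionally double-quoted);
# PCSD_SSL_CIPHERS and PROFILE=SYSTEM come from the issue text.

# Print the cipher list pcsd would use for the given sysconfig file.
# An unset or commented-out variable yields the post-fix default
# PROFILE=SYSTEM; the pre-fix default was DEFAULT:!RC4:!3DES:@STRENGTH.
pcsd_effective_ciphers() {
    file=$1
    val=$(sed -n 's/^PCSD_SSL_CIPHERS=//p' "$file" | tail -n 1 \
          | sed 's/^"\(.*\)"$/\1/')
    if [ -z "$val" ]; then
        echo "PROFILE=SYSTEM"
    else
        echo "$val"
    fi
}

# Return 0 when the list follows the crypto policy, 1 when it is pinned
# locally (then update-crypto-policies --set FIPS will not affect pcsd).
pcsd_follows_policy() {
    case "$(pcsd_effective_ciphers "$1")" in
        PROFILE=SYSTEM) return 0 ;;
        *) return 1 ;;
    esac
}

# Optionally expand the string with the local OpenSSL. On RHEL/Fedora the
# patched OpenSSL resolves PROFILE=SYSTEM to the active policy; upstream
# OpenSSL does not know that profile and reports an error instead.
pcsd_expand_ciphers() {
    if command -v openssl >/dev/null 2>&1; then
        openssl ciphers "$(pcsd_effective_ciphers "$1")" 2>&1 | tr ':' '\n'
    else
        echo "openssl not available; cannot expand cipher list"
    fi
}

# Constructed sample configs (not real files from any host).
tmpdir=$(mktemp -d)
pinned_cfg=$tmpdir/pcsd.pinned
policy_cfg=$tmpdir/pcsd.policy
unset_cfg=$tmpdir/pcsd.unset
printf '%s\n' '# legacy pinned list; ignores the crypto policy' \
    'PCSD_SSL_CIPHERS="DEFAULT:!RC4:!3DES:@STRENGTH"' > "$pinned_cfg"
printf '%s\n' '# proposed default: follow update-crypto-policies' \
    'PCSD_SSL_CIPHERS=PROFILE=SYSTEM' > "$policy_cfg"
printf '%s\n' '# variable left commented out, so the built-in default applies' \
    '#PCSD_SSL_CIPHERS=...' > "$unset_cfg"

for cfg in "$pinned_cfg" "$policy_cfg" "$unset_cfg"; do
    if pcsd_follows_policy "$cfg"; then
        verdict="follows crypto policy"
    else
        verdict="PINNED LOCALLY (audit this override)"
    fi
    printf '%s: %s -> %s\n' "$cfg" "$(pcsd_effective_ciphers "$cfg")" "$verdict"
done
```

On a real node, point the functions at /etc/sysconfig/pcsd and compare the verdict with the nmap ssl-enum-ciphers output from the reproduction steps: a pinned list is the reason the enumerated ciphers do not move when the policy changes from DEFAULT to FIPS.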

              cluster-qe Cluster QE
              tojeline@redhat.com Tomas Jelinek
              Tomas Jelinek Tomas Jelinek
              Michal Mazourek Michal Mazourek
              Steven Levine Steven Levine