Satellite / SAT-19387

Inconsistent Cipher Suite Visibility Between Tomcat Configuration and Nmap Scan


      Description of problem:
      Inconsistent Cipher Suite Visibility Between Tomcat Configuration and Nmap Scan
      The Tomcat configuration is set up to include all the latest cipher suites for secure communication. However, when performing a scan using Nmap, only two cipher suites are visible.

      Version-Release number of selected component (if applicable):
      satellite-6.13.1-1.el8
      candlepin-4.2.13-1.el8

      How reproducible:
      new installation

      Steps to Reproduce:
      1.
      2.
      3.

      Actual results:

      # cat /usr/share/foreman-installer/modules/candlepin/manifests/params.pp
      # Candlepin params
      #
      # @api private
      class candlepin::params {
        # this comes from keystore
        $db_password = extlib::cache_data('foreman_cache_data', 'candlepin_db_password', extlib::random_password(32))

        $ciphers = [
          'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
          'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
          'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384',
          'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384',
          'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
          'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
          'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256',
          'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256',
        ]
      }

      # cat /etc/tomcat/server.xml | grep -iE "Connector port=" -A 21
        <Connector port="23443"
          address="localhost"
          protocol="HTTP/1.1"
          SSLEnabled="true"
          maxThreads="150" scheme="https" secure="true"
          clientAuth="want"
          sslProtocol="TLSv1.2"
          sslEnabledProtocols="TLSv1.2"
          keystoreFile="/etc/candlepin/certs/keystore"
          keystorePass="DsiYgkYyusdsdsdsdsdhajzsdsdsd3xnC"
          keystoreType="PKCS12"
          truststoreFile="/etc/candlepin/certs/truststore"
          truststorePass="3e4CjHpcuAAAAAAAA9MrBBBBZZFZ"
          ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
          TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
          TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" />

      # nmap --script ssl-enum-ciphers -p 23443 localhost

      PORT      STATE SERVICE
      23443/tcp open  unknown
      | ssl-enum-ciphers:
      |   TLSv1.2:
      |     ciphers:
      |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
      |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
      |     compressors:
      |       NULL
      |     cipher preference: client
      |     warnings:
      |       Key exchange (secp256r1) of lower strength than certificate key
      |_  least strength: A

      Expected results:

      It is important to have a visible list of ciphers available so that we can easily remove or add weak or strong ciphers as per our requirements.

      Additional info:

              jira-bugzilla-migration RH Bugzilla Integration
              rhn-support-gpayelka Ganesh Payelkar
              RH Bugzilla Integration RH Bugzilla Integration
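The gap between the configured list and the scan can be reasoned about offline with the following script, added here as an example; it is not part of the report, of Satellite or of Candlepin. It parses the ciphers= attribute of the quoted Connector and the quoted ssl-enum-ciphers output (both embedded as constructed samples taken from the report) and, for every configured suite nmap did not see, states whether that suite is negotiable at all with the key type of the server certificate. The certificate key type is inferred from the suites that were negotiated rather than read from the keystore, which is an assumption of this example; the function and variable names are likewise the example's own.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: the Connector element from the report, with the
# keystore and truststore attributes left out because the parser ignores them.
SERVER_XML_SNIPPET = '''
<Connector port="23443"
    address="localhost"
    protocol="HTTP/1.1"
    SSLEnabled="true"
    sslProtocol="TLSv1.2"
    sslEnabledProtocols="TLSv1.2"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" />
'''

# Constructed sample input: the ssl-enum-ciphers output from the report.
NMAP_OUTPUT = '''
PORT      STATE SERVICE
23443/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (secp256r1) of lower strength than certificate key
|_  least strength: A
'''


def configured_ciphers(server_xml: str) -> List[str]:
    """Return the suite names in the Connector's ciphers="..." attribute.

    Tomcat tolerates newlines and spaces inside the value, so the value is
    split on commas and each entry is stripped.
    """
    match = re.search(r'ciphers="([^"]*)"', server_xml)
    if not match:
        return []
    return [c.strip() for c in match.group(1).split(",") if c.strip()]


def offered_ciphers(nmap_text: str) -> Dict[str, Set[str]]:
    """Parse ssl-enum-ciphers output into {protocol: {suite, ...}}."""
    offered: Dict[str, Set[str]] = {}
    proto = None
    for raw in nmap_text.splitlines():
        line = raw.lstrip("|_ ").rstrip()       # drop nmap's "|" / "|_" gutter
        if re.fullmatch(r"(SSLv3|TLSv1\.[0-3]):", line):
            proto = line[:-1]
            offered[proto] = set()
        elif proto is not None and line.startswith("TLS_"):
            offered[proto].add(line.split()[0])  # name precedes "(curve) - grade"
    return offered


def required_cert_key(suite: str) -> str:
    """Key type the server certificate must carry for a TLS 1.2 suite.

    ECDHE_ECDSA and ECDH_ECDSA need an EC certificate (ECDSA-signed for the
    static-ECDH variant); ECDH_RSA needs an EC certificate signed by an RSA
    issuer; ECDHE_RSA, DHE_RSA and plain RSA key exchange need an RSA certificate.
    """
    if re.search(r"_(ECDHE_ECDSA|ECDH_ECDSA|ECDH_RSA)_", suite):
        return "EC"
    if re.search(r"_(ECDHE_RSA|DHE_RSA)_", suite) or suite.startswith("TLS_RSA_"):
        return "RSA"
    return "unknown"


def infer_cert_key(offered: Set[str]) -> str:
    """Infer the server certificate key type from the suites that were negotiated."""
    kinds = {required_cert_key(s) for s in offered} - {"unknown"}
    return kinds.pop() if len(kinds) == 1 else "unknown"


def explain_gap(server_xml: str, nmap_text: str, protocol: str = "TLSv1.2") -> Dict[str, object]:
    """Compare the configured list with the scan and give a reason for each missing suite."""
    configured = configured_ciphers(server_xml)
    offered = offered_ciphers(nmap_text).get(protocol, set())
    cert_key = infer_cert_key(offered)
    missing: Dict[str, str] = {}
    for suite in configured:
        if suite in offered:
            continue
        need = required_cert_key(suite)
        if need != "unknown" and need != cert_key:
            missing[suite] = f"needs an {need} server certificate; the keystore certificate is {cert_key}"
        else:
            missing[suite] = "certificate type matches; check jdk.tls.disabledAlgorithms in java.security"
    return {
        "cert_key": cert_key,
        "offered": [s for s in configured if s in offered],
        "missing": missing,
        "unexpected": sorted(offered - set(configured)),  # offered but not configured
    }


if __name__ == "__main__":
    report = explain_gap(SERVER_XML_SNIPPET, NMAP_OUTPUT)
    print(f"server certificate key type (inferred): {report['cert_key']}")
    for suite, reason in report["missing"].items():
        print(f"{suite}: {reason}")
```

Only TLS_ECDHE_RSA_* suites were negotiated, so the keystore holds an RSA certificate, and the ECDHE_ECDSA, ECDH_ECDSA and ECDH_RSA entries in the list can never be offered by this connector whatever server.xml says: the ciphers attribute is an allow-list that the JSSE provider filters against the certificate it has, and nmap reports what a client can actually negotiate. The useful audit is therefore the diff this script produces, run against the live scan output, rather than expecting every configured name to reappear in the scan.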