What happened?
When installing Tentacle on an RHEL 8 (tested 8.2) server, the TLS settings specified at the system level do not appear to be applied. Using update-crypto-policies --set <policy> with the DEFAULT policy should mean the Tentacle port (e.g. 10933) will not use TLS 1.0, as listed here:
According to that configuration, only TLS 1.2 and above should be allowed system-wide, but when checking the protocol levels available on the port we still see TLS 1.0, 1.1 and 1.2 available.
Use the following to test the connection on the server itself after creating a new tentacle instance:
openssl s_client -connect localhost:10933 -quiet -tls1_2
openssl s_client -connect localhost:10933 -quiet -tls1_1
openssl s_client -connect localhost:10933 -quiet -tls1
Questions
Is there somewhere else this should be configured in RHEL to restrict tentacle communications or another way this should be done?
Why is Tentacle not respecting the OS-level settings? (There is some discussion in the Slack threads linked below.)
Why does Tentacle specify TLS versions on the ServicePointManager, and is this still required?
Reproduction
- Create a RHEL 8 machine (a VM in the cloud or a Docker image; do not run the steps below locally)
- Enable FIPS (note: FIPS may not be required, and the steps below had some issues locally): https://www.thegeekdiary.com/how-to-make-centos-rhel-7-fips-140-2-compliant/ OR fips-mode-setup --enable
- Reboot
- Update openssl.cnf: /etc/pki/tls/openssl.cnf
- update-crypto-policies --set DEFAULT (should require TLS 1.2)
The configure-tentacle script will not work, as openssl certificate generation is disabled under FIPS; run the commands below to configure a Tentacle instead:
wget https://rpm.octopus.com/tentacle.repo -O /etc/yum.repos.d/tentacle.repo
yum install tentacle -y
# -- Generate a 100 year certificate with a compliant crypto scheme
openssl req -newkey rsa:4096 -x509 -sha512 -days 36500 -nodes -out certificate.pem -keyout privatekey.pem
# -- Convert pem to pfx
openssl pkcs12 -export -out generated.pfx -inkey privatekey.pem -in certificate.pem
# -- Configure tentacle (replicating what the configure-tentacle script does - default settings used).
/opt/octopus/tentacle/Tentacle create-instance --instance "Tentacle" --config "/etc/octopus/Tentacle/tentacle-Tentacle.config"
/opt/octopus/tentacle/Tentacle import-certificate --instance "Tentacle" --from-file=generated.pfx
/opt/octopus/tentacle/Tentacle configure --instance "Tentacle" --app "/home/Octopus/Applications" --port 10933 --noListen False --reset-trust
/opt/octopus/tentacle/Tentacle configure --instance "Tentacle" --trust SERVERCERTIFICATETHUMBPRINT
/opt/octopus/tentacle/Tentacle service --install --start --instance "Tentacle"
openssl s_client -connect localhost:10933 -quiet -tls1_2
openssl s_client -connect localhost:10933 -quiet -tls1_1
openssl s_client -connect localhost:10933 -quiet -tls1
Will still listen over TLS 1 and 1.1.
Error and Stacktrace
NA
More Information
Internal slack discussion:
https://octopusdeploy.slack.com/archives/C27FNL3QW/p1682578455691219
https://octopusdeploy.slack.com/archives/CG9E93KLJ/p1682579067675749
Zendesk ticket threads:
https://octopus.zendesk.com/agent/tickets/96548
https://octopus.zendesk.com/agent/tickets/101467
https://octopus.zendesk.com/agent/tickets/103405
https://octopus.zendesk.com/agent/tickets/111245
https://octopus.zendesk.com/agent/tickets/119557
This may be caused by the ServicePointManager.SecurityProtocol in Tentacle
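The questions above ask why a .NET process would pin TLS versions instead of inheriting the host's crypto policy, and the hypothesis is that an explicit ServicePointManager.SecurityProtocol / protocol list is the cause. The following is an added illustration, not Tentacle's or Halibut's code: it puts a pinned protocol list beside the form that defers to the OS, and includes a small client probe that does in .NET what the openssl s_client -tls1 / -tls1_1 / -tls1_2 checks in this report do from the shell. It assumes .NET 6 or later; the class and method names (TlsPolicyDemo, PinnedLegacyOptions, SystemPolicyOptions, ProbeAsync) are hypothetical, and the listener options are a generic SslStream example, not a claim about how Tentacle's listener is actually built.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example (not Tentacle's or Halibut's code). Assumes .NET 6+ on a host
// where update-crypto-policies DEFAULT sets the OpenSSL floor to TLS 1.2.
public static class TlsPolicyDemo
{
    // Listener configured with an explicit protocol list. The runtime hands
    // exactly these versions to OpenSSL, so the crypto-policy floor is bypassed
    // and TLS 1.0/1.1 remain negotiable even though the system forbids them.
    public static SslServerAuthenticationOptions PinnedLegacyOptions(X509Certificate2 cert) =>
        new SslServerAuthenticationOptions
        {
            ServerCertificate = cert,
            EnabledSslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
        };

    // Hardened form: SslProtocols.None means "use the platform default", which on
    // RHEL is whatever update-crypto-policies configured. Nothing below the system
    // floor can be negotiated, and a later policy change applies without a rebuild.
    public static SslServerAuthenticationOptions SystemPolicyOptions(X509Certificate2 cert) =>
        new SslServerAuthenticationOptions
        {
            ServerCertificate = cert,
            EnabledSslProtocols = SslProtocols.None,
        };

    // The equivalent for code that still goes through ServicePointManager:
    // SystemDefault defers to the OS instead of pinning Tls | Tls11 | Tls12.
    public static void DeferServicePointManagerToSystemPolicy() =>
        ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault;

    // Verification probe: one handshake attempt per version against host:port,
    // reporting which versions the listener accepts.
    public static async Task<(SslProtocols Version, bool Accepted, string Detail)[]> ProbeAsync(string host, int port)
    {
        var results = new List<(SslProtocols, bool, string)>();
        foreach (var version in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12, SslProtocols.Tls13 })
        {
            try
            {
                using var tcp = new TcpClient();
                await tcp.ConnectAsync(host, port);
                // Certificate validation is skipped on purpose: this measures protocol
                // acceptance only and is not a trust decision (Tentacle uses self-signed certs).
                using var tls = new SslStream(tcp.GetStream(), false, (_, _, _, _) => true);
                await tls.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
                {
                    TargetHost = host,
                    EnabledSslProtocols = version,
                });
                results.Add((version, true, $"negotiated {tls.SslProtocol}"));
            }
            catch (Exception ex) when (ex is AuthenticationException || ex is System.IO.IOException
                                       || ex is PlatformNotSupportedException || ex is SocketException)
            {
                // A version the local OpenSSL refuses to offer at all also lands here,
                // so a "rejected" result on a hardened client is expected for TLS 1.0/1.1.
                results.Add((version, false, ex.GetType().Name));
            }
        }
        return results.ToArray();
    }

    // Usage: dotnet run -- localhost 10933
    public static async Task Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "localhost";
        int port = args.Length > 1 ? int.Parse(args[1]) : 10933;
        foreach (var (version, accepted, detail) in await ProbeAsync(host, port))
            Console.WriteLine($"{version,-6} {(accepted ? "ACCEPTED" : "rejected")}  ({detail})");
    }
}
```

On a listener built with PinnedLegacyOptions the probe reports TLS 1.0 and 1.1 as ACCEPTED regardless of the crypto policy, which matches the openssl s_client results in the reproduction above; with SystemPolicyOptions under the DEFAULT policy only TLS 1.2 and 1.3 are accepted. Note that the probe itself pins each version explicitly, which is exactly why it can still offer TLS 1.0 from a host whose policy forbids it; that is the same mechanism the report is asking about, just on the client side.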
Workaround
NA