<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Thanks!<br>
Pushed to master:<br>
<div class="comment searchable">
<p>
commit <a
href="https://fedorahosted.org/pki/changeset/89211b9915e9c3e034d311ac0fa7091e9e08bde8/"
class="changeset" title="Ticket 1566 on HSM, non-CA subystem
installations failing while trying to ...">89211b9915e9c3e034d311ac0fa7091e9e08bde8</a>
Author: Christina Fu <cfu@…>
Date: Wed Aug 19 13:52:53 2015 +0200
</p>
<p>
Ticket 1566 on HSM, non-CA subystem installations failing while
trying to join security domain
</p>
<blockquote>
<p>
Investigation shows that this issue occurs when the non-CA
subsystem's SSL server and client keys are also on the HSM.
While browsers (on soft token) have no issue connecting to any
of the subsystems on HSM, subsystem to subsystem communication
has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We
have decided to turn off the TLS_ECDHE_RSA_* ciphers by
default (can be manually turned on if desired) based on the
fact that: 1. The tested HSM seems to have issue with them
(will still continue to investigate) 2. While the Perfect
Forward Secrecy provides added security by the TLS_ECDHE_RSA_*
ciphers, each SSL session takes 3 times longer to estabish. 3.
The TLS_RSA_* ciphers are adequate at this time for the CS
system operations<br>
</p>
<br>
A new ticket has been filed for further investigation on hsm:
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/pki/ticket/1576">https://fedorahosted.org/pki/ticket/1576</a> substem -> subsytem
SSL handshake issue with TLS_ECDHE_RSA_* on Thales HSM
</blockquote>
</div>
Christina<br>
<br>
<div class="moz-cite-prefix">On 08/19/2015 03:02 PM, Matthew Harmsen
wrote:<br>
</div>
<blockquote cite="mid:55D4FCD8.9030900@redhat.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 08/19/15 13:46, Christina Fu
wrote:<br>
</div>
<blockquote cite="mid:55D4DD0B.8020609@redhat.com" type="cite">this
patch is to address: <br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://fedorahosted.org/pki/ticket/1566">https://fedorahosted.org/pki/ticket/1566</a>
non-CA subystem installations failing while trying to join
security domain <br>
<br>
Please note that the two TLS_RSA ciphers have been left under
ecc for installation in place of the TLS_ECDHE_RSA ones. <br>
<br>
thanks, <br>
Christina <br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Pki-devel mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Pki-devel@redhat.com">Pki-devel@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-devel">https://www.redhat.com/mailman/listinfo/pki-devel</a></pre>
</blockquote>
(1) in pkiparser.py for ECC, +TLS_RSA_WITH_AES_256_CBC_SHA256 and
+TLS_RSA_WITH_AES_128_GCM_SHA256 are turned on (this is for
installation)<br>
(2) in ciphers.info, for ECC, you have
-TLS_RSA_WITH_AES_256_CBC_SHA256 and
-TLS_RSA_WITH_AES_128_GCM_SHA256 are turned off for
sslRangeCiphers=...<br>
<br>
After conversation, it is understood that the signs should be
flipped in ciphers.info to match these changes in pkiparser.py.<br>
<br>
Conditional ACK based upon correcting ciphers.info.<br>
</blockquote>
<br>
</body>
</html>