[Pki-devel] [PATCH] Ticket 1566 on HSM, non-CA subystem installations failing, while trying to join security domain

Christina Fu cfu at redhat.com
Wed Aug 19 23:51:54 UTC 2015


Thanks!
Pushed to master:

commit 89211b9915e9c3e034d311ac0fa7091e9e08bde8 
<https://fedorahosted.org/pki/changeset/89211b9915e9c3e034d311ac0fa7091e9e08bde8/> 
Author: Christina Fu <cfu@…> Date: Wed Aug 19 13:52:53 2015 +0200

Ticket 1566 on HSM, non-CA subystem installations failing while trying 
to join security domain

    Investigation shows that this issue occurs when the non-CA
    subsystem's SSL server and client keys are also on the HSM. While
    browsers (on soft token) have no issue connecting to any of the
    subsystems on HSM, subsystem to subsystem communication has issues
    when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to
    turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually
    turned on if desired) based on the fact that: 1. The tested HSM
    seems to have issue with them (will still continue to investigate)
    2. While the Perfect Forward Secrecy provides added security by the
    TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to
    estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the
    CS system operations


    A new ticket has been filed for further investigation on hsm:
    https://fedorahosted.org/pki/ticket/1576 substem -> subsytem SSL
    handshake issue with TLS_ECDHE_RSA_* on Thales HSM 

Christina

On 08/19/2015 03:02 PM, Matthew Harmsen wrote:
> On 08/19/15 13:46, Christina Fu wrote:
>> this patch is to address:
>> https://fedorahosted.org/pki/ticket/1566 non-CA subystem 
>> installations failing while trying to join security domain
>>
>> Please note that the two TLS_RSA ciphers have been left under ecc for 
>> installation in place of the TLS_ECDHE_RSA ones.
>>
>> thanks,
>> Christina
>>
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
> (1) in pkiparser.py for ECC, +TLS_RSA_WITH_AES_256_CBC_SHA256 and 
> +TLS_RSA_WITH_AES_128_GCM_SHA256 are turned on (this is for installation)
> (2) in ciphers.info, for ECC, you have 
> -TLS_RSA_WITH_AES_256_CBC_SHA256 and -TLS_RSA_WITH_AES_128_GCM_SHA256 
> are turned off for sslRangeCiphers=...
>
> After conversation, it is understood that the signs should be flipped 
> in ciphers.info to match these changes in pkiparser.py.
>
> Conditional ACK based upon correcting ciphers.info.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150819/1eff2f06/attachment.htm>


More information about the Pki-devel mailing list