Installing Tentacle on a RHEL machine with FIPS enabled and crypto policies restricting to TLS 1.2 still allows connections over TLS 1.0 and 1.1 #468

Open
IsaacCalligeros95 opened this issue May 2, 2023 · 0 comments
Labels
bug team/server-at-scale Represents the Server at Scale team under the Hosting & Execution Group

IsaacCalligeros95 commented May 2, 2023

Team

  • I've assigned a team label to this issue

What happened?

When installing Tentacle on a RHEL 8 (tested 8.2) server, it doesn't appear that the TLS settings are being applied as specified at a system level.
Using update-crypto-policies --set <policy> with the DEFAULT policy should mean the Tentacle port (e.g. 10933) will not use TLS 1.0, as listed here:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies

According to that configuration, only TLS 1.2 and above should be allowed system-wide, but when checking protocol levels available over the port, we're seeing TLS 1.0, 1.1, 1.2 still available.

Use the following to test the connection on the server itself after creating a new tentacle instance:

openssl s_client -connect localhost:10933 -quiet -tls1_2
openssl s_client -connect localhost:10933 -quiet -tls1_1
openssl s_client -connect localhost:10933 -quiet -tls1

Questions

Is there somewhere else this should be configured in RHEL to restrict tentacle communications or another way this should be done?

Why is Tentacle not respecting the OS-level settings? (Some discussion in slack threads linked)

Why does Tentacle specify TLS versions on the ServicePointManager, and is this still required?

Reproduction

configure-tentacle will not work, as openssl cert generation is disabled with FIPS; run the code below to configure a Tentacle.

wget https://rpm.octopus.com/tentacle.repo -O /etc/yum.repos.d/tentacle.repo
yum install tentacle -y
# -- Generate a 100 year certificate with a compliant crypto scheme
openssl req -newkey rsa:4096  -x509  -sha512  -days 36500 -nodes -out certificate.pem -keyout privatekey.pem

# -- Convert pem to pfx
openssl pkcs12 -export -out generated.pfx -inkey privatekey.pem -in certificate.pem 

# -- Configure tentacle (replicating what the configure-tentacle script does - default settings used).
/opt/octopus/tentacle/Tentacle create-instance --instance "Tentacle" --config "/etc/octopus/Tentacle/tentacle-Tentacle.config"
/opt/octopus/tentacle/Tentacle import-certificate --instance "Tentacle" --from-file=generated.pfx
/opt/octopus/tentacle/Tentacle configure --instance "Tentacle" --app "/home/Octopus/Applications" --port 10933 --noListen False --reset-trust
/opt/octopus/tentacle/Tentacle configure --instance "Tentacle" --trust SERVERCERTIFICATETHUMBPRINT
/opt/octopus/tentacle/Tentacle service --install --start --instance "Tentacle"

openssl s_client -connect localhost:10933 -quiet -tls1_2
openssl s_client -connect localhost:10933 -quiet -tls1_1
openssl s_client -connect localhost:10933 -quiet -tls1

Will still listen over TLS 1 and 1.1.

Error and Stacktrace

NA

More Information

Internal slack discussion:
https://octopusdeploy.slack.com/archives/C27FNL3QW/p1682578455691219
https://octopusdeploy.slack.com/archives/CG9E93KLJ/p1682579067675749

Zendesk ticket threads:
https://octopus.zendesk.com/agent/tickets/96548
https://octopus.zendesk.com/agent/tickets/101467
https://octopus.zendesk.com/agent/tickets/103405
https://octopus.zendesk.com/agent/tickets/111245
https://octopus.zendesk.com/agent/tickets/119557

This may be caused by the ServicePointManager.SecurityProtocol in Tentacle

Workaround

NA
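To make the mechanism behind the report concrete: when a .NET application passes an explicit set of SslProtocols to an SslStream, the runtime pins OpenSSL's minimum and maximum protocol versions for that context, so the MinProtocol that update-crypto-policies writes into the OpenSSL configuration no longer constrains the listener. SslProtocols.None instead defers to the operating-system defaults, which on Linux is the OpenSSL configuration. Note also that an SslStream listener is governed by the protocols handed to SslStream itself, not by ServicePointManager.SecurityProtocol, which only affects HttpWebRequest-style clients. The following added example (written for this page; it is not Tentacle's or Halibut's code) starts a small SslStream listener in either the weak explicitly-enumerated mode or the policy-respecting mode, then probes it in-process at each TLS version, reproducing what the openssl s_client loop above does. The PKCS#12 path and password on the command line, the weak/policy switch, and port 10943 (chosen so it does not collide with a real Tentacle on 10933) are assumptions of the example.

```csharp
// Added example, not Tentacle code: an SslStream listener in "weak" or "policy" mode,
// plus a probe that tries a handshake at each TLS version.
// Assumed usage: dotnet run -- generated.pfx <password> [weak|policy]
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

#pragma warning disable SYSLIB0039 // TLS 1.0/1.1 members are obsolete; they are needed to show the weak setting

static class TlsPolicyDemo
{
    // Weak: enumerating versions pins OpenSSL's min/max protocol for this context,
    // so the RHEL crypto policy's MinProtocol no longer applies to the listener.
    const SslProtocols WeakExplicit = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;

    // Corrected: None means "operating system defaults"; on Linux that is the
    // OpenSSL configuration, which update-crypto-policies controls.
    const SslProtocols PolicyDefault = SslProtocols.None;

    static async Task RunServerAsync(X509Certificate2 cert, int port, SslProtocols protocols, CancellationToken ct)
    {
        var listener = new TcpListener(IPAddress.Loopback, port);
        listener.Start();
        while (!ct.IsCancellationRequested)
        {
            TcpClient client;
            try { client = await listener.AcceptTcpClientAsync(ct); }
            catch (OperationCanceledException) { break; }
            _ = Task.Run(async () =>
            {
                using (client)
                using (var ssl = new SslStream(client.GetStream(), false))
                {
                    try
                    {
                        await ssl.AuthenticateAsServerAsync(new SslServerAuthenticationOptions
                        {
                            ServerCertificate = cert,
                            EnabledSslProtocols = protocols,
                            ClientCertificateRequired = false,
                        }, ct);
                    }
                    catch (Exception) { /* handshake refused; the probe reports "refused" */ }
                }
            }, ct);
        }
        listener.Stop();
    }

    // True only if the server completed a handshake at exactly this version.
    // The explicit version pins the client side too, just as `openssl s_client -tls1` does,
    // so a successful handshake shows the server accepts that version regardless of policy.
    static async Task<bool> ProbeAsync(int port, SslProtocols version)
    {
        try
        {
            using var tcp = new TcpClient();
            await tcp.ConnectAsync(IPAddress.Loopback, port);
            using var ssl = new SslStream(tcp.GetStream(), false, (_, _, _, _) => true); // self-signed test cert
            await ssl.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
            {
                TargetHost = "localhost",
                EnabledSslProtocols = version,
            });
            return ssl.SslProtocol == version;
        }
        catch (Exception) { return false; }
    }

    static async Task<int> Main(string[] args)
    {
        if (args.Length < 2) { Console.Error.WriteLine("usage: <pfx> <password> [weak|policy]"); return 2; }
        var cert = new X509Certificate2(args[0], args[1]);          // assumed: the pfx generated above
        var mode = args.Length > 2 && args[2] == "weak" ? WeakExplicit : PolicyDefault;
        const int port = 10943;                                      // assumed: avoids a real Tentacle on 10933
        using var cts = new CancellationTokenSource();
        var server = RunServerAsync(cert, port, mode, cts.Token);
        Console.WriteLine($"server mode: {(mode == SslProtocols.None ? "SslProtocols.None (OS policy)" : mode.ToString())}");
        foreach (var v in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12, SslProtocols.Tls13 })
            Console.WriteLine($"{v,-6} {(await ProbeAsync(port, v) ? "accepted" : "refused")}");
        cts.Cancel();
        try { await server; } catch (OperationCanceledException) { }
        return 0;
    }
}
```

Run it twice on the FIPS/DEFAULT host, once with `weak` and once with `policy`. In weak mode TLS 1.0 and 1.1 are reported as accepted even though the system policy forbids them, which is the behaviour the issue describes; in policy mode the listener inherits the MinProtocol from the crypto policy, so under DEFAULT only TLS 1.2 and 1.3 handshakes succeed. The same probe can be pointed at a real Tentacle by changing the port, since the client side pins its own version exactly as the openssl commands above do.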

@evolutionise evolutionise added team/server-at-scale Represents the Server at Scale team under the Hosting & Execution Group bug and removed enhancement team/fire-and-motion labels May 8, 2023
@evolutionise evolutionise self-assigned this May 8, 2023