Necesitamos deshabilitar TLS_RSA_WITH_AES_256_GCM_SHA384 que se ejecuta en los puertos 8008 y 9090.

Los siguientes procesos se ejecutan en los puertos 8008 y 9090 respectivamente:

ruby /usr/bin/smart_proxy_dynflow_core -d -p /var/run/foreman-proxy/smart_proxy_dynflow_core.pid

ruby /usr/share/foreman-proxy/bin/smart-proxy --no-daemonize

A continuación se muestra el archivo de configuración de /etc/foreman-installer/custom-hiera.yaml

Apoderado del capataz

foreman_proxy::tls_disabled_versions: [ '1.1' ]
foreman_proxy::ssl_disabled_ciphers: ['TLS_RSA_WITH_RC4_128_MD5', 'TLS_RSA_WITH_RC4_128_SHA', 'AES128-SHA256', 'AES256-SHA256', 'AES128-SHA', 'AES256-SHA', 'AES128-GCM-SHA256', 'AES256-GCM-SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_256_GCM_SHA384']

flujo dinámico

foreman_proxy::plugin::dynflow::tls_disabled_versions: [ '1.1' ]
foreman_proxy::plugin::dynflow::ssl_disabled_ciphers: ['AES128-SHA256', 'AES256-SHA256', 'AES128-SHA', 'AES256-SHA', 'AES128-GCM-SHA256', 'AES256-GCM-SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_256_GCM_SHA384']

apache

apache::mod::ssl::ssl_protocol: [ 'ALL' , '-SSLv3' , '-TLSv1' , '-TLSv1.1' , '+TLSv1.2' ]
apache::mod::ssl::ssl_cipher: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Tomcat / Candelabro

candlepin::tls_versions: [ '1.2' ]

Envío QPID

foreman_proxy_content::qpid_router_ssl_protocols: [ 'TLSv1.2' ]
foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'

PULPA

pulp::ssl_protocol: "ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"