Bug 1038651

Summary: There are no "TLSv1.1" and "TLSv1.2" options for Apache's SSLProtocol directive
Product: [JBoss] JBoss Enterprise Web Server 2
Reporter: Eric Rich <erich>
Component: httpd
Assignee: Jean-frederic Clere <jclere>
Status: CLOSED EOL
QA Contact: Libor Fuka <lfuka>
Severity: unspecified
Priority: unspecified
Version: 2.0.0, 2.0.1
CC: csutherl, ebenes, jawilson, jclere, jdoyle, myarboro, pslavice, rmarwaha, rsvoboda, weli
Target Milestone: CR01
Target Release: 3.0.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
An incompatibility problem existed with Apache HTTP Server and OpenSSL on Red Hat Enterprise Linux 6.5. This resulted in no TLSv1.1 or TLSv1.2 options being available for Apache HTTP Server's `SSLProtocol` directive. This issue has been fixed with the update of OpenSSL to version 1.0.1e in this release of JBoss Web Server, and TLSv1.1 and TLSv1.2 options should be available as expected on all supported platforms.
Clone Of: 1038648
: 1218346 1218348
Last Closed: 2019-06-13 12:09:50 UTC
Type: Bug
Bug Depends On: 1034984, 1038648

Description Eric Rich 2013-12-05 15:02:07 UTC
+++ This bug was initially created as a clone of Bug #1038648 +++

Description of problem:

There is a serious incompatibility problem with Apache + OpenSSL in the new RHEL 6.5.
The currently available Apache version is built from OpenSSL version 1.0.0, and the OpenSSL shipped with RHEL 6.5 has version 1.0.1.

However, as we ship so many versions of httpd, it's hard to keep track of which versions have this capability and which versions don't, due to backports. Based on these comments, no version of httpd (that Red Hat provides) ships this capability (as you need 2.2.23).

     - RHEL 6  = 2.2.15 + Backports
     - EWS 1.2 = 2.2.17 + (not much)
     - EWS 2.0 = 2.2.22 + (1 patch [methinks])

Even with this said, I know of at least 1 case [attached], and 1 BZ [https://bugzilla.redhat.com/show_bug.cgi?id=818670] that seem to indicate that we have put this into the RHEL 6.5 release (at least that is what I read).

However, it seems that Apache was not updated or rebuilt to provide this. Is this a bug that should be addressed? Will EWS be getting a backport for this capability as well?

The reason I bring this feature / capability up is because it demonstrates how having Apache (provided in multiple facets) makes it hard for support to tell customers what they can or cannot use the product for and what is supported. It also confuses our customers because the later version 2.2.15 (RHEL) might now have a feature that the 2.2.22 (EWS) version does not have (simply due to a backport).

Comment 2 Jean-frederic Clere 2013-12-06 15:12:12 UTC
Actually that would require an openssl upgrade.

Comment 3 Weinan Li 2014-01-26 17:18:06 UTC
Currently we use the openssl from RHEL.

Comment 4 Jean-frederic Clere 2014-02-13 10:30:33 UTC
According to httpd changelog it has been fixed in 2.2.23 but it requires OpenSSL 1.0.1.
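
Added example (not part of the bug report and not httpd source code): a simplified Python model of how `SSLProtocol` arguments evaluate on an httpd 2.2 build, showing why the same directive behaves differently depending on the OpenSSL version the module was built against. It assumes the build already carries the 2.2.23 change mentioned above and that the TLSv1.1 and TLSv1.2 keywords exist only with OpenSSL 1.0.1 or later at build time; the function names, version tuples, sample directives and error text are illustrative assumptions.

```python
# Simplified model (an assumption, not mod_ssl source) of SSLProtocol parsing
# on an httpd build that carries the 2.2.23 change.
LEGACY = ["SSLv2", "SSLv3", "TLSv1"]
TLS1_X = ["TLSv1.1", "TLSv1.2"]  # present only with OpenSSL >= 1.0.1 at build time


def known_protocols(built_against):
    """Protocol keywords accepted by a build, given its build-time OpenSSL version."""
    return LEGACY + (TLS1_X if built_against >= (1, 0, 1) else [])


def evaluate(args, built_against):
    """Return the protocols an SSLProtocol argument string enables, in order."""
    known = known_protocols(built_against)
    by_name = {p.lower(): p for p in known}
    enabled = set()
    for word in args.split():
        action = word[0] if word[0] in "+-" else ""
        name = word[len(action):].lower()
        if name == "all":
            selected = set(known)
        elif name in by_name:
            selected = {by_name[name]}
        else:
            # Modelled on the configuration-check failure for an unknown keyword.
            raise ValueError("SSLProtocol: Illegal protocol '%s'" % word[len(action):])
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            enabled = set(selected)  # a bare keyword replaces what was set so far
    return [p for p in known if p in enabled]


def audit(args, built_against):
    """Summarise one directive for one build: enabled list or the parse error."""
    try:
        return evaluate(args, built_against)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample directives, checked against two build-time versions.
    for args in ("all -SSLv2 -SSLv3", "-all +TLSv1.1 +TLSv1.2"):
        for build in ((1, 0, 0), (1, 0, 1)):
            label = ".".join(map(str, build))
            print("%-24s built against %s -> %s" % (args, label, audit(args, build)))
```

In this model the `all`-based directive parses cleanly on the 1.0.0 build yet enables only TLSv1, while the explicit TLSv1.1/TLSv1.2 form fails the configuration check there.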

Comment 5 John Doyle 2014-02-13 16:30:27 UTC
We depend on OpenSSL in RHEL, do we build and ship it for other supported platforms?

Weinan, do you have a contact that can give us insight into a possible upgrade of OpenSSL on RHEL?

Comment 6 Weinan Li 2014-02-14 13:13:51 UTC
After discussing with Jean-Frederic, we think it's better to put this into EWS 3.

Comment 8 John Doyle 2014-03-03 14:25:59 UTC
It looks like RHEL has released OpenSSL 1.0.1 in some channels.

https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=839677

I don't know how to map this information to the versions of RHEL we support (RHEL 6 x86 and x86_64, RHEL 5 x86 and x86_64).  Weinan, do you know how to map this information?

Comment 9 Weinan Li 2014-03-03 14:38:41 UTC
Hi John, I saw the current maintainer of OpenSSL is Tomáš Mráz <tmraz>. Hope the info is useful to you :-)

Comment 10 Weinan Li 2014-03-03 14:40:28 UTC
(In reply to John Doyle from comment #8)
> It looks like RHEL has released OpenSSL 1.0.1 in some channels.
> 
> https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=839677
> 
> I don't know how to map this information to the versions of RHEL we support
> (RHEL 6 x86 and x86_64, RHEL 5 x86 and x86_64).  Weinan, do you know how to
> map this information?

After checking the product list, it could map to our product on RHEL6 (32bit and x86_64).

Comment 12 Libor Fuka 2015-04-03 09:44:24 UTC
Verified with JWS3.0 ER2.1 (includes Apache/2.4.6 (Red Hat)) on RHEL6.6 (includes OpenSSL 1.0.1e-fips) and on RHEL7.1 (includes OpenSSL 1.0.1e-fips)

Comment 13 Libor Fuka 2015-04-03 11:07:56 UTC
Verified with JWS3.0 ER2.1 (includes Apache/2.4.6 and OpenSSL 1.0.1e) on MS Windows.

Comment 14 Libor Fuka 2015-04-13 06:04:02 UTC
*** Bug 1161283 has been marked as a duplicate of this bug. ***