Bug 1156157
| Field | Value |
|---|---|
| Summary | ricci still agrees on SSLv3 connections by default (if for some esoteric reason forced to) |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Jan Pokorný [poki] <jpokorny> |
| Component | ricci |
| Assignee | Chris Feist <cfeist> |
| Status | CLOSED ERRATA |
| QA Contact | cluster-qe <cluster-qe> |
| Severity | high |
| Priority | high |
| Version | 6.6 |
| CC | cbuissar, cfeist, cluster-maint, fdinitto, jpokorny, mspqa-list, rsteiger, salmy, sbradley, swatson, thoger |
| Target Milestone | rc |
| Keywords | ZStream |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ricci-0.16.2-81.el6 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | 1075176 |
| | 1156533 1222411 |
| Last Closed | 2015-07-22 07:34:00 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1075176 |
| Bug Blocks | 1156533, 1159926, 1218334, 1222411 |

Description
Jan Pokorný [poki]
2014-10-23 17:20:08 UTC
Principally, [bug 1156167] is of greater concern, though; this is generally non-critical.

How to test (from the machine that is running ricci):

    openssl s_client -connect localhost:11111 -ssl3

If it gives you a bunch of output including certificates, etc. and returns '0' then ssl3 is working. After upgrading ricci running the same openssl command returns '1' and gives you errors like this:

    SSL_connect:before/connect initialization
    SSL_connect:SSLv3 write client hello A
    SSL3 alert read:fatal:handshake failure
    SSL_connect:failed in SSLv3 read server hello A
    140548945856328:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40

Patch upstream here:
https://git.fedorahosted.org/cgit/conga.git/commit/?h=RHEL6&id=636787356206e592367843d66d3a834225bb1625

Additional upstream patch to make default secure and option ('-x') to use SSLv2/SSLv3:
https://git.fedorahosted.org/cgit/conga.git/commit/?h=RHEL6&id=cdcffaf7441668f686e9bcd24d8801e084ed1d1f

Before Fix:

    [root@ask-03 ~]# rpm -q ricci
    ricci-0.16.2-75.el6.x86_64
    [root@ask-03 ~]# ps -eaf | grep ricci | grep -v grep
    ricci 14456 1 0 15:59 ? 00:00:01 ricci -u ricci
    [root@ask-03 ~]# openssl s_client -connect localhost:11111 -ssl3 2>&1 | grep "handshake failure"
    [root@ask-03 ~]#

After Fix:

    [root@ask-02 ~]# rpm -q ricci
    ricci-0.16.2-77.el6.x86_64
    [root@ask-02 ~]# ps -eaf | grep ricci | grep -v grep
    ricci 22166 1 0 17:31 ? 00:00:00 ricci -u ricci
    [root@ask-02 ~]# openssl s_client -connect localhost:11111 -ssl3 2>&1 | grep "handshake failure"
    140504936662856:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
    140504936662856:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1405.html
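
Added example, not part of the bug report or of ricci's code: the `SSL alert number 40` seen after the fix is a two-byte fatal alert record on the wire, while a server that still agrees to SSLv3 answers with a ServerHello carrying version 0x0300. The Python sketch below classifies the first record a server returns to an SSLv3 ClientHello; the function name and both sample byte strings are constructed for illustration.

```python
import struct

# Record content types and codes that the openssl output above refers to.
ALERT, HANDSHAKE = 21, 22
SERVER_HELLO = 2
HANDSHAKE_FAILURE = 40  # "SSL alert number 40"
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def classify_reply(data: bytes) -> str:
    """Classify the server's first record after an SSLv3 ClientHello."""
    if len(data) < 5:
        return "incomplete"
    # Record header: content type (1), protocol version (2), length (2).
    ctype, _rec_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return "incomplete"
    if ctype == ALERT and length == 2:
        level, desc = body
        kind = "fatal" if level == 2 else "warning"
        if desc == HANDSHAKE_FAILURE:
            return f"rejected: {kind} handshake_failure"
        return f"rejected: {kind} alert {desc}"
    if ctype == HANDSHAKE and len(body) >= 6 and body[0] == SERVER_HELLO:
        # Handshake header is type (1) + length (3); server_version follows.
        (version,) = struct.unpack("!H", body[4:6])
        return "accepted: " + VERSIONS.get(version, hex(version))
    return "unrecognised"


# Constructed sample: fatal alert (level 2), description 40, as after the fix.
REJECTED = bytes.fromhex("15030000020228")
# Constructed sample: minimal SSLv3 ServerHello (zeroed random, empty session
# id, one cipher suite, null compression), as a pre-fix server would send.
ACCEPTED = (bytes.fromhex("160300002a" "02000026" "0300")
            + bytes(32) + bytes.fromhex("00" "002f" "00"))

if __name__ == "__main__":
    for name, sample in (("after fix", REJECTED), ("before fix", ACCEPTED)):
        print(name, "->", classify_reply(sample))
```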