Bug 1156187

Summary: luci still agrees on SSLv2 and SSLv3 connections with ricci (if for some esoteric reason forced to)
Product: Red Hat Enterprise Linux 6
Reporter: Jan Pokorný [poki] <jpokorny>
Component: luci
Assignee: Jan Pokorný [poki] <jpokorny>
Status: CLOSED ERRATA
QA Contact: cluster-qe <cluster-qe>
Severity: high
Priority: high
Version: 6.4
CC: adshaikh, cfeist, cluster-maint, cluster-qe, ctowsley, dpal, fdinitto, jharriga, jpokorny, jruemker, meverett, mpoole, mspqa-list, rmccabe, rsteiger, sbradley, slevine, tao
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: luci-0.26.0-72.el6
Doc Type: Enhancement
Doc Text: [Combined doc text for rhbz#1156167 and rhbz#1156187, they should be introduced together, see rhbz#1156167 for the text itself]
Clone Of: 1156167
Last Closed: 2016-05-11 00:17:10 UTC
Type: Bug
Bug Depends On: 991575, 1156167, 1236730
Bug Blocks: 1271835

Description Jan Pokorný [poki] 2014-10-23 18:38:57 UTC
This is generally non-critical (as well as for ricci side: [bug 1156157])
but taking recent affairs into account, would deserve at least a dedicated
tracking -- properties of the secure channel towards ricci haven't been on the
table yet.

Principally, [bug 1156167] is of greater concern, though.


+++ This bug was initially created as a clone of Bug #1156167 +++

Due to an ever-increasing attention being paid to minimal acceptable
version of SSL/TLS and/or their ciphers (security scanners, etc.)
and because luci[-ricci] communication should be just fine with TLS1.0+.

[...]

To be noted that relying merely on security scanners tends to provide
a false sense of overall security; certificate management (conga, as in
ricci+luci, using self-signed ones with limited options to roll up custom
ones) is perhaps a comparably weak point here (see also [bz885028]).

Comment 14 errata-xmlrpc 2016-05-11 00:17:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0892.html