Bug 1274890

Summary: mod_ssl config: tighten defaults
Product: Red Hat Enterprise Linux 7 Reporter: Pat Riehecky <riehecky>
Component: httpd Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA QA Contact: Maryna Nalbandian <mnalband>
Severity: urgent Docs Contact: Lenka Špačková <lkuprova>
Priority: unspecified    
Version: 7.1 CC: ajb, carl, cww, djasa, jhouska, jkejda, jlyle, jorton, luhliari, misterbonnie, pasik, qe-baseos-apps, ripleymj, toracat
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1274890#
Whiteboard:
Fixed In Version: httpd-2.4.6-7a9.el7 Doc Type: Release Note
Doc Text:
`SSLv3` disabled in *mod_ssl*. To improve the security of SSL/TLS connections, the default configuration of the *httpd mod_ssl* module has been changed to disable support for the `SSLv3` protocol, and to restrict the use of certain cryptographic cipher suites. This change will affect only fresh installations of the *mod_ssl* package, so existing users should manually change the SSL configuration as required. Any SSL clients attempting to establish connections using `SSLv3`, or using a cipher suite based on `DES` or `RC4`, will be denied in the new default configuration. To allow such insecure connections, modify the `SSLProtocol` and `SSLCipherSuite` directives in the `/etc/httpd/conf.d/ssl.conf` file.
Story Points: ---
Clone Of: 1274876
: 1492637 Environment:
Last Closed: 2018-04-10 14:45:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1203710, 1298243, 1420851, 1465904, 1466370, 1473733, 1492637    

Description Pat Riehecky 2015-10-23 18:49:10 UTC
Verified on default EL7

+++ This bug was initially created as a clone of Bug #1274876 +++

Description of problem:
The default configuration of mod_ssl in EL5 permits SSLv3 connections.  Per CVE-2014-3566 this protocol is known to be a security risk.

Version-Release number of selected component (if applicable): mod_ssl-2.2.3-87


How reproducible: 100%


Steps to Reproduce:
1. Install Apache with mod_ssl
2. Enable connections to port 443 via Apache mod_ssl using the default config
3. Test an SSLv3 connection

Actual results:
SSLv3 connections are permitted

Expected results:
Since SSLv3 has known security issues, I expected it to be disabled by default.

Additional info:
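A configuration check for the condition this report describes, added here as an example (it is not the reporter's code and not part of the httpd package): it evaluates each SSLProtocol directive with mod_ssl's all/+/- token semantics and flags an ssl.conf that still permits SSLv3. The two config excerpts are constructed, and the protocol list that `all` expands to assumes httpd 2.4.x built against OpenSSL 1.0.1 or later.

```python
import re

# What 'all' expands to in SSLProtocol for httpd 2.4.x built against
# OpenSSL 1.0.1 or later (the RHEL 7 case); SSLv2 is not part of it.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def enabled_protocols(args):
    """Apply SSLProtocol token semantics left to right: 'all' selects
    every protocol, a bare name or '+name' adds one, '-name' removes one."""
    enabled = set()
    for token in args.split():
        if token.lower() == "all":
            enabled.update(ALL_PROTOCOLS)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled

def audit_ssl_conf(text):
    """Return (line number, message) findings for an ssl.conf text.
    Comment lines are skipped. Without any SSLProtocol directive httpd
    2.4.6 uses its compiled-in default 'all', which still includes SSLv3."""
    findings, seen = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = re.match(r"SSLProtocol\s+(.+)", stripped, re.IGNORECASE)
        if not match:
            continue
        seen = True
        if "SSLv3" in enabled_protocols(match.group(1)):
            findings.append((lineno, "SSLv3 still enabled: " + stripped))
    if not seen:
        findings.append((0, "no SSLProtocol directive; default 'all' permits SSLv3"))
    return findings

# Constructed excerpts of /etc/httpd/conf.d/ssl.conf: the shipped default
# this report is about, and the tightened form from the proposed patch.
DEFAULT_CONF = """\
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2
"""
TIGHTENED_CONF = """\
# connect.  Disable SSLv2/v3 access by default:
SSLProtocol all -SSLv2 -SSLv3
"""
```

Running `audit_ssl_conf` over the default excerpt reports the SSLProtocol line, while the tightened excerpt yields no findings.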

Comment 3 Jim Lyle 2015-12-11 15:36:58 UTC
Potential Patch:

--- SOURCES/ssl.conf    2015-10-30 10:26:57.000000000 -0500
+++ SOURCES/ssl.conf    2015-10-30 10:27:12.000000000 -0500
@@ -96,8 +96,8 @@ SSLEngine on
 
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
-# connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+# connect.  Disable SSLv2/v3 access by default:
+SSLProtocol all -SSLv2 -SSLv3
 
 #   SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
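Review bot: the hunk stops at `SSLProtocol all -SSLv2 -SSLv3` and leaves the SSLCipherSuite section that begins in its trailing context untouched, whereas the release note for this fix states that the new default also rejects DES- and RC4-based cipher suites; if that is the intended scope, the same patch should also adjust the `SSLCipherSuite` directive in the section immediately below so the shipped default matches the documented behaviour. The updated comment "Disable SSLv2/v3 access by default:" would also be more useful to future readers of ssl.conf if it named the reason given in the description (CVE-2014-3566).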

Comment 4 Luboš Uhliarik 2016-12-06 11:09:41 UTC
*** Bug 1388068 has been marked as a duplicate of this bug. ***

Comment 6 Joe Orton 2017-07-13 15:44:45 UTC
*** Bug 1457785 has been marked as a duplicate of this bug. ***

Comment 7 Joe Orton 2017-07-13 15:45:15 UTC
*** Bug 1428434 has been marked as a duplicate of this bug. ***

Comment 11 Branislav Náter 2017-11-01 16:06:43 UTC
*** Bug 1492637 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2018-04-10 14:45:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0826