Bug 1274890
Summary: | mod_ssl config: tighten defaults | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Pat Riehecky <riehecky> | |
Component: | httpd | Assignee: | Luboš Uhliarik <luhliari> | |
Status: | CLOSED ERRATA | QA Contact: | Maryna Nalbandian <mnalband> | |
Severity: | urgent | Docs Contact: | Lenka Špačková <lkuprova> | |
Priority: | unspecified | |||
Version: | 7.1 | CC: | ajb, carl, cww, djasa, jhouska, jkejda, jlyle, jorton, luhliari, misterbonnie, pasik, qe-baseos-apps, ripleymj, toracat | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1274890# | |||
Fixed In Version: | httpd-2.4.6-7a9.el7 | Doc Type: | Release Note | |
Doc Text: |
`SSLv3` disabled in *mod_ssl*
To improve the security of SSL/TLS connections, the default configuration of the *httpd mod_ssl* module has been changed to disable support for the `SSLv3` protocol, and to restrict the use of certain cryptographic cipher suites. This change will affect only fresh installations of the *mod_ssl* package, so existing users should manually change the SSL configuration as required.
Any SSL clients attempting to establish connections using `SSLv3`, or using a cipher suite based on `DES` or `RC4`, will be denied in the new default configuration. To allow such insecure connections, modify the `SSLProtocol` and `SSLCipherSuite` directives in the `/etc/httpd/conf.d/ssl.conf` file.
|
Story Points: | --- | |
Clone Of: | 1274876 | |||
: | 1492637 (view as bug list) | Environment: | ||
Last Closed: | 2018-04-10 14:45:22 UTC | Type: | Bug | |
Bug Blocks: | 1203710, 1298243, 1420851, 1465904, 1466370, 1473733, 1492637 |
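
The Doc Text above says existing installations keep their old settings and must be changed by hand. The following check is an added example, not code from this bug report or from httpd: it evaluates each `SSLProtocol` line of a configuration such as `/etc/httpd/conf.d/ssl.conf` and reports the ones that still allow `SSLv3`. The helper names, the sample configuration and the expansion of `all` are assumptions; `SSLCipherSuite` is not covered.

```python
import re

# Assumption: "all" expands to these protocols, as on the httpd 2.4.6 build this
# bug concerns (the patch's "-SSLv3" only makes sense if "all" includes SSLv3).
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANON = {p.lower(): p for p in ALL}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.I)  # '#' lines never match

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right, the way mod_ssl applies them."""
    enabled = set()
    for tok in args.split():
        action = tok[0] if tok[0] in "+-" else ""
        name = tok[len(action):].lower()
        if name == "sslv2" and action == "-":
            continue  # httpd 2.4 has no SSLv2; "-SSLv2" is accepted and ignored
        if name != "all" and name not in CANON:
            raise ValueError(f"unsupported SSLProtocol token: {tok}")
        group = set(ALL) if name == "all" else {CANON[name]}
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:
            enabled = set(group)  # no prefix: replaces everything set so far
    return enabled

def audit(conf_text):
    """Return (line_number, sorted enabled protocols) for directives allowing SSLv3."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m and "SSLv3" in (protos := enabled_protocols(m.group(1))):
            findings.append((no, sorted(protos)))
    return findings

# Constructed sample, not taken from the bug report.
SAMPLE = """\
# SSLProtocol all
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
  SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:9443>
  sslprotocol -all +TLSv1.2 SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for no, protos in audit(SAMPLE):
        print(f"line {no}: SSLv3 still enabled ({', '.join(protos)})")
```

The third virtual host in the sample shows the missing-prefix case: an unprefixed `SSLv3` after `-all +TLSv1.2` replaces the set and leaves only `SSLv3` enabled.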
Description
Pat Riehecky
2015-10-23 18:49:10 UTC
Potential Patch:
--- SOURCES/ssl.conf 2015-10-30 10:26:57.000000000 -0500 +++ SOURCES/ssl.conf 2015-10-30 10:27:12.000000000 -0500 @@ -96,8 +96,8 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to -# connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +# connect. Disable SSLv2/v3 access by default: +SSLProtocol all -SSLv2 -SSLv3 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate.

*** Bug 1388068 has been marked as a duplicate of this bug. ***
*** Bug 1457785 has been marked as a duplicate of this bug. ***
*** Bug 1428434 has been marked as a duplicate of this bug. ***
*** Bug 1492637 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0826
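
Review bot: in the `@@ -96,8 +96,8 @@` hunk of SOURCES/ssl.conf only the `SSLProtocol` line changes, and the trailing context stops at the `# SSL Cipher Suite:` comment, so the cipher list is left as shipped. The bug is titled "tighten defaults" and the Doc Text says DES- and RC4-based suites are denied, so the `SSLCipherSuite` directive needs a companion hunk. The unchanged context line "List the enable protocol levels" could be corrected to "enabled" while this comment block is being edited. Because the change touches only the packaged ssl.conf, existing installations keep `SSLProtocol all -SSLv2` until it is edited by hand, which is worth stating in the changelog entry.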