Bug 1566124

Summary: mod_ssl recommends RC4 against upstream advice
Product: Red Hat Enterprise Linux 7
Reporter: ripleymj
Component: httpd
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED NEXTRELEASE
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified
Priority: unspecified
Version: 7.5
CC: jorton, luhliari
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2020-10-15 12:54:45 UTC
Type: Bug

Description ripleymj 2018-04-11 14:54:51 UTC
Description of problem:
The default /etc/httpd/conf.d/ssl.conf contains a section on "Speed-optimized SSL Cipher configuration" which recommends prioritizing RC4 and SHA1. This was removed upstream in 2015 but never backported. As this would only affect new installs and not change behavior of existing installs, it seems to be a very safe change to make.

I had opened this as 1428434, which was closed as a duplicate of 1274890, though that was not really accurate. The original bug was against RHEL 7.3, so I'm attempting this again for 7.5.

Version-Release number of selected component (if applicable):
mod_ssl-2.4.6-80

How reproducible:
Completely

Steps to Reproduce:
1. Install mod_ssl package
2.
3.

Actual results:
Receive unsafe advice

Expected results:
Receive sensible advice

Additional info:
Upstream commit: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?r1=1634736&r2=1679428

Comment 2 Joe Orton 2020-10-15 12:54:45 UTC
Thanks for the feedback.  We don't plan to change the default configuration within the RHEL 7 release.  The issue with recommendations about cipher choices evolving (and becoming outdated, as you suggest) during the RHEL lifecycle has been resolved in RHEL 8.  In RHEL8, the mod_ssl default configuration no longer suggests any particular cipher and instead defers to the system crypto profile definitions.

FYI: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
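As an added example (not from the bug report, from httpd, or from Red Hat), here is a small Python audit that scans an httpd ssl.conf for SSLCipherSuite and SSLProxyCipherSuite directives that select or prioritise RC4, including commented-out advice of the kind the reporter describes. A directive whose value is PROFILE=SYSTEM is treated as clean; that is assumed here to be the RHEL 8 form that defers to the system-wide crypto policy, as Joe Orton's comment describes. The sample configuration is constructed to mirror the structure the report mentions and is not the verbatim contents of /etc/httpd/conf.d/ssl.conf.

```python
"""Audit httpd mod_ssl cipher directives for RC4 advice.

Added example, not part of the bug report, httpd or Red Hat code.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample mirroring the "speed-optimized" block described
# in the report; not the real RHEL 7 ssl.conf.
SAMPLE_SSL_CONF = """\
#   SSL Cipher Suite:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern, prepend performance-optimized
#   ciphers to the list and enable SSLHonorCipherOrder.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
"""

# Constructed hardened form: defer to the system crypto policy
# (assumed RHEL 8 syntax) instead of naming ciphers in ssl.conf.
HARDENED_SSL_CONF = """\
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
"""

# Matches an active or commented-out cipher-suite directive. The name
# must follow the optional '#' directly, so ordinary comment prose
# such as "#   SSL Cipher Suite:" does not match.
DIRECTIVE_RE = re.compile(
    r"^\s*(?P<comment>#)?\s*(?P<name>SSL(?:Proxy)?CipherSuite)\s+(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    directive: str
    active: bool            # False when the directive is commented out
    weak_tokens: List[str]  # tokens that select or prioritise RC4


def weak_tokens_in(cipher_list: str) -> List[str]:
    """Return tokens of an OpenSSL cipher list that enable RC4.

    Tokens prefixed with '!' or '-' remove ciphers and are not flagged.
    """
    weak = []
    for tok in cipher_list.split(":"):
        if tok.startswith(("!", "-")):
            continue
        if "RC4" in tok.lstrip("+").upper():
            weak.append(tok)
    return weak


def audit(conf_text: str) -> List[Finding]:
    """Scan configuration text and report RC4-bearing cipher directives."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        if value.upper().startswith("PROFILE="):
            continue  # defers to the system-wide crypto policy
        weak = weak_tokens_in(value)
        if weak:
            findings.append(
                Finding(line_no, m.group("name"), m.group("comment") is None, weak)
            )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SSL_CONF):
        state = "ACTIVE" if f.active else "commented advice"
        print(f"line {f.line_no}: {f.directive} ({state}) -> {', '.join(f.weak_tokens)}")
    print("hardened config findings:", audit(HARDENED_SSL_CONF))
```

Run against a real file with `audit(open("/etc/httpd/conf.d/ssl.conf").read())`; a commented-out finding is exactly the stale advice the report is about, while an active one means RC4 is actually negotiable and should be removed from the list.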