Bug 1618371
| Field | Value |
|---|---|
| Summary | mod_ssl does not honor minimum TLS protocol defined in system crypto policy |
| Product | [Fedora] Fedora |
| Reporter | Rob Crittenden <rcritten> |
| Component | httpd |
| Assignee | Luboš Uhliarik <luhliari> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 29 |
| CC | anon.amish, jkaluza, jorton, luhliari, pahan, rcritten, tmraz |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | httpd-2.4.34-7.fc29 httpd-2.4.34-8.fc29 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2018-10-02 19:28:51 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1638738 |
Description

Rob Crittenden, 2018-08-16 13:47:58 UTC

Created attachment 1477558 [details]
Proposed patch

Would it be better to submit this to upstream Apache? It seems rather Fedora-specific.

Hi Rob, for me, it seems like it should be fixed upstream, if httpd wants to use openssl's configuration instead of a built-in compile-time constant. We definitely don't wanna maintain downstream patches, if it is not necessary. Do you want to report it to upstream by yourself, or should I take care of it?

I'm not at all familiar with submitting to the Apache upstream so if you can do it I'd very much appreciate it.

If you have filed the upstream bug can you point a link to it here?

It occurred to me that this may not be applicable upstream if there isn't a common way to handle systemwide defaults like there is in Fedora. This is similar to the cipher default patch carried by Fedora, httpd-2.4.33-sslciphdefault.patch

I think probably we should patch this downstream. I'll look at this once I've finished going through other TLSv1.3 issues - probably not till next week Rob sorry.

It doesn't seem reasonable to push this upstream since AFAICT the desired behaviour is Fedora-specific and tied to the "system-cipherlist" patch in OpenSSL. Thanks for the report & patch, Rob. I pushed this with one minor change to add TRACE3 logging for the special case here. Next up is bug 1623165 but I think we can/should now comment-out SSLProtocol in the default ssl.conf too.

Actually it is not tied to the system-cipherlist patch at all. The minimum protocol version is set up in the default openssl config file. Which is modified from what upstream ships, but it is just the openssl config file modification and nothing else.

Tomas, I'm only testing on F28 but from strace I don't see httpd reading any OpenSSL config other than /etc/crypto-policies/back-ends/openssl.config - is there any other way the default protocol selection is configurable in OpenSSL?

Package: httpd-2.4.34-7.fc29

This is an openssl-1.1.1 feature so F29 and newer only.

httpd-2.4.34-8.fc29 has been submitted as an update to Fedora 29.
https://bodhi.fedoraproject.org/updates/FEDORA-2018-7f2a17fb92

httpd-2.4.34-8.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
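The practical consequence of this bug for an administrator is that two places decide the minimum TLS version mod_ssl will accept: an explicit `SSLProtocol` directive in ssl.conf, and, once that directive is commented out and the fixed package is installed, the `MinProtocol` the system crypto policy hands to OpenSSL. The script below is an added example, not code from the bug report, from the httpd project or from Fedora's crypto-policies; it models the behaviour the fix asks for (no active `SSLProtocol` line means the OpenSSL system default applies, an explicit one overrides it) and reports which of the two sources is in effect. The policy file path, its `MinProtocol = TLSv1.2` key/value form (OpenSSL's ssl_conf syntax) and all sample file contents are constructed for the demo. The `sslprotocol_min` helper follows mod_ssl's keyword rules, including the case where a keyword without a `+`/`-` prefix replaces everything parsed before it, which is why `SSLProtocol TLSv1.2 TLSv1.3` ends up allowing only TLSv1.3.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report or the httpd project): report the
# effective minimum TLS version for a mod_ssl vhost. Assumes the fixed
# behaviour: with no active SSLProtocol, mod_ssl defers to the OpenSSL
# system default (MinProtocol from the crypto-policy file); an explicit
# SSLProtocol overrides that policy. File names below are constructed.
set -eu

# Extract "MinProtocol = TLSvX.Y" from an OpenSSL ssl_conf-style policy file.
# Prints the version, or "unset" when the file has no MinProtocol line.
policy_min_protocol() {
  local v
  v=$(awk -F= '/^[[:space:]]*MinProtocol[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")
  printf '%s\n' "${v:-unset}"
}

# Print the value of the first active (uncommented) SSLProtocol directive in
# an httpd configuration file; prints nothing if it is commented out/absent.
httpd_sslprotocol() {
  awk 'tolower($1) == "sslprotocol" { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }' "$1"
}

# Lowest protocol left enabled by an SSLProtocol value such as
# "all -SSLv3 -TLSv1 -TLSv1.1". Keywords are mod_ssl's (case-insensitive);
# "+"/"-" add or remove a version, and an unprefixed keyword replaces the
# whole set built so far (mod_ssl logs a warning for that case).
sslprotocol_min() {
  local tok lower action name v ssl3=0 tls1=0 tls11=0 tls12=0 tls13=0
  for tok in $1; do
    lower=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
      +*) action=add; name=${lower#+} ;;
      -*) action=del; name=${lower#-} ;;
      *)  action=set; name=$lower ;;
    esac
    if [ "$action" = set ]; then ssl3=0; tls1=0; tls11=0; tls12=0; tls13=0; fi
    if [ "$action" = del ]; then v=0; else v=1; fi
    case "$name" in
      all)     ssl3=$v; tls1=$v; tls11=$v; tls12=$v; tls13=$v ;;
      sslv3)   ssl3=$v ;;
      tlsv1)   tls1=$v ;;
      tlsv1.1) tls11=$v ;;
      tlsv1.2) tls12=$v ;;
      tlsv1.3) tls13=$v ;;
      *) printf 'unknown SSLProtocol keyword: %s\n' "$tok" >&2; return 1 ;;
    esac
  done
  if   [ "$ssl3" = 1 ];  then echo SSLv3
  elif [ "$tls1" = 1 ];  then echo TLSv1
  elif [ "$tls11" = 1 ]; then echo TLSv1.1
  elif [ "$tls12" = 1 ]; then echo TLSv1.2
  elif [ "$tls13" = 1 ]; then echo TLSv1.3
  else echo none
  fi
}

# Effective minimum: explicit SSLProtocol wins, otherwise the crypto policy.
# Prints "<source> <version>" so a reviewer sees where the setting comes from.
effective_min_protocol() {
  local policy_file="$1" httpd_conf="$2" directive
  directive=$(httpd_sslprotocol "$httpd_conf")
  if [ -n "$directive" ]; then
    printf 'SSLProtocol %s\n' "$(sslprotocol_min "$directive")"
  else
    printf 'crypto-policy %s\n' "$(policy_min_protocol "$policy_file")"
  fi
}

# Constructed sample inputs standing in for the real policy file and ssl.conf.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf 'CipherString = DEFAULT@SECLEVEL=2\nMinProtocol = TLSv1.2\n' > "$DEMO_DIR/policy.config"
printf '#SSLProtocol all -SSLv3\nSSLHonorCipherOrder on\n' > "$DEMO_DIR/ssl-default.conf"   # directive commented out
printf '    SSLProtocol all -SSLv3\n' > "$DEMO_DIR/ssl-legacy.conf"                         # overrides policy, allows TLSv1
printf 'SSLProtocol TLSv1.2 TLSv1.3\n' > "$DEMO_DIR/ssl-bare.conf"                          # missing +/- prefixes

for conf in ssl-default.conf ssl-legacy.conf ssl-bare.conf; do
  printf '%-18s -> %s\n' "$conf" "$(effective_min_protocol "$DEMO_DIR/policy.config" "$DEMO_DIR/$conf")"
done
```

Run against a real host by pointing `effective_min_protocol` at the policy file OpenSSL actually reads and at each file under the httpd configuration directory that may carry `SSLProtocol`; a result of `SSLProtocol TLSv1` on a system whose policy says `TLSv1.2` is exactly the override that the default ssl.conf shipped before this fix caused.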