Bug 498291

Summary: Export-grade ssl ciphers not disabled by appropriate SSLCipherSuite directive
Product: Red Hat Enterprise Linux 5 Reporter: David Hubbard <bugzillaredhat>
Component: httpdAssignee: Luboš Uhliarik <luhliari>
Status: CLOSED INSUFFICIENT_DATA QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: medium Docs Contact:
Priority: low    
Version: 5.5CC: jorton, lmiksik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-02 17:23:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1049888    

Description David Hubbard 2009-04-29 18:36:07 UTC 
Description of problem:

To achieve PCI compliance, websites accepting credit cards must disable all <128-bit SSL ciphers and other export-grade ciphers.  To accomplish this, the following directive replaces the original SSLCipherSuite directive in /etc/httpd/conf.d/ssl.conf:

SSLCipherSuite HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW

If you run:

openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:-LOW'

it will confirm that only the following ciphers should be supported:

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5 
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-RC4-SHA         SSLv3 Kx=DH       Au=DSS  Enc=RC4(128)  Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5 
KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 


However, even after doing that, apache continues to support:

Low Strength Ciphers ( 56-bit key) SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5
Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-EDH-RSA-DES-CBC-SHA
Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512)
Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA
Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40)



Version-Release number of selected component (if applicable):

httpd-2.2.3-22.el5

How reproducible:

100%

Steps to Reproduce:
1. Replace the SSLCipherSuite directive as mentioned above
2. Use the curl command with the --ciphers directive to force it to use a weak cipher that should not be supported when retrieving a URL from a server configured as mentioned above; it will continue to work.

  
Actual results:
Success

Expected results:
Failure to establish SSL connection

Additional info:
Comment 1 Joe Orton 2011-01-07 15:08:04 UTC 
Sorry for the slow response.

I can't reproduce this with the stock packages.  Using:

 $ curl --ciphers EXPORT https://localhost/

the result is

curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

which is precisely that expected of a failure to negotiate a suitable cipher suite.
Comment 2 Joe Orton 2013-12-02 17:23:42 UTC 
We couldn't reproduce this issue.  If you have further issues please contact your Red Hat support representative for assistance.
Comment 3 Red Hat Bugzilla 2023-09-14 23:56:47 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days