Description of problem: An attack known as POODLE (see bug 1152789) was reported recently, which demonstrates a practical MITM attack against SSL 3.0 connections in the HTTPS / web browser use case. Because of it, the default mod_ssl configuration in Fedora (at least for all future versions) should be updated to disable SSL 3.0 by default, i.e. ssl.conf should read:

SSLProtocol all -SSLv2 -SSLv3
Note that my initial description in comment 0 is somewhat misleading, as SSLv3 is already disabled by default in Rawhide because of the following OpenSSL change: http://pkgs.fedoraproject.org/cgit/openssl.git/commit/?id=80b5477

This disables both SSLv2 and SSLv3 by default in SSLv23_method(), which is what mod_ssl uses when more than one version is requested. The side effect of this change in OpenSSL is that some configurations that attempt to explicitly enable SSLv3 don't work correctly. While this enables SSLv3, as it uses SSLv3_method:

SSLProtocol +SSLv3

the following two do not work:

SSLProtocol +SSLv3 +TLSv1
SSLProtocol all -TLSv1.1 -TLSv1.2

It should be possible to fix this with the use of SSL_CTX_clear_options.

Another side note: the -SSLv2 part is now redundant, as httpd 2.4 unconditionally disables SSLv2. An attempt to use SSLProtocol SSLv2 ends with a config syntax error:

SSLProtocol: SSLv2 is no longer supported
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
I've committed <http://svn.apache.org/r1692258> upstream to address part of this bug. With that change, httpd prints a warning when an admin tries to enable an SSLProtocol which is disabled by OpenSSL by default, but it will enable that protocol. This should address the issues reported in comment 1. We will also disable SSLv3 in Fedora 23 and Rawhide using (committed together with a patch):

SSLProtocol all -SSLv2 -SSLv3

I will wait a bit with the commit to let upstream review and comment on the patch.

(In reply to Jan Kaluža from comment #4)
> I've committed <http://svn.apache.org/r1692258> upstream to address part of
> this bug. With that change, httpd prints a warning when admin tries to
> enable SSLProtocol which is disabled by OpenSSL by default, but it will
> enable that protocol.

The fix should also be tested with OpenSSL compiled with SSL3 support disabled (no-ssl3 configure option, IIRC), with respect to the warning, or the expectation that httpd will log a warning if it is asked to enable something disabled in OpenSSL. It's likely that SSL_OP_NO_SSLv3 is not set by default in such OpenSSL builds, and clearing the flag should not enable SSL3.
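The following is an added model, written for this page and not code from httpd, OpenSSL or Fedora, of how the SSLProtocol directive turns into the set of versions a server will negotiate in the cases raised in comments 1, 4 and 5: a bare keyword replaces the set, +/- add and remove, -SSLv2 is tolerated but SSLv2 is rejected, a single version selects the version-specific method (SSLv3_method etc.), and a multi-version set selects SSLv23_method and so inherits the library's default SSL_OP_NO_SSLv3 unless mod_ssl clears it. The bit values, the function names and the `library_disables_sslv3`, `fixed` and `no_ssl3_build` switches are this example's own simplifications; the warning texts are illustrative, not the strings httpd logs.

```python
"""Model of SSLProtocol -> negotiable versions for httpd 2.4 + OpenSSL.

Added illustration for this bug thread, not httpd or OpenSSL source.
"""

SSLV3, TLSV1, TLSV1_1, TLSV1_2 = 1, 2, 4, 8          # mod_ssl protocol bits (model values)
ALL = SSLV3 | TLSV1 | TLSV1_1 | TLSV1_2              # 'all' in httpd 2.4 never includes SSLv2
NAMES = {"sslv3": SSLV3, "tlsv1": TLSV1, "tlsv1.1": TLSV1_1, "tlsv1.2": TLSV1_2}
DISPLAY = {SSLV3: "SSLv3", TLSV1: "TLSv1", TLSV1_1: "TLSv1.1", TLSV1_2: "TLSv1.2"}
OP_NO_SSLV3 = 0x02000000                             # stands in for SSL_OP_NO_SSLv3


def parse_ssl_protocol(args):
    """Turn the argument string of one SSLProtocol line into a protocol mask."""
    mask = 0
    for word in args.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("=", word)
        name = name.lower()
        if name == "sslv2":
            if action == "-":
                continue  # redundant but accepted: httpd 2.4 has no SSLv2 at all
            raise ValueError("SSLProtocol: SSLv2 is no longer supported")
        bit = ALL if name == "all" else NAMES.get(name)
        if bit is None:
            raise ValueError(f"SSLProtocol: Illegal protocol '{name}'")
        if action == "+":
            mask |= bit
        elif action == "-":
            mask &= ~bit
        else:
            mask = bit    # bare keyword replaces whatever was set before
    if mask == 0:
        raise ValueError("SSLProtocol: no protocol enabled")
    return mask


def negotiable_versions(mask, *, library_disables_sslv3=True, fixed=False,
                        no_ssl3_build=False):
    """Return (versions, warnings) for a server context built from `mask`.

    library_disables_sslv3: the OpenSSL build puts SSL_OP_NO_SSLv3 into every
        new SSLv23 context (the Fedora openssl change referenced in comment 1).
    fixed: mod_ssl clears that default option, with a warning, when the admin
        explicitly enabled SSLv3 (the r1692258 behaviour described in comment 4).
    no_ssl3_build: OpenSSL was configured with no-ssl3, so the SSLv3 code is
        absent and no option clearing can bring it back (comment 5).
    """
    warnings = []
    wanted = {DISPLAY[bit] for bit in DISPLAY if mask & bit}
    if no_ssl3_build:
        if "SSLv3" in wanted:
            warnings.append("SSLProtocol: SSLv3 requested but not built into OpenSSL")
            wanted.discard("SSLv3")
        return wanted, warnings
    if mask in DISPLAY:           # exactly one version: SSLv3_server_method() etc.
        return wanted, warnings   # version-specific methods do not consult SSL_OP_NO_*
    # Several versions: SSLv23_server_method(); the context starts with library defaults.
    ctx_options = OP_NO_SSLV3 if library_disables_sslv3 else 0
    if not mask & SSLV3:
        ctx_options |= OP_NO_SSLV3     # mod_ssl disables every version not in the mask
    elif ctx_options & OP_NO_SSLV3 and fixed:
        warnings.append("SSLProtocol: enabling SSLv3, which OpenSSL disables by default")
        ctx_options &= ~OP_NO_SSLV3    # SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3)
    if ctx_options & OP_NO_SSLV3:
        wanted.discard("SSLv3")
    return wanted, warnings


def compare(args, **kw):
    """Negotiable versions for one SSLProtocol line before and after the fix."""
    mask = parse_ssl_protocol(args)
    before, _ = negotiable_versions(mask, fixed=False, **kw)
    after, warns = negotiable_versions(mask, fixed=True, **kw)
    return sorted(before), sorted(after), warns


if __name__ == "__main__":
    for line in ("+SSLv3", "+SSLv3 +TLSv1", "all -TLSv1.1 -TLSv1.2", "all -SSLv2 -SSLv3"):
        before, after, warns = compare(line)
        print(f"SSLProtocol {line:24} before: {before}  after: {after}  {warns}")
```

Running the block shows the two configurations from comment 1 silently losing SSLv3 before the fix and regaining it (with a warning) after it, while the default `all -SSLv2 -SSLv3` line is unaffected either way; passing `no_ssl3_build=True` to `compare` shows SSLv3 staying off regardless of the option clearing.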
Configuration as of 2.4.17 for master now matches upstream with:

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

http://pkgs.fedoraproject.org/cgit/httpd.git/diff/?id=91a2788bcecc45df329bd121a15ea7ec86285d82
httpd-2.4.17-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-6b34a700fb
httpd-2.4.17-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with

$ su -c 'dnf --enablerepo=updates-testing update httpd'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-6b34a700fb
httpd-2.4.17-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.