Description of problem
New tog-pegasus introduces option sslBackwardCompatibility:
> Description: This setting specifies whether the ssl supports
> SSLv3 and versions of TLS lesser than 1.2. Ideally for security
> compliance purposes it is by default set to false.
> Default Value: false
> Dynamic: No
Per consultation with security QA (Hubert Kario):
While SSLv3 is indeed insecure and dangerous, the same cannot be said
about TLS1.1 or even TLS1.1, so the option effect is a bit excessive.
Since it's off by default, in fact it introduces regression: any clients
that do not use TLS1.2 but will try TLS1.0 or TLS1.1 will be refused.
Version-Release number of selected component
Steps to Reproduce
1. Start tog-pegasus service with default settings
2. connect using TLS1.0 or TLS1.1
Actual results:
Connection is shut down (RST) by server
Expected results:
Connection should succeed.
Created attachment 1075693
Patch modifies sslBackwardCompatibility option to affect only SSLv3 support. (This should probably be emphasized in release notes, as it differs from upstream/expected behaviour significantly.)
Note to QA: we have at least one test case (TC#506392) that can safely cover this.
Also I will add a specific test case as well; it should be really simple:
1. Connect to the HTTPS port with
   * various SSL/TLS versions, at least
     * TLS1.0 (=SSLv1.1),
     * TLS1.3 if you have a client that supports it.
   * sslBackwardCompatibility set to true or false (default)
Consider using curl, openssl s_client or similar. It's enough
if you get connected and *some* reply from the server; an
HTTP 4xx reply is OK.
2. Make sure only SSLv3 is turned off by default, and turning on
sslBackwardCompatibility turns SSLv3 back on (IOW all versions
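The check described in the two steps above, written out as an added example (not code from the bug report or from tog-pegasus): a POSIX shell script that probes one HTTPS port with each protocol version via `openssl s_client` and compares every outcome against what the patched option semantics predict, namely that only SSLv3 follows sslBackwardCompatibility and TLS 1.0 and later are always accepted. It goes slightly beyond the note by covering every version the local openssl can offer. Host, port and the option's current value are assumptions passed on the command line; the script also assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not from the bug report or tog-pegasus): probe a server's
# HTTPS port with every SSL/TLS version and compare each result with what
# the patched sslBackwardCompatibility semantics predict (only SSLv3 depends
# on the option; TLS 1.0 and later are always accepted). Host, port and the
# option's value are assumptions given on the command line.

# Verdict the patched semantics predict for a protocol.
#   $1 = s_client protocol option name (ssl3|tls1|tls1_1|tls1_2|tls1_3)
#   $2 = sslBackwardCompatibility value (true|false)
expected_verdict() {
    case "$1" in
        ssl3)
            if [ "$2" = "true" ]; then echo accept; else echo refuse; fi ;;
        tls1|tls1_1|tls1_2|tls1_3)
            echo accept ;;
        *)
            echo unknown ;;
    esac
}

# Classify one s_client run from its exit status and captured output.
#   accept - handshake completed (s_client prints a "Protocol  :" line)
#   skip   - the local openssl refused to offer that version itself
#            (OpenSSL reason string "no protocols available"), so the
#            server was never asked
#   refuse - anything else: handshake failure, reset, timeout
#   $1 = exit status, $2 = output
observed_verdict() {
    if printf '%s' "$2" | grep -q 'no protocols available'; then
        echo skip
    elif [ "$1" -eq 0 ] && printf '%s' "$2" | grep -q 'Protocol *:'; then
        echo accept
    else
        echo refuse
    fi
}

# Probe one protocol version; prints "<proto> <observed> <expected>".
# A version the local openssl build lacks (e.g. -ssl3 compiled out) is
# reported as skip rather than refuse, because the server was not consulted.
probe_one() {
    host=$1; port=$2; proto=$3; compat=$4
    if ! openssl s_client -help 2>&1 | grep -q -- "^[[:space:]]*-$proto[[:space:]]"; then
        printf '%s skip %s\n' "$proto" "$(expected_verdict "$proto" "$compat")"
        return 0
    fi
    status=0
    # Send a minimal request so the server has something to answer; any HTTP
    # status is fine, the point is only whether the handshake completes.
    out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "$host:$port" "-$proto" 2>&1) || status=$?
    printf '%s %s %s\n' "$proto" "$(observed_verdict "$status" "$out")" "$(expected_verdict "$proto" "$compat")"
}

# Run all versions and flag any result that contradicts the expected policy.
#   $1 = host, $2 = port, $3 = sslBackwardCompatibility value (default false)
run_probes() {
    host=$1; port=$2; compat=${3:-false}
    for proto in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        probe_one "$host" "$port" "$proto" "$compat"
    done | while read -r proto observed expected; do
        case "$observed" in
            skip)        mark="SKIPPED (local openssl cannot offer $proto)" ;;
            "$expected") mark=OK ;;
            *)           mark=MISMATCH ;;
        esac
        printf '%-7s observed=%-7s expected=%-7s %s\n' "$proto" "$observed" "$expected" "$mark"
    done
}

# Usage: sh probe_pegasus_tls.sh <host> <port> [true|false]
# Run once with the option at its default (false) and once after setting it
# to true and restarting the service; only the ssl3 row should change.
if [ "$#" -ge 2 ]; then
    run_probes "$@"
fi
```

Read the two runs side by side: the ssl3 row is the only one that should flip between refuse and accept, while the tls1 and tls1_1 rows should read accept in both runs, which is exactly the regression the original behaviour produced. A refuse on tls1_3 against a server whose OpenSSL predates TLS 1.3 is unrelated to the option, and a skip on tls1 or tls1_1 means the client's own OpenSSL would not offer that version, so use an older client build for those rows.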
Automated test scheduled for the new build: TJ#1092237
All passed; thanks!
quick fix jumped over the lazy bug
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.