Bug 1274876 - httpd's mod_ssl default config is vulnerable to POODLE CVE-2014-3566
Summary: httpd's mod_ssl default config is vulnerable to POODLE CVE-2014-3566
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Version: 5.11
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Luboš Uhliarik
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-10-23 18:44 UTC by Pat Riehecky
Modified: 2019-10-10 10:24 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1274888 1274890
Environment:
Last Closed: 2017-04-18 22:00:12 UTC
Target Upstream Version:
Embargoed:



Description Pat Riehecky 2015-10-23 18:44:55 UTC
Description of problem:
The default configuration of mod_ssl in EL5 permits SSLv3 connections.  Per CVE-2014-3566 this protocol is known to be a security risk.

Version-Release number of selected component (if applicable): mod_ssl-2.2.3-87


How reproducible: 100%


Steps to Reproduce:
1. Install apache with mod_ssl
2. Enable connections to port 443 via apache mod_ssl using the default config
3. Test an SSLv3 connection

Actual results:
SSLv3 connections are permitted

Expected results:
Since SSLv3 has known security issues, I expected it to be disabled by default.

Additional info:
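The report above checks the default by probing a live server. The same question can be answered offline from the config file, because the effect of an SSLProtocol line follows a small set of rules: a bare protocol name replaces the set built so far, "+name" adds, "-name" removes, and "all" stands for every protocol the build knows. The following Python is an added example written for this bug, not code from httpd or from the EL5 package. It assumes that "all" expands to SSLv2, SSLv3 and TLSv1 for the EL5 mod_ssl (newer httpd/OpenSSL builds add TLSv1.1 and TLSv1.2), and it treats the config fragment as a single context, whereas real httpd evaluates the server-level directive and each VirtualHost separately. The sample config lines are constructed to match the shipped default and the change proposed later in this bug.

```python
"""Evaluate which protocols an Apache mod_ssl 'SSLProtocol' line leaves enabled.

Added example for this bug report; not code from httpd or from the EL5 package.
It re-implements the directive's evaluation rules so that a config fragment can
be checked for SSLv3 without probing a running server.
"""
import re

# Assumption: what 'all' expands to for the mod_ssl in EL5 (httpd 2.2.x on
# OpenSSL 0.9.8). Newer httpd/OpenSSL combinations also put TLSv1.1 and TLSv1.2
# in this set, so pass a different all_protocols for those builds.
ALL_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1"})

# Matches an active (not '#'-commented) SSLProtocol directive and captures its args.
_DIRECTIVE = re.compile(r"^[ \t]*SSLProtocol[ \t]+(.*?)[ \t]*$",
                        re.IGNORECASE | re.MULTILINE)


def parse_ssl_protocol(args, all_protocols=ALL_PROTOCOLS):
    """Return the frozenset of protocols enabled by one directive's arguments."""
    enabled = set()
    for word in args.split():
        action, name = "", word
        if word[0] in "+-":
            action, name = word[0], word[1:]
        if name.lower() == "all":
            this = set(all_protocols)
        else:
            # Protocol names are matched case-insensitively, as mod_ssl does.
            this = {p for p in all_protocols if p.lower() == name.lower()}
            if not this:
                raise ValueError("unknown protocol %r in SSLProtocol" % name)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            # Bare name: replaces whatever earlier words on the line set up
            # (mod_ssl logs a warning when this overrides a previous word).
            enabled = this
    return frozenset(enabled)


def effective_protocols(config_text, all_protocols=ALL_PROTOCOLS):
    """Effective set for a config fragment: the last active directive wins.

    Simplification (assumption): the fragment is treated as one context.
    Real httpd evaluates the server-level directive and per-VirtualHost
    overrides separately. With no directive at all, mod_ssl enables 'all'.
    """
    enabled = all_protocols
    for match in _DIRECTIVE.finditer(config_text):
        enabled = parse_ssl_protocol(match.group(1), all_protocols)
    return enabled


def sslv3_enabled(config_text, all_protocols=ALL_PROTOCOLS):
    """True when the fragment would still accept SSLv3 handshakes."""
    return "SSLv3" in effective_protocols(config_text, all_protocols)


# Constructed samples: the shipped EL5 default and the line this bug proposes.
EL5_DEFAULT = """\
#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2
"""

PROPOSED = EL5_DEFAULT.replace("SSLProtocol all -SSLv2",
                               "SSLProtocol all -SSLv2 -SSLv3")

if __name__ == "__main__":
    for label, text in (("EL5 default", EL5_DEFAULT), ("proposed", PROPOSED)):
        protos = ", ".join(sorted(effective_protocols(text)))
        verdict = "SSLv3 still enabled" if sslv3_enabled(text) else "ok"
        print("%-12s %-24s %s" % (label, protos, verdict))
```

Running the script reports the default as still accepting SSLv3 and the proposed line as TLS-only. Because the checker mirrors the directive's own rules, it also handles the other common spellings such as "-all +TLSv1", and it ignores commented-out directives rather than being fooled by them.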

Comment 1 Jim Lyle 2015-12-11 15:41:21 UTC
Potential Patch:

--- SOURCES/ssl.conf    2015-10-30 10:26:57.000000000 -0500
+++ SOURCES/ssl.conf    2015-10-30 10:27:12.000000000 -0500
@@ -96,8 +96,8 @@ SSLEngine on
 
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
-# connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+# connect.  Disable SSLv2/v3 access by default:
+SSLProtocol all -SSLv2 -SSLv3
 
 #   SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
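Review bot: The hunk only changes the packaged default in SOURCES/ssl.conf, so a server whose installed ssl.conf was already edited locally will keep `SSLProtocol all -SSLv2` after the package update, since RPM leaves a locally modified config file in place; the changelog or a release note should tell administrators to add `-SSLv3` to an existing ssl.conf themselves. The directive change itself is right: appending `-SSLv3` after `all -SSLv2` removes SSLv3 from the set and leaves the TLS versions the build supports, and the updated comment matches the new behaviour.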

Comment 2 Chris Williams 2017-04-18 22:00:12 UTC
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page:
https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.

