Bug 1274876 - httpd's mod_ssl default config is vulnerable to POODLE CVE-2014-3566
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Version: 5.11
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Luboš Uhliarik
QA Contact: BaseOS QE - Apps
Depends On:
Blocks:
Reported: 2015-10-23 14:44 EDT by Pat Riehecky
Modified: 2017-04-18 18:00 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1274888 1274890 (view as bug list)
Environment:
Last Closed: 2017-04-18 18:00:12 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Pat Riehecky 2015-10-23 14:44:55 EDT
Description of problem:
The default configuration of mod_ssl in EL5 permits SSLv3 connections.  Per CVE-2014-3566 this protocol is known to be a security risk.

Version-Release number of selected component (if applicable): mod_ssl-2.2.3-87


How reproducible: 100%


Steps to Reproduce:
1. Install apache with mod_ssl
2. Enable connections to port 443 via apache mod_ssl using the default config
3. Test an SSLv3 connection

Actual results:
SSLv3 connections are permitted

Expected results:
Since SSLv3 has known security issues, I expected it to be disabled by default.

Additional info:
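A configuration check for the condition this report describes, added here as an example; it is not part of the bug report or of Red Hat's httpd packaging. It expands an `SSLProtocol` directive the way mod_ssl does and reports whether SSLv3 would still be accepted, assuming the EL5 meaning of `all` (SSLv2, SSLv3, TLSv1 with OpenSSL 0.9.8), additive handling of unprefixed tokens, and a single configuration scope.

```python
import re

# Protocols "all" expands to in mod_ssl 2.2 on EL5 (OpenSSL 0.9.8); assumed
# here for the example, newer OpenSSL builds also include TLSv1.1/TLSv1.2.
ALL_EL5 = frozenset({"SSLv2", "SSLv3", "TLSv1"})

# Uncommented SSLProtocol directive; directive names are case-insensitive.
_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_sslprotocol(value, all_set=ALL_EL5):
    """Expand one SSLProtocol value, e.g. "all -SSLv2 -SSLv3", into the set of
    protocols left enabled.  Tokens are applied left to right: "-" removes a
    protocol, "+" or no prefix adds it (assumed additive, as in mod_ssl 2.2)."""
    canon = {p.lower(): p for p in all_set}          # normalise token case
    enabled = set()
    for token in value.split():
        remove = token.startswith("-")
        raw = token.lstrip("+-")
        names = set(all_set) if raw.lower() == "all" else {canon.get(raw.lower(), raw)}
        enabled = enabled - names if remove else enabled | names
    return frozenset(enabled)


def enabled_protocols(config_text, all_set=ALL_EL5):
    """Protocols the configuration leaves enabled.  If several directives are
    present the last wins (simplification: <VirtualHost> scoping is ignored);
    with none at all, mod_ssl's built-in default is equivalent to "all"."""
    found = _DIRECTIVE.findall(config_text)
    return parse_sslprotocol(found[-1] if found else "all", all_set)


def permits_sslv3(config_text, all_set=ALL_EL5):
    """True when the server would still accept an SSLv3 handshake."""
    return "SSLv3" in enabled_protocols(config_text, all_set)


# Constructed excerpts mirroring the stock EL5 ssl.conf and the proposed fix.
CONFIG_BEFORE = """\
SSLEngine on
#   SSL Protocol support:
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2
"""
CONFIG_AFTER = CONFIG_BEFORE.replace("-SSLv2", "-SSLv2 -SSLv3")

if __name__ == "__main__":
    for label, cfg in (("stock default", CONFIG_BEFORE), ("patched default", CONFIG_AFTER)):
        print(f"{label}: {sorted(enabled_protocols(cfg))}, SSLv3 permitted: {permits_sslv3(cfg)}")
```

Running it against a real `ssl.conf` only tells you what the file asks for; the protocols the running server actually offers also depend on the OpenSSL build it is linked against.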
Comment 1 Jim Lyle 2015-12-11 10:41:21 EST
Potential Patch:

--- SOURCES/ssl.conf    2015-10-30 10:26:57.000000000 -0500
+++ SOURCES/ssl.conf    2015-10-30 10:27:12.000000000 -0500
@@ -96,8 +96,8 @@ SSLEngine on
 
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
-# connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+# connect.  Disable SSLv2/v3 access by default:
+SSLProtocol all -SSLv2 -SSLv3
 
 #   SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
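Review bot: while touching the protocol comment, fix the typo in the retained context line `# List the enable protocol levels with which clients will be able to` ("enable" should read "enabled"), and have the new comment `# connect.  Disable SSLv2/v3 access by default:` name CVE-2014-3566 so the reason for the stricter default is recorded in the shipped ssl.conf rather than only in this bug.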
Comment 2 Chris Williams 2017-04-18 18:00:12 EDT
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page:
https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.
