Description of problem:
The default configuration of mod_ssl in EL5 permits SSLv3 connections. Per CVE-2014-3566 this protocol is known to be a security risk.

Version-Release number of selected component (if applicable):
mod_ssl-2.2.3-87

How reproducible:
100%

Steps to Reproduce:
1. Install apache with mod_ssl
2. Enable connections to port 443 via apache mod_ssl using the default config
3. Test an SSLv3 connection

Actual results:
SSLv3 connections are permitted

Expected results:
Since SSLv3 has known security issues, I expected it to be disabled by default.

Additional info:
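A defender-side way to audit an httpd configuration for the condition this report describes, as an added example that is not part of the bug report or of the mod_ssl project: the script evaluates `SSLProtocol` directives with mod_ssl's own rules (`+NAME` adds, `-NAME` removes, a bare `NAME` replaces the set, `all` means every supported protocol, and a missing directive means `all`) and reports whether SSLv3 remains negotiable. The set of protocols known to the EL5 mod_ssl build (SSLv2, SSLv3, TLSv1) and the sample config text are assumptions for this example.

```python
import re

# Protocols supported by the httpd 2.2.x mod_ssl build in EL5 (assumption for this example).
ALL_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1"})


def parse_ssl_protocol(arg):
    """Evaluate one SSLProtocol argument string with mod_ssl's semantics:
    '+NAME' adds, '-NAME' removes, a bare NAME replaces the set, 'all' is every protocol."""
    enabled = set()
    for word in arg.split():
        action, name = "", word
        if word[0] in "+-":
            action, name = word[0], word[1:]
        if name.lower() == "all":
            protos = set(ALL_PROTOCOLS)
        else:
            match = next((p for p in ALL_PROTOCOLS if p.lower() == name.lower()), None)
            if match is None:
                raise ValueError("unknown protocol %r" % name)
            protos = {match}
        if action == "-":
            enabled -= protos
        elif action == "+":
            enabled |= protos
        else:
            enabled = protos  # unprefixed token resets the set, as mod_ssl does
    return frozenset(enabled)


def audit_config(text):
    """Return (line_number, enabled_protocols) for each SSLProtocol directive, skipping comments."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"(?i)SSLProtocol\s+(.+)$", stripped)
        if m:
            findings.append((lineno, parse_ssl_protocol(m.group(1))))
    return findings


def sslv3_permitted(text):
    """True if any directive, or the implicit default of 'all', leaves SSLv3 negotiable."""
    findings = audit_config(text)
    if not findings:
        return True  # no directive at all: mod_ssl 2.2 defaults to 'all', which includes SSLv3
    return any("SSLv3" in protos for _, protos in findings)


# Constructed samples: the shipped EL5 directive and the form the report asks for.
DEFAULT_CONF = "SSLEngine on\n# List the enabled protocol levels\nSSLProtocol all -SSLv2\n"
PATCHED_CONF = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("patched", PATCHED_CONF)):
        print(name, "config permits SSLv3:", sslv3_permitted(conf))
```

Point `audit_config` at the concatenated contents of httpd.conf and conf.d/*.conf to check a real host; a directive inside a `<VirtualHost>` block is evaluated the same way, since the directive syntax is identical there.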
Potential Patch: --- SOURCES/ssl.conf 2015-10-30 10:26:57.000000000 -0500 +++ SOURCES/ssl.conf 2015-10-30 10:27:12.000000000 -0500 @@ -96,8 +96,8 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to -# connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +# connect. Disable SSLv2/v3 access by default: +SSLProtocol all -SSLv2 -SSLv3 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate.
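Review bot: `SSLProtocol all -SSLv2 -SSLv3` does what the report asks, but the hunk should be accompanied by the result of step 3 of the reproduction (an SSLv3 connection attempt against a server running the patched ssl.conf, showing the handshake refused), since that is the evidence an errata decision would rest on. Two smaller points: the subtractive `all -...` form keeps whatever other protocols the build supports, so note in the commit message that a positive list (for example `SSLProtocol TLSv1`) was considered and rejected for consistency with the existing line; and while these lines are being touched, the context line "List the enable protocol levels" should read "List the enabled protocol levels".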
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page: https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX.

If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.