Red Hat Bugzilla – Bug 1274888
httpd's mod_ssl default config is vulnerable to POODLE CVE-2014-3566
Last modified: 2017-05-31 18:52:17 EDT
Verified on default EL6
+++ This bug was initially created as a clone of Bug #1274876 +++
Description of problem:
The default configuration of mod_ssl in EL5 permits SSLv3 connections. Per CVE-2014-3566 this protocol is known to be a security risk.
Version-Release number of selected component (if applicable): mod_ssl-2.2.3-87
Steps to Reproduce:
1. Install apache with mod_ssl
2. Enable connections to port 443 via apache mod_ssl using the default config
3. Test an SSLv3 connection
SSLv3 connections are permitted
Since SSLv3 has known security issues, I expected it to be disabled by default.
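The reporter's steps probe a running server; a complementary offline check, added here as an example (not part of this bug or of Red Hat's package), audits ssl.conf text and reports every context whose effective SSLProtocol still admits SSLv3, following mod_ssl's directive semantics (bare or +name enables, -name disables, last directive in a context wins, vhosts inherit the global value, no directive means the built-in "all"). The expansion of "all" for mod_ssl 2.2 and the sample configuration are assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Set

# What "all" expands to in mod_ssl 2.2 (the EL5/EL6 httpd line); newer
# releases add TLSv1.1/TLSv1.2. Assumed for this example.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}

def resolve_sslprotocol(args: str) -> Set[str]:
    """Evaluate one SSLProtocol argument list: +name/name adds, -name removes."""
    enabled: Set[str] = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def effective_protocols(conf: str) -> Dict[str, Set[str]]:
    """Enabled set per context. Last SSLProtocol in a context wins; a vhost
    without one inherits the global value; none at all means mod_ssl's
    built-in default, 'all'."""
    found: Dict[str, Optional[Set[str]]] = {"global": None}
    ctx = "global"
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # httpd has no inline comments
            continue
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            ctx = m.group(1).strip()
            found.setdefault(ctx, None)
        elif line.lower() == "</virtualhost>":
            ctx = "global"
        elif m := re.match(r"SSLProtocol\s+(.+)", line, re.I):
            found[ctx] = resolve_sslprotocol(m.group(1))
    glob = found["global"] if found["global"] is not None else set(ALL_PROTOCOLS)
    return {c: (set(p) if p is not None else set(glob)) for c, p in found.items()}

def sslv3_exposed(conf: str) -> List[str]:
    """Contexts that still accept SSLv3, i.e. the CVE-2014-3566 condition."""
    return [c for c, p in effective_protocols(conf).items() if "SSLv3" in p]

# Constructed sample: the EL5 default line globally, one vhost applying this
# bug's fix, one vhost relying on inheritance (so it stays exposed).
SAMPLE_CONF = """\
SSLProtocol all -SSLv2
<VirtualHost _default_:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost 10.0.0.5:443>
</VirtualHost>
"""
```

Calling `sslv3_exposed(SAMPLE_CONF)` returns the global context and the inheriting vhost, not the vhost that carries the fixed line.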
--- SOURCES/ssl.conf 2015-10-30 10:26:57.000000000 -0500
+++ SOURCES/ssl.conf 2015-10-30 10:27:12.000000000 -0500
@@ -96,8 +96,8 @@ SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
-# connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+# connect. Disable SSLv2/v3 access by default:
+SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
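Review bot: the new `SSLProtocol all -SSLv2 -SSLv3` line changes only the server-wide default in SOURCES/ssl.conf; any `<VirtualHost>` block that carries its own SSLProtocol keeps overriding it, so the comment above the directive should say that the setting must be repeated (or left unset) in vhost blocks for the default to take effect. Also worth stating in the comment that `all` still enables every other protocol the build supports, so the line reads as "no SSLv2/SSLv3" rather than "TLS only". Minor: the unchanged context line "List the enable protocol levels" should read "enabled".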
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.
The official life cycle policy can be reviewed here:
This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: