Bug 1274888 - httpd's mod_ssl default config is vulnerable to POODLE CVE-2014-3566
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: httpd
Version: 6.7
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Assigned To: Luboš Uhliarik
QA Contact: BaseOS QE - Apps
Blocks: 1269194
Reported: 2015-10-23 14:48 EDT by Pat Riehecky
Modified: 2017-05-31 18:52 EDT
Clone Of: 1274876
Last Closed: 2017-05-31 18:52:17 EDT
Type: Bug
Attachments: None

Description Pat Riehecky 2015-10-23 14:48:35 EDT
Verified on default EL6

+++ This bug was initially created as a clone of Bug #1274876 +++

Description of problem:
The default configuration of mod_ssl in EL5 permits SSLv3 connections.  Per CVE-2014-3566 this protocol is known to be a security risk.

Version-Release number of selected component (if applicable): mod_ssl-2.2.3-87


How reproducible: 100%


Steps to Reproduce:
1. Install Apache with mod_ssl
2. Enable connections to port 443 via Apache mod_ssl using the default config
3. Test an SSLv3 connection

Actual results:
SSLv3 connections are permitted

Expected results:
Since SSLv3 has known security issues, I expected it to be disabled by default.

Additional info:
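The reproduction steps above come down to two checks: what the `SSLProtocol` line in ssl.conf actually enables, and whether a running server negotiates SSLv3. The helper below is an added example, not part of the bug report or of the httpd package. It evaluates the directive with mod_ssl's own rules (`+X` adds, `-X` removes, a bare `X` replaces everything set so far) and wraps the `openssl s_client -ssl3` probe that step 3 implies. Assumptions: the expansion of `all` in `ALL_PROTOCOLS` is what mod_ssl on EL6 with OpenSSL 1.0.1 offers; only the last `SSLProtocol` line in the file is considered (per-VirtualHost scoping is ignored); the function names `effective_protocols`, `allows_sslv3` and `probe_sslv3` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report or the httpd package): evaluate the
# SSLProtocol directive in an ssl.conf the way mod_ssl does, then optionally
# probe a live server for SSLv3 as in step 3 of the report.
#
# Assumption: "all" expands to the list below (mod_ssl on EL6 with OpenSSL
# 1.0.1).  Only the last SSLProtocol line in the file is considered, and
# keywords are matched as written, so use the spelling ssl.conf uses.
ALL_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# Expand the keyword "all"; any other protocol name is returned unchanged.
expand_keyword() {
    if [ "$1" = "all" ] || [ "$1" = "ALL" ]; then echo "$ALL_PROTOCOLS"; else echo "$1"; fi
}

# add_protos LIST NEW: append each item of NEW that is not already in LIST.
add_protos() {
    out="$1"
    for p in $2; do
        case " $out " in *" $p "*) ;; *) out="$out $p" ;; esac
    done
    echo $out
}

# remove_protos LIST DROP: return LIST without any item of DROP.
remove_protos() {
    out=""
    for p in $1; do
        case " $2 " in *" $p "*) ;; *) out="$out $p" ;; esac
    done
    echo $out
}

# effective_protocols FILE: print the protocols the last SSLProtocol line
# enables.  mod_ssl semantics: "+X" adds, "-X" removes, and a bare "X"
# REPLACES everything set so far (mod_ssl logs a warning about a missing
# +/- prefix in that case).  No directive at all means the built-in "all".
effective_protocols() {
    line=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    [ -n "$line" ] || line="SSLProtocol all"
    set -- $line
    shift                              # drop the directive name itself
    enabled=""
    for word in "$@"; do
        case "$word" in
            +*) enabled=$(add_protos "$enabled" "$(expand_keyword "${word#+}")") ;;
            -*) enabled=$(remove_protos "$enabled" "$(expand_keyword "${word#-}")") ;;
            *)  [ -z "$enabled" ] || echo "warning: '$word' overrides '$enabled'; missing +/- prefix?" >&2
                enabled=$(expand_keyword "$word") ;;
        esac
    done
    echo $enabled
}

# allows_sslv3 FILE: exit 0 if the config still permits SSLv3 (POODLE-exposed).
allows_sslv3() {
    case " $(effective_protocols "$1") " in
        *" SSLv3 "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# probe_sslv3 HOST [PORT]: step 3 of the report against a running server.
# Needs a local openssl that still has SSLv3 (EL6's openssl-1.0.1e does;
# OpenSSL 1.1+ is usually built without it, in which case "-ssl3" is
# rejected and the probe reports "not negotiated" without proving anything).
probe_sslv3() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1) || true
    # A failed handshake still prints "Protocol : SSLv3" with "Cipher : 0000",
    # so require a real cipher before calling the server vulnerable.
    if echo "$out" | grep -q 'Protocol *: *SSLv3' \
       && ! echo "$out" | grep -q 'Cipher *: *0000'; then
        echo "SSLv3 ACCEPTED by $host:$port (vulnerable to CVE-2014-3566)"
        return 0
    fi
    echo "SSLv3 not negotiated with $host:$port (rejected, or local openssl lacks -ssl3)"
    return 1
}
```

Usage on the box under test: `allows_sslv3 /etc/httpd/conf.d/ssl.conf && echo "config still allows SSLv3"`, then `probe_sslv3 localhost 443` after restarting httpd. The bare-word rule is the trap worth knowing: `SSLProtocol TLSv1 TLSv1.1 TLSv1.2` ends up enabling only TLSv1.2, which is why the form `all -SSLv2 -SSLv3` is the safe way to write the fix on 2.2.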
Comment 2 Jim Lyle 2015-12-11 10:42:48 EST
Potential Patch:

--- SOURCES/ssl.conf    2015-10-30 10:26:57.000000000 -0500
+++ SOURCES/ssl.conf    2015-10-30 10:27:12.000000000 -0500
@@ -96,8 +96,8 @@ SSLEngine on
 
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
-# connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+# connect.  Disable SSLv2/v3 access by default:
+SSLProtocol all -SSLv2 -SSLv3
 
 #   SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
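Review bot: the replacement comment `# connect.  Disable SSLv2/v3 access by default:` records what changed but not why, so an admin reading ssl.conf later has no hint that adding `+SSLv3` back reopens CVE-2014-3566; suggest `# connect.  Disable SSLv2 and SSLv3 by default (SSLv3 is vulnerable to POODLE, CVE-2014-3566):`. Note also that the hunk only edits the ssl.conf template under SOURCES/, so a deployment whose ssl.conf still carries `SSLProtocol all -SSLv2` keeps permitting SSLv3 until that line is edited too; the update note should say so rather than present the package update alone as the fix.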
Comment 5 Chris Williams 2017-05-31 18:52:17 EDT
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com
