`SSLv3` disabled in *mod_ssl*
To improve the security of SSL/TLS connections, the default configuration of the *httpd mod_ssl* module has been changed to disable support for the `SSLv3` protocol, and to restrict the use of certain cryptographic cipher suites. This change will affect only fresh installations of the *mod_ssl* package, so existing users should manually change the SSL configuration as required.
Any SSL clients attempting to establish connections using `SSLv3`, or using a cipher suite based on `DES` or `RC4`, will be denied in the new default configuration. To allow such insecure connections, modify the `SSLProtocol` and `SSLCipherSuite` directives in the `/etc/httpd/conf.d/ssl.conf` file.
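A check that existing installations can run against their own `ssl.conf` before making the manual change, as an added example that is not part of the original bug report or the *mod_ssl* package. The function names are hypothetical, the set of protocols that `all` expands to is an assumption (it depends on the httpd and OpenSSL build), an unprefixed token is treated like `+`, and `SSLCipherSuite` is not evaluated.

```python
import re

# Assumption: the protocol names that "all" expands to; the real set depends
# on the httpd/OpenSSL build.
ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
INSECURE = {"sslv2", "sslv3"}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.*)$", re.IGNORECASE)


def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right into a set of names."""
    enabled = set()
    for token in args.split():
        sign, name = ("-", token[1:]) if token.startswith("-") else ("+", token.lstrip("+"))
        name = name.lower()
        if name != "all" and name not in ALL:
            raise ValueError("unknown protocol token: " + token)
        selected = ALL if name == "all" else {name}
        # Simplification: an unprefixed token is treated like "+", which can
        # only over-report what is enabled, never hide SSLv3.
        enabled = enabled - selected if sign == "-" else enabled | selected
    return enabled


def audit(conf_text):
    """Return (line_number, insecure_protocols) for each active SSLProtocol line."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)  # lines starting with '#' do not match
        if match:
            bad = sorted(enabled_protocols(match.group(1)) & INSECURE)
            findings.append((lineno, bad))
    return findings


# Constructed sample: the old and new default lines from the patch in this
# report, plus a commented-out directive that must be ignored.
SAMPLE = """\
SSLEngine on
#SSLProtocol all
SSLProtocol all -SSLv2
<VirtualHost _default_:443>
SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, bad in audit(SAMPLE):
        print(lineno, "insecure: " + ", ".join(bad) if bad else "ok")
```

Every active `SSLProtocol` line is reported separately because a directive inside a virtual host can differ from the one at server level.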
Verified on default EL7
+++ This bug was initially created as a clone of Bug #1274876 +++
Description of problem:
The default configuration of mod_ssl in EL5 permits SSLv3 connections. Per CVE-2014-3566 this protocol is known to be a security risk.
Version-Release number of selected component (if applicable): mod_ssl-2.2.3-87
Steps to Reproduce:
1. Install apache with mod_ssl
2. Enable connections to port 443 via apache mod_ssl using the default config
3. Test an SSLv3 connection
SSLv3 connections are permitted
Since SSLv3 has known security issues, I expected it to be disabled by default.
--- SOURCES/ssl.conf 2015-10-30 10:26:57.000000000 -0500
+++ SOURCES/ssl.conf 2015-10-30 10:27:12.000000000 -0500
@@ -96,8 +96,8 @@ SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
-# connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+# connect. Disable SSLv2/v3 access by default:
+SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
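Review bot: The reworded comment on the `+# connect. Disable SSLv2/v3 access by default:` line says what is disabled but not why, so an administrator who later edits `SSLProtocol` gets no hint that re-adding SSLv3 brings back the CVE-2014-3566 exposure; consider naming the CVE in that comment. The `SSLProtocol all -SSLv2 -SSLv3` form is subtractive, so anything else that `all` covers stays enabled, and the hunk ends at the `# SSL Cipher Suite:` context without touching the cipher list, so the DES and RC4 restriction described in the doc text has to come from a separate change.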
*** Bug 1388068 has been marked as a duplicate of this bug. ***
*** Bug 1457785 has been marked as a duplicate of this bug. ***
*** Bug 1428434 has been marked as a duplicate of this bug. ***
*** Bug 1492637 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.