Bug 1300724 - [RFE] make possible to set minimum TLS version for OpenSSL in configuration file
Summary: [RFE] make possible to set minimum TLS version for OpenSSL in configuration file
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssl
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-01-21 14:39 UTC by David Jaša
Modified: 2021-09-09 11:45 UTC (History)
CC: 9 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Clones: 1527031 (view as bug list)
Environment:
Last Closed: 2018-11-08 19:42:46 UTC
Target Upstream Version:
Embargoed:



Description David Jaša 2016-01-21 14:39:52 UTC
Description of problem:
Most openssl-based programs use just SSLv23_method() in order to listen or connect using all supported protocols. When there is a requirement to limit the available protocols (e.g. as a response to a vulnerability like BEAST or POODLE), the only way to do that is to rebuild all the affected apps (if they don't already have a mechanism to set SSL_CTX_set_min_proto_version() on their own).

It would be beneficial to have a mechanism for this in openssl proper that would expose the SSL_CTX_set_min_proto_version() setting to the user, through the openssl.cnf config file (or maybe through an environment variable).


Version-Release number of selected component (if applicable):
RHEL 7.2 / openssl-1.0.1e-51.el7_2.2.x86_64

How reproducible:
always

Steps to Reproduce:
1. have a simple openssl-based server and client app using just SSL_CTX_new(SSLv23_method())
2. enforce minimum protocol version without modifying app itself
3.

Actual results:
no way to achieve the result without application modification or application-specific setting mechanism

Expected results:
openssl has a common way to set minimum protocol

Additional info:
similar setting would be beneficial for cipher whitelist/blacklist

