Bug 1304812 - Disable support for SSLv2 completely.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Elio Maldonado Batiz
QA Contact: Hubert Kario
Docs Contact: Jana Heves
Depends On: 1311981
Blocks: 1306607
Reported: 2016-02-04 11:58 EST by Hubert Kario
Modified: 2016-05-10 17:10 EDT
CC: 7 users

Fixed In Version: nss-3.21.0-5.el6
Doc Type: Release Note
Doc Text:
Support for SSLv2 has been disabled. SSLv2 is insecure and should not be used in current deployments, so it has been disabled without a way to override this. All modern browsers and frameworks cannot negotiate SSLv2 connections in their default configuration, and many cannot be configured to perform SSLv2 negotiation at all. A recent OpenSSL vulnerability (CVE-2015-3197) shows that keeping this code is a liability. In addition, upstream has already removed support for SSLv2 (MZBZ#1228555).
Last Closed: 2016-05-10 17:10:20 EDT
Type: Bug

Attachments
disable ssl2 support - libssl part (3.62 KB, patch)
2016-03-03 11:02 EST, Elio Maldonado Batiz
disable ssl2 support - test scripts part (4.69 KB, patch)
2016-03-03 11:03 EST, Elio Maldonado Batiz
Add "-c v " to tstclnt invocation for ocsp stapling tests and some SNI tests. (2.18 KB, patch)
2016-03-03 11:07 EST, Elio Maldonado Batiz
ensure in ssl stress tool invocation lower protocol in range is ssl3 (2.38 KB, patch)
2016-03-03 11:13 EST, Elio Maldonado Batiz
For ssl authentication tests ensure ssl3 is the minimum and not ssl2 (4.68 KB, patch)
2016-03-03 11:17 EST, Elio Maldonado Batiz
nss.spec file changes - in patch format (3.32 KB, patch)
2016-03-03 11:18 EST, Elio Maldonado Batiz


External Trackers
Mozilla Foundation bug 1228555 (last updated 2016-02-04 11:58 EST)
Description Hubert Kario 2016-02-04 11:58:26 EST
Description of problem:
SSLv2 is a protocol known to be insecure for close to 20 years now. A recent OpenSSL vulnerability (CVE-2015-3197) shows that just keeping this code around is a liability. Moreover, upstream plans to remove it soon too: MZBZ#1228555.

Thus support for SSLv2 should be disabled without a way to override.
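As an added example (not part of this bug report, of NSS, or of the attached test-script patches), the following Python script checks the externally observable meaning of "SSLv2 disabled": it sends a hand-built SSLv2 CLIENT-HELLO offering all seven SSLv2 cipher kinds and reports whether the peer answers with an SSLv2 SERVER-HELLO, a TLS alert, or a closed connection. The two replies it classifies offline are constructed samples, and the host and port are whatever the caller passes in.

```python
"""SSLv2 CLIENT-HELLO probe: does an endpoint still answer in SSLv2?

Added example; not from the bug report, NSS, or its test suite.
The sample replies at the bottom are constructed, not captured from any host.
"""
import socket
import struct

SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002

# The seven SSLv2 cipher kinds (3-byte CIPHER-SPECs from the SSL 2.0 draft).
SSL2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def ssl2_record(body: bytes) -> bytes:
    """Prefix a handshake body with the 2-byte SSLv2 record header (top bit set, no padding)."""
    if len(body) > 0x7FFF:
        raise ValueError("2-byte SSLv2 header carries at most 32767 bytes")
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher kind, no session id, 16-byte challenge."""
    specs = b"".join(SSL2_CIPHER_SPECS)
    header = struct.pack("!BHHHH", SSL2_MT_CLIENT_HELLO, SSL2_VERSION,
                         len(specs), 0, len(challenge))
    return ssl2_record(header + specs + challenge)


def parse_server_hello(data: bytes):
    """Return the SERVER-HELLO fields if `data` starts with one, else None.

    A TLS record (alert 0x15, handshake 0x16) never has the top bit of its
    first byte set, so it is rejected here; truncated records are rejected too.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or length < 11 or body[0] != SSL2_MT_SERVER_HELLO:
        return None
    (_, session_id_hit, cert_type, version,
     cert_len, specs_len, conn_id_len) = struct.unpack("!BBBHHHH", body[:11])
    if version != SSL2_VERSION or 11 + cert_len + specs_len + conn_id_len != length:
        return None
    specs_raw = body[11 + cert_len:11 + cert_len + specs_len]
    specs = [specs_raw[i:i + 3] for i in range(0, specs_len, 3)]
    return {
        "session_id_hit": session_id_hit,
        "certificate_type": cert_type,
        "certificate_len": cert_len,
        "cipher_specs": [SSL2_CIPHER_SPECS.get(s, s.hex()) for s in specs],
        "connection_id_len": conn_id_len,
    }


def classify_response(data: bytes) -> str:
    """'sslv2' (SERVER-HELLO received), 'tls_alert', 'closed' (no bytes) or 'other'."""
    if not data:
        return "closed"
    if parse_server_hello(data) is not None:
        return "sslv2"
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return "tls_alert"
    return "other"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send one CLIENT-HELLO to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed SERVER-HELLO: no session hit, cert type 1 (X.509), 4 dummy
# certificate bytes, two accepted cipher kinds, 16-byte connection id.
SAMPLE_SSLV2_SERVER_HELLO = ssl2_record(
    struct.pack("!BBBHHHH", SSL2_MT_SERVER_HELLO, 0, 1, SSL2_VERSION, 4, 6, 16)
    + b"\x30\x82\x00\x00"
    + b"\x01\x00\x80" + b"\x07\x00\xc0"
    + b"\x42" * 16
)
# Constructed TLS 1.0 fatal handshake_failure alert: what a server without
# SSLv2 typically returns, if it does not simply close the connection.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(sys.argv[1], probe(sys.argv[1], port))
    else:
        print("sample SSLv2 reply:", classify_response(SAMPLE_SSLV2_SERVER_HELLO))
        print("sample TLS alert  :", classify_response(SAMPLE_TLS_ALERT))
```

Run with no arguments to see the two constructed samples classified; run with `host [port]` to probe a server you are authorized to test. A peer that still returns a SERVER-HELLO lists in `cipher_specs` the SSLv2 cipher kinds it is willing to use, which is exactly the behaviour CVE-2015-3197 showed OpenSSL exhibiting even for ciphers an administrator had disabled; after this erratum the expected result is `tls_alert` or `closed`.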
Comment 10 Elio Maldonado Batiz 2016-03-03 11:02 EST
Created attachment 1132852
disable ssl2 suppport - libssl part
Comment 11 Elio Maldonado Batiz 2016-03-03 11:03 EST
Created attachment 1132853
disable ssl2 support - test scripts part
Comment 12 Elio Maldonado Batiz 2016-03-03 11:07 EST
Created attachment 1132855
Add "-c v " to tstclnt invocation for ocsp stapling tests and some SNI tests.
Comment 13 Elio Maldonado Batiz 2016-03-03 11:13 EST
Created attachment 1132859
ensure in ssl stress tool invocation lower protocol in range is ssl3

Don't rely on the default for the minimum, which is currently ssl2.
Comment 14 Elio Maldonado Batiz 2016-03-03 11:17 EST
Created attachment 1132860
For ssl authentication tests ensure ssl3 is the minimum and not ssl2
Comment 15 Elio Maldonado Batiz 2016-03-03 11:18 EST
Created attachment 1132861
nss.spec file changes - in patch format
Comment 19 errata-xmlrpc 2016-05-10 17:10:20 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0820.html