Bug 1304812 - Disable support for SSLv2 completely.
Summary: Disable support for SSLv2 completely.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Elio Maldonado Batiz
QA Contact: Hubert Kario
Docs Contact: Jana Heves
URL:
Whiteboard:
Depends On: 1311981
Blocks: 1306607
Reported: 2016-02-04 16:58 UTC by Hubert Kario
Modified: 2016-05-10 21:10 UTC (History)
CC: 7 users

Fixed In Version: nss-3.21.0-5.el6
Doc Type: Release Note
Doc Text:
Support for SSLv2 has been disabled. SSLv2 is insecure and should not be used in current deployments, and thus has been disabled without a way to override. Modern browsers and frameworks cannot negotiate SSLv2 connections in their default configuration, and many cannot be configured to perform SSLv2 negotiation at all. A recent OpenSSL vulnerability (CVE-2015-3197) shows that keeping this code is a liability. In addition, upstream has already removed support for SSLv2 (MZBZ#1228555).
Clone Of:
Environment:
Last Closed: 2016-05-10 21:10:20 UTC
Target Upstream Version:


Attachments
disable ssl2 support - libssl part (3.62 KB, patch)
2016-03-03 16:02 UTC, Elio Maldonado Batiz
disable ssl2 support - test scripts part (4.69 KB, patch)
2016-03-03 16:03 UTC, Elio Maldonado Batiz
Add "-c v " to tstclnt invocation for ocsp stapling tests and some SNI tests. (2.18 KB, patch)
2016-03-03 16:07 UTC, Elio Maldonado Batiz
ensure in ssl stress tool invocation lower protocol in range is ssl3 (2.38 KB, patch)
2016-03-03 16:13 UTC, Elio Maldonado Batiz
For ssl authentication tests ensure ssl3 is the minimum and not ssl2 (4.68 KB, patch)
2016-03-03 16:17 UTC, Elio Maldonado Batiz
nss.spec file changes - in patch format (3.32 KB, patch)
2016-03-03 16:18 UTC, Elio Maldonado Batiz


Links
Red Hat Product Errata RHBA-2016:0820 (priority normal, status SHIPPED_LIVE): nss bug fix and enhancement update; last updated 2016-05-10 22:40:02 UTC
Mozilla Foundation bug 1228555; last updated 2016-02-04 16:58:25 UTC

Description Hubert Kario 2016-02-04 16:58:26 UTC
Description of problem:
SSLv2 is a protocol known to be insecure for close to 20 years now. Recent OpenSSL vulnerability (CVE-2015-3197) shows that just keeping this code around is a liability. Moreover, upstream plans to remove it soon too: MZBZ#1228555.

Thus support for SSLv2 should be disabled without a way to override.
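Because, as the release note above says, current browsers and TLS libraries can no longer be made to speak SSLv2, the practical way to confirm that a server no longer negotiates it is to hand-build an SSLv2 CLIENT-HELLO and look at what comes back. The following is an added example written for this page; it is not NSS or Red Hat code and is not part of the bug report. The record layouts follow the SSLv2 specification (the Hickman draft), the cipher-kind table lists the seven SSLv2 cipher kinds from that specification, and the three sample replies are constructed by hand so the classifier can be exercised offline. The `probe()` helper, which talks to a real host, is the only part that needs network access.

```python
"""Build an SSLv2 CLIENT-HELLO and classify a server's reply to it.

Added example for the SSLv2-removal discussion; not NSS or Red Hat code.
Record layouts follow the SSLv2 specification (Hickman draft). The
SAMPLE_* replies below are constructed, not captured from any real host.
"""
import socket
import struct
import sys

# SSLv2 message types (first byte of the record body)
MSG_ERROR = 0x00
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04

# The seven SSLv2 cipher kinds, 3 bytes each, as named in the SSLv2 spec
SSL2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(challenge: bytes = b"\x11" * 16) -> bytes:
    """Return one SSLv2 record carrying a CLIENT-HELLO that offers every SSLv2 cipher kind."""
    if not 16 <= len(challenge) <= 32:
        raise ValueError("SSLv2 challenge must be 16..32 bytes")
    cipher_specs = b"".join(SSL2_CIPHER_KINDS)
    body = (
        bytes([MSG_CLIENT_HELLO])
        + b"\x00\x02"                                        # CLIENT-VERSION = 2
        + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
        + cipher_specs                                       # SESSION-ID is empty
        + challenge
    )
    # 2-byte record header: high bit set, 15-bit body length, no padding byte
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data: bytes) -> dict:
    """Decide from the first bytes a server sent back whether it accepted the SSLv2 hello."""
    if not data:
        return {"sslv2": False, "reason": "connection closed without a reply"}
    # A TLS-only server typically answers with a TLS alert record: type 21, version 3.x
    if data[0] == 0x15 and len(data) >= 3 and data[1] == 0x03:
        return {"sslv2": False, "reason": "TLS alert record (SSLv2 hello rejected)"}
    if not data[0] & 0x80 or len(data) < 3:
        return {"sslv2": False, "reason": "not an SSLv2 record"}
    length = ((data[0] & 0x7F) << 8) | data[1]
    payload = data[2:2 + length]
    if not payload:
        return {"sslv2": False, "reason": "truncated SSLv2 record"}
    msg_type = payload[0]
    if msg_type == MSG_ERROR:
        code = struct.unpack(">H", payload[1:3])[0] if len(payload) >= 3 else None
        return {"sslv2": False, "reason": f"SSLv2 ERROR message, code {code}"}
    if msg_type != MSG_SERVER_HELLO or len(payload) < 11:
        return {"sslv2": False, "reason": f"unexpected SSLv2 message type {msg_type:#x}"}
    # SERVER-HELLO: type, SESSION-ID-HIT, CERTIFICATE-TYPE, version(2),
    # CERTIFICATE-LENGTH(2), CIPHER-SPECS-LENGTH(2), CONNECTION-ID-LENGTH(2), then the data
    _hit, _cert_type, version, cert_len, specs_len, _conn_len = struct.unpack(">BBHHHH", payload[1:11])
    specs = payload[11 + cert_len: 11 + cert_len + specs_len]
    ciphers = [SSL2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs) - len(specs) % 3, 3)]
    return {"sslv2": True, "reason": "SSLv2 SERVER-HELLO received",
            "version": version, "ciphers": ciphers}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the CLIENT-HELLO to a live server and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)


# Constructed sample replies for offline use (not captured from any real host)
SAMPLE_SSLV2_SERVER_HELLO = (
    b"\x80\x0e"          # record header: 14-byte body
    + b"\x04"            # SERVER-HELLO
    + b"\x00"            # SESSION-ID-HIT = 0
    + b"\x01"            # CERTIFICATE-TYPE = X.509
    + b"\x00\x02"        # SERVER-VERSION = 2
    + b"\x00\x00"        # CERTIFICATE-LENGTH = 0 (certificate omitted in this sample)
    + b"\x00\x03"        # CIPHER-SPECS-LENGTH = 3
    + b"\x00\x00"        # CONNECTION-ID-LENGTH = 0
    + b"\x01\x00\x80"    # SSL_CK_RC4_128_WITH_MD5
)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"   # TLS fatal protocol_version alert
SAMPLE_SSLV2_ERROR = b"\x80\x03\x00\x00\x01"         # SSLv2 ERROR, code 1 (NO-CIPHER-ERROR)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        for sample in (SAMPLE_SSLV2_SERVER_HELLO, SAMPLE_TLS_ALERT, SAMPLE_SSLV2_ERROR, b""):
            print(classify_response(sample))
```

A server patched the way this bug describes should never produce the first outcome: you should see a TLS alert, an SSLv2 ERROR message, or a closed connection. Any SERVER-HELLO with version 2 means SSLv2 is still reachable on that port regardless of what the installed package version claims.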

Comment 10 Elio Maldonado Batiz 2016-03-03 16:02:07 UTC
Created attachment 1132852 [details]
disable ssl2 support - libssl part

Comment 11 Elio Maldonado Batiz 2016-03-03 16:03:49 UTC
Created attachment 1132853 [details]
disable ssl2 support - test scripts part

Comment 12 Elio Maldonado Batiz 2016-03-03 16:07:52 UTC
Created attachment 1132855 [details]
Add "-c v " to tstclnt invocation for ocsp stapling tests and some SNI tests.

Comment 13 Elio Maldonado Batiz 2016-03-03 16:13:43 UTC
Created attachment 1132859 [details]
ensure in ssl stress tool invocation lower protocol in range is ssl3

don't rely on default for minimum which is currently ssl2

Comment 14 Elio Maldonado Batiz 2016-03-03 16:17:04 UTC
Created attachment 1132860 [details]
For ssl authentication tests ensure ssl3 is the minimum and not ssl2

Comment 15 Elio Maldonado Batiz 2016-03-03 16:18:35 UTC
Created attachment 1132861 [details]
nss.spec file changes - in patch format

Comment 19 errata-xmlrpc 2016-05-10 21:10:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0820.html

