1304812 – Disable support for SSLv2 completely.

Bug 1304812 - Disable support for SSLv2 completely.

Summary: Disable support for SSLv2 completely.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	nss
Sub Component:
Version:	6.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Elio Maldonado Batiz
QA Contact:	Hubert Kario
Docs Contact:	Jana Heves
URL:
Whiteboard:
Depends On:	1311981
Blocks:	1306607
TreeView+	depends on / blocked

Reported:	2016-02-04 16:58 UTC by Hubert Kario
Modified:	2016-05-10 21:10 UTC (History)
CC List:	7 users (show)
Fixed In Version:	nss-3.21.0-5.el6
Doc Type:	Release Note
Doc Text:	Support for SSLv2 has been disabled SSLv2 is insecure and should not be used in current deployments, and thus has been disabled without a way to override. All modern browsers and frameworks cannot negotiate SSLv2 connections in default configuration and many cannot be configured to perform SSLv2 negotiation. A recent OpenSSL vulnerability (CVE-2015-3197) shows that keeping this code is a liability. In addition, upstream has already removed support for SSLv2 (MZBZ#1228555).
Clone Of:
Environment:
Last Closed:	2016-05-10 21:10:20 UTC
Target Upstream Version:

Attachments	(Terms of Use)
disable ssl2 suppport - libssl part (3.62 KB, patch) 2016-03-03 16:02 UTC, Elio Maldonado Batiz	no flags	Details \| Diff
disable ssl2 support - test scripts part (4.69 KB, patch) 2016-03-03 16:03 UTC, Elio Maldonado Batiz	no flags	Details \| Diff
Add "-c v " to tstclnt invocation for ocsp stapling tests and some SNI tests. (2.18 KB, patch) 2016-03-03 16:07 UTC, Elio Maldonado Batiz	no flags	Details \| Diff
ensure in ssl stress tool invocation lower protocol in range is ssl3 (2.38 KB, patch) 2016-03-03 16:13 UTC, Elio Maldonado Batiz	no flags	Details \| Diff
For ssl authentication tests ensure ssl3 is the minimum and not ssl2 (4.68 KB, patch) 2016-03-03 16:17 UTC, Elio Maldonado Batiz	no flags	Details \| Diff
nss.spec file changes - in patch format (3.32 KB, patch) 2016-03-03 16:18 UTC, Elio Maldonado Batiz	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:0820	normal	SHIPPED_LIVE	nss bug fix and enhancement update	2016-05-10 22:40:02 UTC
Mozilla Foundation	1228555	None	None	None	2016-02-04 16:58:25 UTC

Description Hubert Kario 2016-02-04 16:58:26 UTC

Description of problem:
SSLv2 is a protocol known to be insecure for close to 20 years now. Recent OpenSSL vulnerability (CVE-2015-3197) shows that just keeping this code around is a liability. Moreover, upstream plans to remove it soon too: MZBZ#1228555.

Thus support for SSLv2 should be disabled without a way to override.

Comment 10 Elio Maldonado Batiz 2016-03-03 16:02:07 UTC

Created attachment 1132852 [details]
disable ssl2 suppport - libssl part

Comment 11 Elio Maldonado Batiz 2016-03-03 16:03:49 UTC

Created attachment 1132853 [details]
disable ssl2 support - test scripts part

Comment 12 Elio Maldonado Batiz 2016-03-03 16:07:52 UTC

Created attachment 1132855 [details]
Add "-c v " to tstclnt invocation for ocsp stapling tests and some SNI tests.

Comment 13 Elio Maldonado Batiz 2016-03-03 16:13:43 UTC

Created attachment 1132859 [details]
ensure in ssl stress tool invocation lower protocol in range is ssl3

don't rely on default for minimum wnich is currently ssl2

Comment 14 Elio Maldonado Batiz 2016-03-03 16:17:04 UTC

Created attachment 1132860 [details]
For ssl authentication tests ensure ssl3 is the minimum and not ssl2

Comment 15 Elio Maldonado Batiz 2016-03-03 16:18:35 UTC

Created attachment 1132861 [details]
nss.spec file changes - in patch format

Comment 19 errata-xmlrpc 2016-05-10 21:10:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0820.html

Note You need to log in before you can comment on or make changes to this bug.