Bug 1305779 - Weak ciphers and sslv3 on satellite
Status: CLOSED DUPLICATE of bug 1153826
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Security
Assigned To: satellite6-bugs
Katello QA List
: Security
Blocks: 1432305 sat6-poodle 1305938
Reported: 2016-02-09 03:51 EST by Abel Lopez
Modified: 2017-03-15 10:20 EDT
Doc Type: Bug Fix
Last Closed: 2016-06-27 08:15:34 EDT
Type: Bug
Description Abel Lopez 2016-02-09 03:51:13 EST
Description of problem:
Default httpd configs support SSLv3, which causes Satellite to get flagged by security auditors checking for SSLv3 POODLE.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Install satellite
2. Use any generic SSL checker

Actual results:
Red flag for potentially being vulnerable for having SSLv3, weak ciphers

Expected results:
Should be more secure

Additional info:
Had to edit /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf.d/25-puppet.conf
Comment 1 Kurt Seifried 2016-02-09 11:18:29 EST
This is Kurt from Product Security, just to let you know we're keeping an eye on this and I'll be talking to the Satellite 6 people about it. Thanks for reporting this!
Comment 2 Kurt Seifried 2016-02-09 13:03:21 EST
So for securing the SSL/TLS config a good resource is:


For Apache 2.4/OpenSSL 1.0.1e (RHEL7)

SSLProtocol             all -SSLv2 -SSLv3


SSLHonorCipherOrder     on
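
An added example, not part of the comment above and not Red Hat's code: a small auditor that resolves each SSLProtocol line into the protocols it actually enables and reports any that still allow SSLv2/SSLv3, plus a missing SSLHonorCipherOrder on. It assumes that "all" expands as on Apache 2.4 with OpenSSL 1.0.1 and that an unprefixed protocol name replaces the earlier ones; the sample configs are constructed.

```python
import re

# Assumption: on Apache 2.4 with OpenSSL 1.0.1 (the pairing named above),
# "all" stands for SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
KNOWN = ALL | {"sslv2"}
BROKEN = {"sslv2", "sslv3"}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|SSLHonorCipherOrder)\s+(.+?)\s*$", re.I)


def effective_protocols(args):
    """Resolve SSLProtocol arguments left to right into the enabled set."""
    enabled = set()
    for token in args.lower().split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):]
        if name != "all" and name not in KNOWN:
            raise ValueError(f"unknown protocol {token!r}")
        group = ALL if name == "all" else {name}
        if sign == "-":
            enabled = enabled - group
        elif sign == "+":
            enabled = enabled | group
        else:
            enabled = set(group)  # assumed: an unprefixed name replaces earlier ones
    return enabled


def audit(conf_text, source):
    """Return (source, line number, message) findings for one config file."""
    findings, honor_on = [], False
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out lines do not match
        if not m:
            continue
        if m.group(1).lower() == "sslprotocol":
            weak = sorted(effective_protocols(m.group(2)) & BROKEN)
            if weak:
                findings.append((source, lineno, "enables " + ", ".join(weak)))
        elif m.group(2).lower() == "on":
            honor_on = True
    if not honor_on:
        findings.append((source, 0, "SSLHonorCipherOrder is not on"))
    return findings


# Constructed sample inputs, not copied from a Satellite install.
BEFORE = "Listen 443\nSSLEngine on\nSSLProtocol all -SSLv2\n"
AFTER = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\nSSLHonorCipherOrder on\n"

if __name__ == "__main__":
    for name, text in (("before.conf", BEFORE), ("after.conf", AFTER)):
        print(name, audit(text, name) or "ok")
```

To check a real host, pass the contents of each file the reporter had to edit (/etc/httpd/conf.d/ssl.conf and /etc/httpd/conf.d/25-puppet.conf) to audit(); each file is judged on its own, so a directive inherited from another file is not seen.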
Comment 3 Kurt Seifried 2016-04-14 12:16:22 EDT
Docs on most of our SSL/TLS services and how to configure them:

Comment 4 Tomer Brisker 2016-06-27 08:15:34 EDT

*** This bug has been marked as a duplicate of bug 1153826 ***
