1320566 – Patches enabling TLSv1.2 accidentally enabled SSLv3

Bug 1320566 - Patches enabling TLSv1.2 accidentally enabled SSLv3

Summary: Patches enabling TLSv1.2 accidentally enabled SSLv3

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	stunnel
Sub Component:
Version:	6.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-03-23 14:02 UTC by Stefan Kremen
Modified:	2016-03-23 14:13 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-03-23 14:13:19 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Stefan Kremen 2016-03-23 14:02:34 UTC

Description of problem:
In stunnel-4.29-3.el6_6.1 in default configuration, when Server Hello advertises SSL 3.0 only, stunnel replies with "Handshake Failure" and rejects the connection.
Now in stunnel-4.29-6.el6 in default configuration stunnel accepts SSL 3.0 which is insecure.

Version-Release number of selected component (if applicable):
stunnel-4.29-6.el6

How reproducible:
always

Steps to Reproduce:
1. configure stunnel without sslVersion directive in stunnel.conf
2. configure "openssl s_server" with "-ssl3" option

Actual results:
Connection from stunnel to s_server established

Expected results:
Connection from stunnel to s_server rejected

Additional info:

Comment 1 Tomas Mraz 2016-03-23 14:13:19 UTC

The change was not accidental. This is fix for bug 1215707.

Note You need to log in before you can comment on or make changes to this bug.