Bug 1566124 - mod_ssl recommends RC4 against upstream advice
Summary: mod_ssl recommends RC4 against upstream advice
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: httpd
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Luboš Uhliarik
QA Contact: BaseOS QE - Apps
Depends On:
Reported: 2018-04-11 14:54 UTC by ripleymj
Modified: 2020-10-15 12:54 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-10-15 12:54:45 UTC
Target Upstream Version:


Description ripleymj 2018-04-11 14:54:51 UTC
Description of problem:
The default /etc/httpd/conf.d/ssl.conf contains a section on "Speed-optimized SSL Cipher configuration" which recommends prioritizing RC4 and SHA1. This was removed upstream in 2015 but never backported. As this would only affect new installs and not change behavior of existing installs, it seems to be a very safe change to make.

I had opened this as 1428434, which was closed as a duplicate of 1274890, though that was not really accurate. The original bug was against RHEL 7.3, so I'm attempting this again for 7.5.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install mod_ssl package

Actual results:
Receive unsafe advice

Expected results:
Receive sensible advice

Additional info:
Upstream commit: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?r1=1634736&r2=1679428
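As an added example (not part of this bug report and not code from the httpd package), the check below scans an httpd ssl.conf for an active, uncommented SSLCipherSuite that still enables RC4, which is what a site ends up with if it follows the old "Speed-optimized" comment block. It runs over two constructed snippets: one modeled on that advice, one using an explicit list that excludes RC4. The function names, the temp-file paths and the sample directives are assumptions for the demo; on RHEL 8 the shipped ssl.conf instead defers to the system-wide policy with `SSLCipherSuite PROFILE=SYSTEM` (a Red Hat addition), which this check also treats as clean.

```shell
#!/bin/sh
# Added example: audit an httpd ssl.conf for an active SSLCipherSuite that
# enables RC4. Comment lines are ignored, and negated tokens such as "!RC4"
# or "-RC4" are not counted as enabling the cipher.

# Constructed sample 1 (assumption for the demo): a config that followed the
# old "Speed-optimized" advice and uncommented the RC4-first cipher list.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
#   Speed-optimized SSL Cipher configuration (old advice, now active):
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on
EOF

# Constructed sample 2 (assumption for the demo): an explicit list that
# excludes RC4. The commented PROFILE=SYSTEM line shows the RHEL 8 approach
# of deferring to the system-wide crypto policy instead of naming ciphers.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
# On RHEL 8 use the system policy instead:
# SSLCipherSuite PROFILE=SYSTEM
EOF

# Print the values of every active (uncommented) SSLCipherSuite or
# SSLProxyCipherSuite directive in the file given as $1.
active_cipher_suites() {
    grep -Ei '^[[:space:]]*SSL(Proxy)?CipherSuite[[:space:]]' "$1" \
        | sed -E 's/^[[:space:]]*SSL(Proxy)?CipherSuite[[:space:]]+//'
}

# Print the cipher tokens of $1 that enable RC4. Tokens starting with "!" or
# "-" remove ciphers from the list, so they are skipped.
rc4_tokens() {
    active_cipher_suites "$1" | tr ':' '\n' | grep -Ev '^[!-]' | grep -i 'RC4' || true
}

# Exit status 0 when no active directive enables RC4, 1 otherwise.
check_cipher_config() {
    found=$(rc4_tokens "$1")
    if [ -n "$found" ]; then
        echo "WEAK: $1 enables RC4 via: $(printf '%s' "$found" | tr '\n' ' ')"
        return 1
    fi
    echo "OK: $1 has no active RC4 cipher"
    return 0
}

# Stand-alone usage: report on both constructed files.
check_cipher_config "$WEAK_CONF" || :
check_cipher_config "$FIXED_CONF" || :
```

Pointing `check_cipher_config` at a real /etc/httpd/conf.d/ssl.conf gives a quick yes/no on whether the old advice was ever acted on; the sample files are created with mktemp so the block leaves nothing behind once they are removed.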

Comment 2 Joe Orton 2020-10-15 12:54:45 UTC
Thanks for the feedback.  We don't plan to change the default configuration within the RHEL 7 release.  The issue with recommendations about cipher choices evolving (and becoming outdated, as you suggest) during the RHEL lifecycle has been resolved in RHEL 8.  In RHEL8, the mod_ssl default configuration no longer suggests any particular cipher and instead defers to the system crypto profile definitions.

FYI: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
