1795550 – [installer][insights] This host is running httpd with SSLv3.0 enabled and is therefore vulnerable to POODLE / CVE-2014-3566

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1795550 - [installer][insights] This host is running httpd with SSLv3.0 enabled and is therefore vulnerable to POODLE / CVE-2014-3566

Summary: [installer][insights] This host is running httpd with SSLv3.0 enabled and is ...

Keywords:
Status:	CLOSED DUPLICATE of bug 1640137
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Installation
Sub Component:
Version:	6.6.0
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	Unspecified
Assignee:	Eric Helms
QA Contact:	Devendra Singh
Docs Contact:
URL:
Whiteboard:
Depends On:	1640137
Blocks:
TreeView+	depends on / blocked

Reported:	2020-01-28 09:50 UTC by Andreas Bleischwitz
Modified:	2020-08-18 17:09 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-03-23 12:56:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	29244	0	Normal	Rejected	[installer][insights] This host is running httpd with SSLv3.0 enabled and is therefore vulnerable to POODLE / CVE-2014-3...	2020-08-18 18:59:32 UTC

Description Andreas Bleischwitz 2020-01-28 09:50:09 UTC

Description of problem:
Fresh installation of a RHEL-7.7/Satellite 6.6.1 reports SSLv3.0 enabled

Version-Release number of selected component (if applicable):
satellite-installer-6.6.0.21-1.el7sat.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL-7.7/latest Satellite
2. Register insights-client
3. See reports on cloud.redhat.com/insights

Actual results:
"This host is running httpd with SSLv3.0 enabled and is therefore vulnerable to POODLE / CVE-2014-3566" reported by insights rules

Expected results:
Apache's TLS configuration should be limited to TLS-1.2 connections only.

Additional info:

Comment 7 Evgeni Golov 2020-01-31 11:45:17 UTC

The issue is that we don't set a default for "server_ssl_protocol" in https://github.com/theforeman/puppet-foreman/blob/9c1787ad19b2cae407b25958095ecbf78757a959/manifests/params.pp#L154 and the Apache default in RHEL7 is still "all" (not "all -SSLv3" as in newer versions).
As we still want to support EL5 clients (for now), we should probably set this to "all -SSLv3" for now as EL5 needs TLSv1.0 support :/

Comment 8 Eric Helms 2020-03-02 18:58:00 UTC

Created redmine issue https://projects.theforeman.org/issues/29244 from this bug

Comment 9 Bryan Kearney 2020-03-02 19:01:43 UTC

Upstream bug assigned to ehelms

Comment 10 Bryan Kearney 2020-03-02 19:01:44 UTC

Upstream bug assigned to ehelms

Comment 11 Eric Helms 2020-03-03 12:50:24 UTC

The SSL protocol is set at the Apache wide level and not per vhost.

[root@dhcp-1 ~]# grep -r SSLProtocol /etc/httpd/
/etc/httpd/conf.d/ssl.conf:  SSLProtocol all -SSLv2 -SSLv3

Comment 12 Andreas Bleischwitz 2020-03-04 08:45:10 UTC

@Eric,

I used a fresh installed RHEL7 machine and installed Satellite on it - without any tweaking. I unfortunately had to remove this machine after some time, but the result had been that SSLv3 was still enabled. That is why Insights was complaining about it.

I will try to re-validate on a fresh install and provide the output of your grep command.

Comment 14 Andreas Bleischwitz 2020-03-04 13:36:37 UTC

@Eric,

I took a look at my fresh installed Satellite and it reported the SSLv3 (POODLE) within Insights - implying that SSLv3 is still in use.

[root@sat6-test ~]# grep -r SSLProtocol /etc/httpd/
/etc/httpd/conf.d/ssl.conf:  SSLProtocol all -SSLv2 -SSLv3
[root@sat6-test ~]#

After I added the SSLProtocol setting to the vhost, Insights at least did no longer mention SSLv3, but complained about TLS1.0 - which is expected.

# grep -r SSLProtocol /etc/httpd/
/etc/httpd/conf.d/ssl.conf:  SSLProtocol all -SSLv2 -SSLv3
/etc/httpd/conf.d/05-foreman-ssl.conf:  SSLProtocol all -SSLv2 -SSLv3
[root@sat6-test ~]#

Are you sure that the ssl.conf is taken into account for all vhosts? The tests do not really reflect this.

Comment 17 Eric Helms 2020-03-23 12:56:31 UTC


*** This bug has been marked as a duplicate of bug 1640137 ***

Note You need to log in before you can comment on or make changes to this bug.