Bug #2921

Protection against POODLE SSLv3 Vulnerability

Added by Davide Principi almost 5 years ago. Updated almost 5 years ago.

Status:CLOSEDStart date:
Priority:HighDue date:
Assignee:-% Done:

100%

Category:<multiple packages>
Target version:v6.5
Security class: Resolution:
Affected version:v6.5 NEEDINFO:No

Description

POODLE SSLv3 vulnerability has to be fixed on the following services:

  • ldap
  • imap/pop
  • smtp
  • ejabber
  • httpd
  • httpd-admin
  • mysql
  • openvpn
  • ipsec
  • ...
All background informations are available from:

Edit
The vulnerability affects SSLv3-only hosts, or TLS hosts supporting protocol downgrade to SSLv3.

On the server side protocol downgrade is disabled since openssl-1.0.1e-30.el6_5.2.x86_64 release. Server restart is recommended.


Related issues

Related to NethServer 6 - Enhancement #3246: Upgrade SSL/TLS defaults on 6.7 CLOSED

Associated revisions

Revision 6f5c747a
Added by Davide Principi almost 5 years ago

httpd-admin configuration: fix POODLE vulnerability. Refs #2921

Enable only TLS v1 ciphers.

Revision 599d3b0f
Added by Davide Principi almost 5 years ago

ssl.conf: fix POODLE vulnerability. Refs #2921

Disable SSLv3 protocol

Revision aca8d70d
Added by Davide Principi almost 5 years ago

ssl.conf: removed httpd/SSLv2 prop expansion. Refs #2921

  • Removed httpd/SSLv2 prop from template and migration action
  • Retained httpd/SSLCipherSuite prop: if set to empty string, Apache
    defaults are applied.

Revision 998e1b04
Added by Davide Principi almost 5 years ago

Configuration DB: remove obsolete httpd/SSLv2 prop. Refs #2921

History

#1 Updated by Giacomo Sanchietti almost 5 years ago

Add to the list:

See also https://access.redhat.com/solutions/1234843 for OpenLDAP and cups.But I'd rather not apply the stunell solution.
Regarding OpenLDAP, if clients are using TLS the problems does not exists (see: http://web.archiveorange.com/archive/v/rG8zFlv6OIly0DLZ7cT5).
CUPS should not be really a problem because no sensitive information is travelling between SSL clients and server.

#2 Updated by Davide Principi almost 5 years ago

  • Description updated (diff)
  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

Upgrading of clients is recommended. SSLv3 must not be used any more.

#3 Updated by Davide Principi almost 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case

Execute the test as described here

https://access.redhat.com/articles/1232123

#4 Updated by Davide Principi almost 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-httpd-admin-1.3.2-1.1git6f5c747.ns6.noarch.rpm
nethserver-httpd-2.3.2-1.0git599d3b0f.ns6.noarch.rpm

#5 Updated by Giacomo Sanchietti almost 5 years ago

  • Assignee set to Giacomo Sanchietti

#6 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

VERIFIED

BUT on migrated machines, the property SSLv2 is set to enabled, so SSLv2 and SSLv3 are still both enabled after the updated.
I propose to get rid of SSLv2 option (even from defaults and migration).

Before update (same results on port 980 and 443):

[giacomo@giacomo rpms]$ openssl s_client -connect 192.168.5.246:443 -ssl3
CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = Hometown, O = Example Org, OU = Main, CN = localhost.localdomain, emailAddress = admin@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = SomeState, L = Hometown, O = Example Org, OU = Main, CN = localhost.localdomain, emailAddress = admin@localhost.localdomain
verify return:1
---
Certificate chain
 0 s:/C=--/ST=SomeState/L=Hometown/O=Example Org/OU=Main/CN=localhost.localdomain/emailAddress=admin@localhost.localdomain
   i:/C=--/ST=SomeState/L=Hometown/O=Example Org/OU=Main/CN=localhost.localdomain/emailAddress=admin@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDFTCCAn6gAwIBAgIEU04zgjANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC
LS0xEjAQBgNVBAgMCVNvbWVTdGF0ZTERMA8GA1UEBwwISG9tZXRvd24xFDASBgNV
BAoMC0V4YW1wbGUgT3JnMQ0wCwYDVQQLDARNYWluMR4wHAYDVQQDDBVsb2NhbGhv
c3QubG9jYWxkb21haW4xKjAoBgkqhkiG9w0BCQEWG2FkbWluQGxvY2FsaG9zdC5s
b2NhbGRvbWFpbjAeFw0xNDA0MTYwNzM4NDJaFw0yNDA0MTMwNzM4NDJaMIGlMQsw
CQYDVQQGEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYDVQQHDAhIb21ldG93
bjEUMBIGA1UECgwLRXhhbXBsZSBPcmcxDTALBgNVBAsMBE1haW4xHjAcBgNVBAMM
FWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEqMCgGCSqGSIb3DQEJARYbYWRtaW5AbG9j
YWxob3N0LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1
AtZsOtTzk4JPu3jCcPISAHgfEkZio04DXkLPJJlEzUREGjcECtSlOMwKB8yZYZDu
9ZnCzeSQF/bk2UwbD88BM0ofG+xeojUCAPZLRu9zndTDm5zyyn53dmhshmSOQnK0
+qMBX2zXTjZxXnCwfRYD+s1pQL8o/98OsUeeIxQKawIDAQABo1AwTjAdBgNVHQ4E
FgQURLKkOr3ayUuqKoDpMPPYr52N/fwwHwYDVR0jBBgwFoAURLKkOr3ayUuqKoDp
MPPYr52N/fwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAEEw8JhcGI
0wtRm8HYrLb24O2htixwOA13GiOlnJSKEseE5H8orQnGgyJaM+berAG2l9TUi6I8
AvPmD3+Spl8Y3fmmUUzc5LF0Je5/TR9hNfOEMAxUuqfu1vDWsX8wVu1KMtJ1bQvS
3b/85KO1GvAHpP6ZRZWXcOwYePk7/n3HAw==
-----END CERTIFICATE-----
subject=/C=--/ST=SomeState/L=Hometown/O=Example Org/OU=Main/CN=localhost.localdomain/emailAddress=admin@localhost.localdomain
issuer=/C=--/ST=SomeState/L=Hometown/O=Example Org/OU=Main/CN=localhost.localdomain/emailAddress=admin@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1380 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 3C712467F73B8D684553D9D12E84EFD498A1BFBF225ECB7D887AAF66C4B56884
    Session-ID-ctx: 
    Master-Key: 207309B25AC231DCE66FD8D9C1647E750A2D3A0DAAC039BE0F1E7D948577CE8C36F43FF4440620864D82C95DDC121622
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1413819513
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---

After updates:

[giacomo@giacomo rpms]$ openssl s_client -connect 192.168.5.246:443 -ssl3
CONNECTED(00000003)
139773201012608:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139773201012608:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1413819531
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

#7 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from VERIFIED to ON_QA
  • % Done changed from 90 to 70

#8 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

#9 Updated by Giacomo Sanchietti almost 5 years ago

New implementation:
  • get rid of SSLv2 property: delete it from defaults and migration
  • create a static template fragment for SSLProtocols
  • disable both SSLv2 and SSLv3 protocols

#10 Updated by Davide Principi almost 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#11 Updated by Davide Principi almost 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

#12 Updated by Davide Principi almost 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-httpd-2.3.2-2.0gitaca8d70d.ns6.noarch.rpm
nethserver-httpd-2.3.2-3.0git998e1b04.ns6.noarch.rpm

NOTE for Packager / Release

SSL connections from IE6 browser on Windows XP are not supported!

#13 Updated by Giacomo Sanchietti almost 5 years ago

  • Assignee set to Giacomo Sanchietti

#14 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

VERIFIED with new implementation:

[root@mail ~]# grep SSLProtocol /etc/httpd/conf.d/ssl.conf 
SSLProtocol All -SSLv2 -SSLv3

[root@mail ~]# config getprop httpd SSLv2
[root@mail ~]# 

#15 Updated by Davide Principi almost 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-httpd-admin-1.3.3-1.ns6.noarch.rpm
nethserver-httpd-2.3.3-1.ns6.noarch.rpm

See also, ML announce

#16 Updated by Davide Principi about 4 years ago

Also available in: Atom PDF