Bug #2921
Protection against POODLE SSLv3 Vulnerability
Status: | CLOSED | Start date: | ||
---|---|---|---|---|
Priority: | High | Due date: | ||
Assignee: | - | % Done: | 100% | |
Category: | <multiple packages> | |||
Target version: | v6.5 | |||
Security class: | Resolution: | |||
Affected version: | v6.5 | NEEDINFO: | No |
Description
POODLE SSLv3 vulnerability has to be fixed on the following services:
ldapimap/popsmtpejabber- httpd
- httpd-admin
mysqlopenvpnipsec- ...
Edit
The vulnerability affects SSLv3-only hosts, or TLS hosts supporting protocol downgrade to SSLv3.
On the server side protocol downgrade is disabled since openssl-1.0.1e-30.el6_5.2.x86_64
release. Server restart is recommended.
Related issues
Associated revisions
httpd-admin configuration: fix POODLE vulnerability. Refs #2921
Enable only TLS v1 ciphers.
ssl.conf: fix POODLE vulnerability. Refs #2921
Disable SSLv3 protocol
ssl.conf: removed httpd/SSLv2 prop expansion. Refs #2921
- Removed httpd/SSLv2 prop from template and migration action
- Retained httpd/SSLCipherSuite prop: if set to empty string, Apache
defaults are applied.
Configuration DB: remove obsolete httpd/SSLv2 prop. Refs #2921
History
#1 Updated by Giacomo Sanchietti almost 7 years ago
See also https://access.redhat.com/solutions/1234843 for OpenLDAP and cups.But I'd rather not apply the stunell solution.
Regarding OpenLDAP, if clients are using TLS the problems does not exists (see: http://web.archiveorange.com/archive/v/rG8zFlv6OIly0DLZ7cT5).
CUPS should not be really a problem because no sensitive information is travelling between SSL clients and server.
#2 Updated by Davide Principi almost 7 years ago
- Description updated (diff)
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
Upgrading of clients is recommended. SSLv3 must not be used any more.
#3 Updated by Davide Principi almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (
Davide Principi) - % Done changed from 30 to 60
#4 Updated by Davide Principi almost 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-httpd-admin-1.3.2-1.1git6f5c747.ns6.noarch.rpm
nethserver-httpd-2.3.2-1.0git599d3b0f.ns6.noarch.rpm
#5 Updated by Giacomo Sanchietti almost 7 years ago
- Assignee set to Giacomo Sanchietti
#6 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 70 to 90
VERIFIED
BUT on migrated machines, the property SSLv2
is set to enabled, so SSLv2 and SSLv3 are still both enabled after the updated.
I propose to get rid of SSLv2 option (even from defaults and migration).
Before update (same results on port 980 and 443):
[giacomo@giacomo rpms]$ openssl s_client -connect 192.168.5.246:443 -ssl3 CONNECTED(00000003) depth=0 C = --, ST = SomeState, L = Hometown, O = Example Org, OU = Main, CN = localhost.localdomain, emailAddress = admin@localhost.localdomain verify error:num=18:self signed certificate verify return:1 depth=0 C = --, ST = SomeState, L = Hometown, O = Example Org, OU = Main, CN = localhost.localdomain, emailAddress = admin@localhost.localdomain verify return:1 --- Certificate chain 0 s:/C=--/ST=SomeState/L=Hometown/O=Example Org/OU=Main/CN=localhost.localdomain/emailAddress=admin@localhost.localdomain i:/C=--/ST=SomeState/L=Hometown/O=Example Org/OU=Main/CN=localhost.localdomain/emailAddress=admin@localhost.localdomain --- Server certificate -----BEGIN CERTIFICATE----- MIIDFTCCAn6gAwIBAgIEU04zgjANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMC LS0xEjAQBgNVBAgMCVNvbWVTdGF0ZTERMA8GA1UEBwwISG9tZXRvd24xFDASBgNV BAoMC0V4YW1wbGUgT3JnMQ0wCwYDVQQLDARNYWluMR4wHAYDVQQDDBVsb2NhbGhv c3QubG9jYWxkb21haW4xKjAoBgkqhkiG9w0BCQEWG2FkbWluQGxvY2FsaG9zdC5s b2NhbGRvbWFpbjAeFw0xNDA0MTYwNzM4NDJaFw0yNDA0MTMwNzM4NDJaMIGlMQsw CQYDVQQGEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYDVQQHDAhIb21ldG93 bjEUMBIGA1UECgwLRXhhbXBsZSBPcmcxDTALBgNVBAsMBE1haW4xHjAcBgNVBAMM FWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEqMCgGCSqGSIb3DQEJARYbYWRtaW5AbG9j YWxob3N0LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1 AtZsOtTzk4JPu3jCcPISAHgfEkZio04DXkLPJJlEzUREGjcECtSlOMwKB8yZYZDu 9ZnCzeSQF/bk2UwbD88BM0ofG+xeojUCAPZLRu9zndTDm5zyyn53dmhshmSOQnK0 +qMBX2zXTjZxXnCwfRYD+s1pQL8o/98OsUeeIxQKawIDAQABo1AwTjAdBgNVHQ4E FgQURLKkOr3ayUuqKoDpMPPYr52N/fwwHwYDVR0jBBgwFoAURLKkOr3ayUuqKoDp MPPYr52N/fwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAEEw8JhcGI 0wtRm8HYrLb24O2htixwOA13GiOlnJSKEseE5H8orQnGgyJaM+berAG2l9TUi6I8 AvPmD3+Spl8Y3fmmUUzc5LF0Je5/TR9hNfOEMAxUuqfu1vDWsX8wVu1KMtJ1bQvS 3b/85KO1GvAHpP6ZRZWXcOwYePk7/n3HAw== -----END CERTIFICATE----- subject=/C=--/ST=SomeState/L=Hometown/O=Example Org/OU=Main/CN=localhost.localdomain/emailAddress=admin@localhost.localdomain issuer=/C=--/ST=SomeState/L=Hometown/O=Example Org/OU=Main/CN=localhost.localdomain/emailAddress=admin@localhost.localdomain --- No client certificate CA names sent --- SSL handshake has read 1380 bytes and written 338 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : DHE-RSA-AES256-SHA Session-ID: 3C712467F73B8D684553D9D12E84EFD498A1BFBF225ECB7D887AAF66C4B56884 Session-ID-ctx: Master-Key: 207309B25AC231DCE66FD8D9C1647E750A2D3A0DAAC039BE0F1E7D948577CE8C36F43FF4440620864D82C95DDC121622 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1413819513 Timeout : 7200 (sec) Verify return code: 18 (self signed certificate) ---
After updates:
[giacomo@giacomo rpms]$ openssl s_client -connect 192.168.5.246:443 -ssl3 CONNECTED(00000003) 139773201012608:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40 139773201012608:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1413819531 Timeout : 7200 (sec) Verify return code: 0 (ok) ---
#7 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from VERIFIED to ON_QA
- % Done changed from 90 to 70
#8 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
#9 Updated by Giacomo Sanchietti almost 7 years ago
- get rid of SSLv2 property: delete it from defaults and migration
- create a static template fragment for SSLProtocols
- disable both SSLv2 and SSLv3 protocols
#10 Updated by Davide Principi almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#11 Updated by Davide Principi almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (
Davide Principi) - % Done changed from 30 to 60
#12 Updated by Davide Principi almost 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:nethserver-httpd-2.3.2-2.0gitaca8d70d.ns6.noarch.rpm
nethserver-httpd-2.3.2-3.0git998e1b04.ns6.noarch.rpm
NOTE for Packager / Release
SSL connections from IE6 browser on Windows XP are not supported!
#13 Updated by Giacomo Sanchietti almost 7 years ago
- Assignee set to Giacomo Sanchietti
#14 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 70 to 90
VERIFIED with new implementation:
[root@mail ~]# grep SSLProtocol /etc/httpd/conf.d/ssl.conf SSLProtocol All -SSLv2 -SSLv3 [root@mail ~]# config getprop httpd SSLv2 [root@mail ~]#
#15 Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-httpd-admin-1.3.3-1.ns6.noarch.rpm
nethserver-httpd-2.3.3-1.ns6.noarch.rpm
See also, ML announce
#16 Updated by Davide Principi almost 6 years ago
- Related to Enhancement #3246: Upgrade SSL/TLS defaults on 6.7 added