View Issue Details

ID: 0014407
Project: CentOS-7
Category: httpd
View Status: public
Last Update: 2018-01-24 17:13
Reporter: locnar1701
Priority: normal
Severity: tweak
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.4.1708
Target Version:
Fixed in Version:
Summary: 0014407: mod_ssl ships /etc/httpd/conf.d/ssl.conf without -SSLv3 (POODLE attack vulnerable by default)
Description: mod_ssl for CentOS 7 (current as of 23 Jan 2018) ships with "SSLProtocol all -SSLv2" by default, even after the POODLE attack was made public in 2014.

ssl.conf in /etc/httpd/conf.d should have the following line by default:

SSLProtocol all -SSLv2 -SSLv3
Steps To Reproduce:
# yum install mod_ssl from repo "updates"
Additional Information:
# yum info mod_ssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.dal10.us.leaseweb.net
 * epel: mirror.utexas.edu
 * extras: www.gtlib.gatech.edu
 * ius: dfw.mirror.rackspace.com
 * updates: repos-tx.psychz.net
Installed Packages
Name : mod_ssl
Arch : x86_64
Epoch : 1
Version : 2.4.6
Release : 67.el7.centos.6
Size : 224 k
Repo : installed
From repo : updates
Summary : SSL/TLS module for the Apache HTTP Server
URL : http://httpd.apache.org/
License : ASL 2.0
Description : The mod_ssl module provides strong cryptography for the Apache Web
            : server via the Secure Sockets Layer (SSL) and Transport Layer
            : Security (TLS) protocols.

# cat /etc/yum.repos.d/CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

Tags: security

Activities

TrevorH (manager), 2018-01-24 17:13, note ~0031016

The RHEL 7.5 beta release notes were just put up and one of the bullet points there is "To improve the security of SSL/TLS connections, the default configuration of the httpd mod_ssl module has been changed to disable support for the SSLv3 protocol, and to restrict the use of certain cryptographic cipher suites. This change will affect only fresh installations of the mod_ssl package, so existing users should manually change the SSL configuration as required."

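The check and the fix the report and the note above call for, as an added example written for this page (it is not CentOS, Red Hat or httpd code): a small POSIX shell helper that evaluates an SSLProtocol argument list with mod_ssl's own rules (a bare protocol name replaces the whole set, +name adds, -name removes, tokens are applied left to right), reads the active directive out of a config file, and appends -SSLv3 where it is missing. It assumes that "all" expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2, i.e. an OpenSSL build with SSLv2 compiled out but SSLv3 still present, which is exactly why "all -SSLv2" leaves SSLv3 reachable. The config stanza in the demo is constructed, and all function names are the example's own.

```shell
#!/bin/sh
# sslprotocol_check.sh: evaluate an httpd SSLProtocol directive the way
# mod_ssl does and report whether SSLv3 is left enabled.
# Example written for this report; not shipped with CentOS or httpd.

# Protocol bits.  ASSUMPTION: "all" expands to SSLv3 TLSv1 TLSv1.1 TLSv1.2,
# i.e. an OpenSSL build with no SSLv2 but with SSLv3 (the CentOS 7 case).
SSLV2=1; SSLV3=2; TLSV1=4; TLSV1_1=8; TLSV1_2=16; ALL=30

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# ssl_protocol_mask "all -SSLv2 -SSLv3"  ->  prints the resulting bitmask.
# mod_ssl rules: a bare name replaces the whole set, +name adds, -name
# removes, and tokens are applied left to right.
ssl_protocol_mask() {
    mask=0
    for tok in $1; do                       # unquoted on purpose: split on spaces
        case $tok in
            +*) sign='+'; name=${tok#+} ;;
            -*) sign='-'; name=${tok#-} ;;
            *)  sign='';  name=$tok ;;
        esac
        case $(lower "$name") in
            sslv2)   bit=$SSLV2 ;;
            sslv3)   bit=$SSLV3 ;;
            tlsv1)   bit=$TLSV1 ;;
            tlsv1.1) bit=$TLSV1_1 ;;
            tlsv1.2) bit=$TLSV1_2 ;;
            all)     bit=$ALL ;;
            *) echo "unknown SSLProtocol token: $tok" >&2; return 2 ;;
        esac
        case $sign in
            -) mask=$(( mask & ~bit )) ;;
            +) mask=$(( mask | bit )) ;;
            *) mask=$bit ;;
        esac
    done
    echo "$mask"
}

# sslv3_enabled "ARGS"  ->  exit 0 when SSLv3 stays enabled, 1 when not.
sslv3_enabled() {
    m=$(ssl_protocol_mask "$1") || return 2
    [ $(( m & SSLV3 )) -ne 0 ]
}

# effective_ssl_protocol FILE  ->  prints the argument list of the last
# uncommented SSLProtocol line, or "all" when there is none, since that
# is the built-in default of httpd 2.4.6 (comment lines start with '#').
effective_ssl_protocol() {
    awk 'tolower($1) == "sslprotocol" { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
         END { print (v == "" ? "all" : v) }' "$1"
}

# harden_ssl_protocol FILE  ->  append " -SSLv3" to every SSLProtocol line
# that does not already mention SSLv3.  Edits in place, keeps FILE.bak.
harden_ssl_protocol() {
    sed -i.bak -e '/^[[:space:]]*SSLProtocol[[:space:]]/{' \
               -e '/[Ss][Ss][Ll][Vv]3/!s/[[:space:]]*$/ -SSLv3/' \
               -e '}' "$1"
}

# Demo on a constructed stanza shaped like the shipped one (constructed
# sample, not the real /etc/httpd/conf.d/ssl.conf).
demo() {
    f=$(mktemp)
    printf '%s\n' \
        '<VirtualHost _default_:443>' \
        '#   SSL Protocol support:' \
        'SSLProtocol all -SSLv2' \
        '</VirtualHost>' > "$f"
    before=$(effective_ssl_protocol "$f")
    harden_ssl_protocol "$f"
    after=$(effective_ssl_protocol "$f")
    rm -f "$f" "$f.bak"
    for v in "$before" "$after"; do
        if sslv3_enabled "$v"; then state=enabled; else state=disabled; fi
        printf 'SSLProtocol %-22s -> SSLv3 %s\n' "$v" "$state"
    done
}

# Live check on a patched host (needs the -ssl3 option, present in the
# OpenSSL 1.0.2 shipped with CentOS 7; the handshake must be refused):
#   openssl s_client -connect localhost:443 -ssl3 < /dev/null
demo
```

Run it as a script to see the constructed stanza before and after. On a real host, point effective_ssl_protocol and harden_ssl_protocol at /etc/httpd/conf.d/ssl.conf, reload httpd, and confirm with the openssl s_client line in the comment that an SSLv3 handshake is refused; note that -SSLv2 in the shipped line is harmless but does nothing once OpenSSL has no SSLv2 at all, so it is -SSLv3 that actually changes the exposed protocol set.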
Issue History

Date Modified Username Field Change
2018-01-23 15:22 locnar1701 New Issue
2018-01-23 15:22 locnar1701 Tag Attached: security
2018-01-24 17:13 TrevorH Note Added: 0031016