[Bug 693479] New: Harden SSL cipher suites strength and SSL protocol support of /etc/apache2/vhosts.d/vhost-ssl.template
https://bugzilla.novell.com/show_bug.cgi?id=693479#c0

           Summary: Harden SSL cipher suites strength and SSL protocol support of /etc/apache2/vhosts.d/vhost-ssl.template
    Classification: openSUSE
           Product: openSUSE 11.4
           Version: Final
          Platform: i586
        OS/Version: openSUSE 11.4
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: Apache
        AssignedTo: bnc-team-apache@forge.provo.novell.com
        ReportedBy: adimcev@carbonwind.net
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Testing the default configuration of the SSL part (including mod_ssl) of Apache2 on openSUSE 11.4 (i586, DVD install), it was noted that the default /etc/apache2/vhosts.d/vhost-ssl.template configuration regarding SSL cipher suite strength and SSL protocol support is pretty bad: SSL 2.0 is enabled, and weak cipher suites (DES based) and export cipher suites (including RC2 based ones) are enabled.
-> These should be disabled by default.

Test results: http://www.carbonwind.net/blog/post/On-scope-default-SSLTLS-settings-shipped...

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
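For reference, the kind of change the report asks for, shown as an added example of a mod_ssl vhost fragment. This is not the content of the openSUSE 11.4 vhost-ssl.template nor of the fix submitted in the build service request; the "weak" lines are a constructed illustration of the behaviour the report describes (SSL 2.0 reachable, LOW and EXPORT suites such as DES and RC2 offered), and the "hardened" lines are the editor's suggestion. Only one of the two sets of directives would be active in a real vhost.

```apache
# ---- Constructed weak settings (illustrative; assumption, not the shipped template) ----
# "all" leaves SSL 2.0 negotiable, and a cipher string built with +LOW/+EXP/+SSLv2
# keeps single-DES, export-grade RC2/RC4/DES and the SSLv2-only suites on offer.
#SSLEngine on
#SSLProtocol all
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

# ---- Hardened settings (editor's suggestion) ----
SSLEngine on

# Drop SSL 2.0 (prohibited by RFC 6176) and SSL 3.0; only TLS remains.
SSLProtocol all -SSLv2 -SSLv3

# Start from HIGH and explicitly exclude anonymous (aNULL), NULL-encryption (eNULL),
# export (EXP), low-strength (LOW, which covers single DES and RC2), MD5, RC4 and 3DES.
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4:!3DES

# Let the server, not the client, pick the first mutually supported suite.
SSLHonorCipherOrder on
```

To see exactly what a cipher string expands to on the OpenSSL build in use, run `openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4:!3DES'` and confirm no line mentions DES, RC2, RC4, EXP or NULL. On current Apache 2.4 builds against a modern OpenSSL the SSLv2 suites no longer exist at all, and the stricter `SSLProtocol -all +TLSv1.2 +TLSv1.3` (TLSv1.3 keyword needs 2.4.36 or later) is the better choice; the form above is the minimal change that also applies to the 2.2-era servers this bug concerns.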
https://bugzilla.novell.com/show_bug.cgi?id=693479#c1

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2011-05-13 10:19:18 CEST ---
Yes. The next openSUSE will come with a better default config.
https://build.opensuse.org/request/show/66521
https://bugzilla.novell.com/show_bug.cgi?id=693479#c2

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |DUPLICATE

--- Comment #2 from Ludwig Nussel <lnussel@novell.com> 2011-05-13 10:48:42 CEST ---
Actually a dup of bug 688472 which is scheduled to be fixed for sle10 and sle11 with the next apache update.

Just realizing that you are the author of the blog post I have a question too. What did you mean by "Suse Linux Enterprise Server 11 SP1 fails to ship a proper SSL/TLS sample configuration."? Later on in the post you wrote "Did not encounter major issues either in quickly have a default SSL site up and running on Suse Linux Enterprise Server 11 SP1."

*** This bug has been marked as a duplicate of bug 688472 ***
http://bugzilla.novell.com/show_bug.cgi?id=688472
https://bugzilla.novell.com/show_bug.cgi?id=693479#c3

--- Comment #3 from Adrian Dimcev <adimcev@carbonwind.net> 2011-05-13 12:27:50 UTC ---
"Suse Linux Enterprise Server 11 SP1 fails to ship a proper SSL/TLS sample configuration."
-> in the context of "The results are somehow mixed."
-> where results = "Specifically basic settings were verified, nothing really advanced; the SSL/TLS protocols enabled by default (SSL 2.0 to be disabled as per RFC 6176), cipher suites enabled by default (if any weak or export cipher suites are enabled), secure renegotiation patch support and the underlying OpenSSL version shipped with the OS."

"Did not encounter major issues either in quickly have a default SSL site up and running on Suse Linux Enterprise Server 11 SP1."
-> a few words mentioning that for the test's needed functionality (have a default HTTPS web site up and running, point the scanner against it and obtain the results) no issues were encountered and the setup was easy.

So basically it's easy to have a default HTTPS web site up and running, but in terms of SSL protocol version and cipher suites support the default configuration is inappropriate.

Thanks,
Adrian
https://bugzilla.novell.com/show_bug.cgi?id=693479#c4

--- Comment #4 from Ludwig Nussel <lnussel@novell.com> 2011-05-13 14:54:43 CEST ---
Ah. The "fails to ship a proper SSL/TLS sample configuration." could be misunderstood as "doesn't ship a usable config". No doubt about the weird settings it contains though. We'll fix that.
https://bugzilla.novell.com/show_bug.cgi?id=693479#c5

--- Comment #5 from Adrian Dimcev <adimcev@carbonwind.net> 2011-05-13 13:03:27 UTC ---
Sorry for the confusion, I've changed that blog entry line to:
"Suse Linux Enterprise Server 11 SP1 fails to ship a proper SSL/TLS sample configuration in terms of SSL protocol cipher suites support (SSL 2.0 was enabled, as well as weak/export cipher suites)."

If it's still misleading please let me know.

Thanks,
Adrian
https://bugzilla.novell.com/show_bug.cgi?id=693479#c6

--- Comment #6 from Ludwig Nussel <lnussel@novell.com> 2011-05-13 15:12:03 CEST ---
Thanks!
https://bugzilla.novell.com/show_bug.cgi?id=693479#c7

Roman Drahtmueller <draht@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |draht@novell.com

--- Comment #7 from Roman Drahtmueller <draht@novell.com> 2011-06-28 03:12:31 UTC ---
Dupe to bnc#688472; for reference: package submitted with corresponding fix also to SLE11-SP1,2 in cumulative update with libapr1 and libapr-util1.

Dear security-team, please reassign to maint-coord@suse.de if applicable to coordinate the cumulative update.
https://bugzilla.novell.com/show_bug.cgi?id=693479#c8

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |maint:released:sle11-sp1:43888

--- Comment #8 from Swamp Workflow Management <swamp@suse.de> 2011-11-04 04:16:37 UTC ---
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker

Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
participants (1): bugzilla_noreply@novell.com