Univention Bugzilla – Bug 36232
apache: SSL3 protocol attack (4.0)
Last modified: 2015-01-13 11:26:22 CET
+++ This bug was initially created as a clone of Bug #36173 +++
We should raise the minimum TLS version used by Apache to 1.0. Browsers which don't even support TLS are incompatible with the UMC and every other web application offered in the App Center.
=> merge changes to UCS 4.0
Since the changes have not been merged, SSLv3 is back in UCS 4.0:
> openssl s_client -connect 10.200.30.21:443 -ssl3
> ...
> SSL handshake has read 3405 bytes and written 288 bytes
> ...
> SSL-Session:
>     Protocol : SSLv3
>     Cipher : ECDHE-RSA-AES256-SHA
> ...
A system with 3.2-x and errata 225 returns a handshake failure to the command above, which is the desired behaviour.
The changes have been partially merged into UCS 4.0 in revision 57253. I've dropped the UCR variable apache2/ssl/v2; in Wheezy/UCS 4.0 it is no longer possible to enable SSLv2 since it is no longer enabled in OpenSSL. As such, enabling it would require a rebuild of OpenSSL.
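The two checks discussed in the comments above (does the Apache protocol setting still allow SSLv3, and does a live server still complete an `openssl s_client -ssl3` handshake) as an added example. This is not UCS code and not part of the bug's attachments: it assumes the Apache-side knob is mod_ssl's `SSLProtocol` directive, models that directive's parsing as I understand it (`+name` adds, `-name` removes, a bare name replaces what was selected so far), assumes `all` expands to SSLv3 plus the TLS versions (SSLv2 is left out because the OpenSSL in Wheezy/UCS 4.0 is built without it, as the comment above notes), and the `openssl s_client` transcripts are constructed to look like the accepted and refused cases, not captured from a real host.

```python
"""Added example: spot SSLv3 being re-enabled, statically from an Apache
SSLProtocol line and dynamically from openssl s_client output.

The SSLProtocol semantics below are this example's model of mod_ssl's
parser (an assumption), not code from UCS or Apache.
"""
import re
import subprocess

# Assumption: what "all" expands to. SSLv2 is omitted because the OpenSSL
# shipped with Wheezy/UCS 4.0 has no SSLv2 support compiled in.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN_PROTOCOLS = ALL_PROTOCOLS + ("SSLv2",)


def parse_ssl_protocol(directive):
    """Return the set of protocols an `SSLProtocol ...` line enables.

    Modelled on mod_ssl: '+name' adds, '-name' removes, and a bare name
    *replaces* everything selected so far. That last rule is the classic
    trap: 'SSLProtocol TLSv1 TLSv1.1 TLSv1.2' ends up enabling only TLSv1.2.
    """
    words = directive.split()
    if words and words[0].lower() == "sslprotocol":
        words = words[1:]
    enabled = set()
    for word in words:
        action = ""
        if word[:1] in ("+", "-"):
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "all":
            chosen = set(ALL_PROTOCOLS)
        else:
            chosen = {p for p in KNOWN_PROTOCOLS if p.lower() == key}
            if not chosen:
                raise ValueError("unknown protocol %r" % word)
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled


def sslv3_enabled(directive):
    """True when the directive still leaves SSLv3 negotiable."""
    return "SSLv3" in parse_ssl_protocol(directive)


def negotiated_protocol(s_client_output):
    """Parse `openssl s_client` output into the negotiated protocol, or None
    when the server refused the handshake.

    Caveat: on a refused handshake s_client still prints 'Protocol : SSLv3'
    in the SSL-Session block, so the Protocol line alone is not evidence of
    success; the alert and the all-zero cipher are.
    """
    if "handshake failure" in s_client_output.lower():
        return None
    protocol = re.search(r"^\s*Protocol\s*:\s*(\S+)", s_client_output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_output, re.M)
    if not protocol or not cipher or cipher.group(1) == "0000":
        return None
    return protocol.group(1)


def probe(host, port=443, flag="-ssl3", timeout=10):
    """Run openssl s_client against a live host (network required; the local
    openssl must still accept the requested protocol flag)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", "%s:%d" % (host, port), flag],
        input=b"", capture_output=True, timeout=timeout)
    return negotiated_protocol((proc.stdout + proc.stderr).decode("utf-8", "replace"))


# Constructed transcripts (not captured from a real host), shaped like the
# two outcomes described in the bug: an unfixed server completing SSLv3 ...
SAMPLE_SSLV3_ACCEPTED = """CONNECTED(00000003)
SSL handshake has read 3405 bytes and written 288 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
"""
# ... and a fixed server answering with a handshake_failure alert (number 40).
SAMPLE_SSLV3_REFUSED = """CONNECTED(00000003)
140735218426704:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""

if __name__ == "__main__":
    for line in ("SSLProtocol all -SSLv2",              # SSLv3 still on
                 "SSLProtocol all -SSLv2 -SSLv3",       # fixed
                 "SSLProtocol TLSv1 TLSv1.1 TLSv1.2"):  # bare names override
        print("%-38s -> %s" % (line, sorted(parse_ssl_protocol(line))))
    print("accepted:", negotiated_protocol(SAMPLE_SSLV3_ACCEPTED))
    print("refused: ", negotiated_protocol(SAMPLE_SSLV3_REFUSED))
```

`probe("10.200.30.21")` would reproduce the check from the comment above; it needs an OpenSSL build that still understands `-ssl3` (1.1.0 and later are usually built without SSLv3, in which case s_client rejects the option before connecting). The offline functions are the part worth keeping in a regression test: `sslv3_enabled()` on the rendered Apache config and `negotiated_protocol()` on the captured s_client output.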
YAML file: 2015-01-12-univention-apache.yaml I've filed Bug 37517 for the creation of a regression test.
Code review: OK
Advisory: OK
Tests: OK
http://errata.univention.de/ucs/4.0/31.html