Bug 40998 - Disable SSLv3 in UMC (make ciphers/protocol versions configurable)
Disable SSLv3 in UMC (make ciphers/protocol versions configurable)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
: P5 enhancement (vote)
: UCS 4.2-1-errata
Assigned To: Florian Best
Johannes Keiser
:
: 44833 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-04-05 13:09 CEST by Arvid Requate
Modified: 2017-06-28 15:33 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Ticket number: 2016040521000174, 2017061521000462
Bug group (optional): External feedback, Security
Max CVSS v3 score:
requate: Patch_Available+


Attachments
umc_no_ssl3.patch (606 bytes, patch)
2016-04-05 13:09 CEST, Arvid Requate
Details | Diff
patch (3.73 KB, patch)
2017-06-19 20:07 CEST, Florian Best
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2016-04-05 13:09:44 CEST
Created attachment 7579 [details]
umc_no_ssl3.patch

It would be good to disable SSLv3 in UMC.

More generally it would be good to make ciphers and protocol versions configurable.

In a chat with Florian, he came up with this patch (attached) as a starting point:

if ucr['umc_no_ssl3']: self.crypto_context.set_options(SSL.OP_NO_SSLv3)
Comment 1 Arvid Requate univentionstaff 2016-04-05 13:10:21 CEST
Requested on Ticket#2016040521000174.
Comment 2 Florian Best univentionstaff 2016-04-06 13:30:06 CEST
Currently we are doing:
self.crypto_context = SSL.Context(SSL.SSLv23_METHOD)
self.crypto_context.set_cipher_list('DEFAULT')
self.crypto_context.set_options(SSL.OP_NO_SSLv2)

http://www.pyopenssl.org/en/stable/api/ssl.html

We should imho meanwhile always add:
self.crypto_context.set_options(SSL.OP_NO_SSLv3)

Also the ciphers could be configurable. DEFAULT maps to "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2". See man 1 ciphers.
This strings could simply also be configurable via UCR.
Comment 3 Michael Grandjean univentionstaff 2016-08-24 15:48:44 CEST
Ticket#2016040521000174 is based on an audit for PCI DSS. The usage of SSLv3 in UMC is a compliance violation and prevents the final certification of the customer.
Comment 4 Florian Best univentionstaff 2017-06-19 20:07:31 CEST
Created attachment 8934 [details]
patch
Comment 5 Florian Best univentionstaff 2017-06-20 19:24:56 CEST
The patch has been applied.

univention-management-console.yaml:
r80366 | YAML Bug #39963, Bug #44670, Bug #40998

univention-management-console (9.0.80-47):
r80361 | Bug #40998: disable SSLv3 in UMC server and client; make tls ciphers configurable
Comment 6 Florian Best univentionstaff 2017-06-21 12:03:02 CEST
*** Bug 44833 has been marked as a duplicate of this bug. ***
Comment 7 Florian Best univentionstaff 2017-06-23 17:49:10 CEST
A secure default would be:
ucr set umc/server/ssl/ciphers=HIGH

$ openssl s_client -connect localhost:6670
shows then that e.g. AES256-SHA is used.
Comment 8 Johannes Keiser univentionstaff 2017-06-27 11:32:46 CEST
OK Setting the ucr variable changes the used cipher
OK SSLv3 protocol is disabled
YAML: OK
-> verified
Comment 9 Janek Walkenhorst univentionstaff 2017-06-28 15:33:23 CEST
<http://errata.software-univention.de/ucs/4.2/64.html>