Univention Bugzilla – Bug 40998
Disable SSLv3 in UMC (make ciphers/protocol versions configurable)
Last modified: 2017-06-28 15:33:23 CEST
Created attachment 7579
It would be good to disable SSLv3 in UMC.
More generally it would be good to make ciphers and protocol versions configurable.
In a chat with Florian, he came up with this patch (attached) as a starting point:
if ucr['umc_no_ssl3']: self.crypto_context.set_options(SSL.OP_NO_SSLv3)
Requested on Ticket#2016040521000174.
Currently we are doing:
self.crypto_context = SSL.Context(SSL.SSLv23_METHOD)
We should imho meanwhile always add:
Also the ciphers could be configurable. DEFAULT maps to "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2". See man 1 ciphers.
These strings could also simply be made configurable via UCR.
Ticket#2016040521000174 is based on an audit for PCI DSS. The usage of SSLv3 in UMC is a compliance violation and prevents the final certification of the customer.
Created attachment 8934
The patch has been applied.
r80366 | YAML Bug #39963, Bug #44670, Bug #40998
r80361 | Bug #40998: disable SSLv3 in UMC server and client; make tls ciphers configurable
*** Bug 44833 has been marked as a duplicate of this bug. ***
A secure default would be:
ucr set umc/server/ssl/ciphers=HIGH
$ openssl s_client -connect localhost:6670
then shows that, e.g., AES256-SHA is used.
OK Setting the ucr variable changes the used cipher
OK SSLv3 protocol is disabled
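The recipe from the comments above (auto-negotiating context, SSLv3 always off, cipher string taken from UCR) together with the two QA checks at the end, as an added example that is not Univention's or UMC's own code. It uses the Python stdlib ssl module in place of pyOpenSSL's SSL.Context and a plain dict in place of UCR; umc/server/ssl/ciphers is the variable from this bug, while the function names and the weak-cipher marker list are assumptions. It goes one step beyond the page: per ciphers(1), HIGH alone selects on key length and still admits anonymous (aNULL) suites, so the audit helper flags those and the run also tries HIGH:!aNULL.

```python
"""Hardened TLS context driven by UCR-style settings, plus the audit checks.

Added example, not Univention's code: the Python stdlib ``ssl`` module stands
in for the pyOpenSSL ``SSL.Context`` that UMC uses, and a plain dict stands in
for UCR.  The variable name umc/server/ssl/ciphers is the one from the bug;
the function names and the weak-cipher markers are assumed for illustration.
"""
import ssl
import warnings

UCR_CIPHERS = "umc/server/ssl/ciphers"          # from "ucr set umc/server/ssl/ciphers=HIGH"
WEAK_NAME_MARKERS = ("NULL", "EXPORT", "RC4", "MD5")  # assumed audit list


def make_server_context(ucr):
    """Build the server context the way the fix in this bug settles on.

    Start from the auto-negotiating context (stdlib analogue of
    SSL.SSLv23_METHOD), always clear SSLv2/SSLv3, and take the cipher string
    from UCR, falling back to OpenSSL's DEFAULT when the variable is unset.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        # Newer Pythons deprecate the OP_NO_* bits in favour of
        # ctx.minimum_version; they still take effect and mirror the
        # pyOpenSSL SSL.OP_NO_SSLv3 from the patch in this bug.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    cipher_string = (ucr.get(UCR_CIPHERS) or "DEFAULT").strip() or "DEFAULT"
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        # Fail closed: OpenSSL only rejects a string when no TLS<=1.2 suite
        # matches at all and silently ignores unknown words inside a longer
        # list, so a UCR typo must be surfaced rather than papered over.
        raise ValueError("invalid cipher string %r: %s" % (cipher_string, exc)) from exc
    return ctx


def sslv3_disabled(ctx):
    """The QA check 'OK SSLv3 protocol is disabled', read off the context."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def enabled_cipher_names(ctx):
    """Suites the context will offer; what `openssl s_client` can end up with."""
    return [c["name"] for c in ctx.get_ciphers()]


def anonymous_ciphers(ctx):
    """Suites with no server authentication (OpenSSL's aNULL class).

    ciphers(1) documents HIGH as a key-length class, so plain HIGH still
    admits ADH/AECDH suites; OpenSSL marks them "Au=None" in the description.
    """
    return [c["name"] for c in ctx.get_ciphers() if "Au=None" in c["description"]]


def weak_ciphers(ctx):
    """Everything a PCI DSS style audit would flag: weak names plus anonymous suites."""
    by_name = [n for n in enabled_cipher_names(ctx)
               if any(m in n for m in WEAK_NAME_MARKERS)]
    return sorted(set(by_name) | set(anonymous_ciphers(ctx)))


def cipher_string_is_valid(cipher_string):
    """True if OpenSSL accepts the string and at least one suite survives."""
    try:
        make_server_context({UCR_CIPHERS: cipher_string})
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed UCR snapshots: unset, the value from the QA comment, and a
    # tightened variant that also drops the anonymous suites.
    for value in (None, "HIGH", "HIGH:!aNULL"):
        ucr = {} if value is None else {UCR_CIPHERS: value}
        ctx = make_server_context(ucr)
        print("%-12s SSLv3 off=%s suites=%d weak=%s" % (
            value or "<unset>", sslv3_disabled(ctx),
            len(enabled_cipher_names(ctx)), weak_ciphers(ctx)))
    print("typo rejected:", not cipher_string_is_valid("NO-SUCH-CIPHER"))
```

Running it offline prints one line per UCR snapshot; what `openssl s_client -connect localhost:6670` negotiates in the QA step is one entry from the `suites` list, so the audit helper answers the question the manual check only samples: whether anything weak is still offerable at all. The `ValueError` on a bad string is deliberate: a server that starts with a mistyped cipher list and quietly runs on OpenSSL's leftovers is exactly what the PCI audit in this ticket would catch later.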