Univention Bugzilla – Full Text Bug Listing |
Summary: | apache: SSL3 protocol attack (3.2) | ||
---|---|---|---|
Product: | UCS | Reporter: | Moritz Muehlenhoff <jmm> |
Component: | Security updates | Assignee: | Janek Walkenhorst <walkenhorst> |
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
Severity: | normal | ||
Priority: | P5 | CC: | gohmann, walkenhorst |
Version: | UCS 3.2 | ||
Target Milestone: | UCS 3.2-3-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | --- | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: |
Description
Moritz Muehlenhoff
2014-10-15 10:58:25 CEST
Fixed. Advisory: 2014-10-16-univention-apache.yaml Tests: OK OK # SSLv2 no -> wget --secure-protocol=SSLv2 https://10.200.7.150 --no-check-certificate --2014-10-17 09:42:09-- https://10.200.7.150/ Abgebrochen (Speicherabzug geschrieben) (???) # SSLv3 no -> wget --secure-protocol=SSLv3 https://10.200.7.150 --no-check-certificate --2014-10-17 09:42:11-- https://10.200.7.150/ Verbindungsaufbau zu 10.200.7.150:443... verbunden. OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure Es ist nicht möglich, eine SSL-Verbindung herzustellen. # TLS yes -> wget --secure-protocol=TLSv1 https://10.200.7.150 --no-check-certificate ... 2014-10-17 09:42:14 (29,5 MB/s) - »»index.html.1«« gespeichert [4412/4412] https with firefox/chrome still works (TLS 1) OK - YAML It should be possible to override the deactivation via UCR. (In reply to Janek Walkenhorst from comment #4) > It should be possible to override the deactivation via UCR. [apache2/ssl/v2] Description[en]=Enables the insecure protocoll SSL 2.0 (Default: no) Type=bool [apache2/ssl/v3] Description[en]=Enables the insecure protocoll SSL 3.0 (Default: no) Type=bool Advisory: 2014-10-16-univention-apache.yaml OK |