Univention Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Disable SSLv3 in UMC (make ciphers/protocol versions configurable) | | |
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | UMC (Generic) | Assignee: | Florian Best <best> |
| Status: | CLOSED FIXED | QA Contact: | Johannes Keiser <keiser> |
| Severity: | enhancement | | |
| Priority: | P5 | CC: | best, grandjean, klaeser, thorp-hansen |
| Version: | UCS 4.2 | Flags: | requate: Patch_Available+ |
| Target Milestone: | UCS 4.2-1-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | Yes |
| Ticket number: | 2016040521000174, 2017061521000462 | Bug group (optional): | External feedback, Security |
| Attachments: | umc_no_ssl3.patch (patch) | | |
Requested on Ticket#2016040521000174. Currently we are doing:

```python
self.crypto_context = SSL.Context(SSL.SSLv23_METHOD)
self.crypto_context.set_cipher_list('DEFAULT')
self.crypto_context.set_options(SSL.OP_NO_SSLv2)
```

http://www.pyopenssl.org/en/stable/api/ssl.html

We should imho meanwhile always add:

```python
self.crypto_context.set_options(SSL.OP_NO_SSLv3)
```

Also the ciphers could be configurable. DEFAULT maps to "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2". See man 1 ciphers. These strings could also simply be configurable via UCR.

Ticket#2016040521000174 is based on an audit for PCI DSS. The usage of SSLv3 in UMC is a compliance violation and prevents the final certification of the customer.

Created attachment 8934 [details]
patch
The patch has been applied.

univention-management-console.yaml: r80366 | YAML Bug #39963, Bug #44670, Bug #40998

univention-management-console (9.0.80-47): r80361 | Bug #40998: disable SSLv3 in UMC server and client; make tls ciphers configurable

*** Bug 44833 has been marked as a duplicate of this bug. ***

A secure default would be:

```
ucr set umc/server/ssl/ciphers=HIGH
```

`$ openssl s_client -connect localhost:6670` then shows that e.g. AES256-SHA is used.

OK: Setting the ucr variable changes the used cipher
OK: SSLv3 protocol is disabled
YAML: OK

-> verified
Created attachment 7579 [details]
umc_no_ssl3.patch

It would be good to disable SSLv3 in UMC. More generally it would be good to make ciphers and protocol versions configurable. In a chat with Florian, he came up with this patch (attached) as a starting point:

```python
if ucr['umc_no_ssl3']:
    self.crypto_context.set_options(SSL.OP_NO_SSLv3)
```
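As an added example (not from the bug, the patch or UCS code), the same change built on Python's standard `ssl` module instead of pyOpenSSL: the cipher string is read from a dict standing in for UCR under the variable the fix introduced, `umc/server/ssl/ciphers`, SSLv3 is refused by a protocol floor, and a string that OpenSSL cannot map to any cipher falls back to DEFAULT instead of aborting server startup. The function names, the `ucr` dict and the weak-cipher markers are assumptions for the example.

```python
# Added example (not UCS code): the bug's fix expressed with the stdlib ssl
# module instead of pyOpenSSL.  The dict `ucr` stands in for the UCR
# registry; "umc/server/ssl/ciphers" is the variable named in the fix.
import ssl

UCR_CIPHERS_KEY = "umc/server/ssl/ciphers"
FALLBACK_CIPHERS = "DEFAULT"   # OpenSSL: ALL:!EXPORT:!aNULL:!eNULL:!SSLv2

# Substrings that never belong in a negotiable cipher name (assumed list).
WEAK_MARKERS = ("NULL", "RC4", "EXP", "MD5")


def make_context(ucr):
    """Return (server context, cipher string actually in effect).

    A cipher string that OpenSSL cannot map to any cipher raises
    SSLError ("No cipher can be selected"); that would abort server
    startup, so the fallback list is used instead of propagating it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # The patch used set_options(SSL.OP_NO_SSLv3); the stdlib's current
    # way to say the same is a protocol floor (here TLS 1.2).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    requested = ucr.get(UCR_CIPHERS_KEY) or FALLBACK_CIPHERS
    try:
        ctx.set_ciphers(requested)
        return ctx, requested
    except ssl.SSLError:
        ctx.set_ciphers(FALLBACK_CIPHERS)
        return ctx, FALLBACK_CIPHERS


def sslv3_disabled(ctx):
    """True if SSLv3 cannot be negotiated, via the legacy OP_NO_SSLv3 bit
    or because the protocol floor is TLS 1.0 or newer."""
    return (bool(ctx.options & ssl.OP_NO_SSLv3)
            or ctx.minimum_version >= ssl.TLSVersion.TLSv1)


def weak_ciphers(ctx):
    """Configured cipher names that match a weak-cipher marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_MARKERS)]


if __name__ == "__main__":
    for ucr in ({}, {UCR_CIPHERS_KEY: "HIGH"}, {UCR_CIPHERS_KEY: "NO-SUCH-CIPHER"}):
        ctx, used = make_context(ucr)
        print(f"{used:<16} sslv3_off={sslv3_disabled(ctx)} weak={weak_ciphers(ctx)}")
```

`weak_ciphers` is the programmatic counterpart of the `openssl s_client` check in the QA comment: it lists what the context would still offer, so a misconfigured UCR value is caught before a client connects.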