Bug 38632 – apache2: Make SSLCipherSuite configurable (3.2)

Bug 38632 - apache2: Make SSLCipherSuite configurable (3.2)


Summary:	apache2: Make SSLCipherSuite configurable (3.2)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Apache
Version:	UCS 3.2
Hardware:	Other Linux

Importance:	P5 enhancement (vote)
Target Milestone:	UCS 3.2-6-errata
Assigned To:	Philipp Hahn
QA Contact:	Erik Damrose

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2015-06-01 15:17 CEST by Arvid Requate
Modified:	2018-01-18 09:39 CET (History)
CC List:	6 users (show)

See Also:	27656 46065
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2015-06-01 15:17:17 CEST

It would be good to backport the configurability of the SSLCipherSuite option to allow uses to mitigate the effects of the Logjam issue.


Note: The option SSLCompression is not yet available in apache 2.2.16-6+squeeze12, so no protection against the "CRIME" MITM attack without backporting the patch from 2.2.22-12. Likewise, the option SSLProtocol doesn't support TLSv1.2 yet in that version.


+++ This bug was initially created as a clone of Bug #37566 +++

It would be useful to allow more configuration options for mod_ssl (it's already a UCR template: /etc/univention/templates/files/etc/apache2/mods-available/ssl.conf)

Comment 1 Philipp Hahn

2015-07-07 15:13:04 CEST

FYI: Bug #36173 already added options to disable SSLv2 and SSLv3 (r54575,r54554) in UCS-3.2-3

FYI: Apache-2.2 in UCS-3.2 only supports TLSv1.0, not 1.1 or newer!

r61842 | Bug #38632 Apache: Add UCRVs to configure more SSL options
 Add apache2/ssl/ciphersuite and apache2/ssl/honorcipherorder


Package: univention-apache
Version: 6.0.16-10.239.201507071454
Branch: ucs_3.2-0
Scope: errata3.2-6

r61844 | Bug #38632 Apache: Add UCRVs to configure more SSL options YAML
 2015-07-06-univention-apache.yaml


QA: See Bug #27656 for some tests - also work on UCS-3.2-6.

Comment 2 Erik Damrose

2015-07-13 10:00:59 CEST

OK: backport from UCS 4
OK: with default settings applied, the ssllabs check for cipher strength improves from 60/100 to 90/100
OK: yaml
Reopen: r61842 introduces a link from UCRV apache2/ssl/tlsv11 to ssl.conf - but the variable not evaluated. Probably a remnant from the backport, as apache 2.2 does not support TLS 1.1 as mentioned in comment #1. Please remove the variable from univention-apache.univention-config-registry to avoid confusion.

Comment 3 Philipp Hahn

2015-07-13 13:15:15 CEST

(In reply to Erik Damrose from comment #2)
> Reopen: r61842 introduces a link from UCRV apache2/ssl/tlsv11 to ssl.conf -

r62065 | Bug #38632 Apache: Remove unsupported UCRVs for TLSv1.1
 - apache2/ssl/tlsv11

Package: univention-apache
Version: 6.0.16-11.240.201507131307
Branch: ucs_3.2-0
Scope: errata3.2-6

r62066 | Bug #38632 Apache: Remove unsupported UCRVs for TLSv1.1 YAML
 2015-07-06-univention-apache.yaml

Comment 4 Erik Damrose

2015-07-13 13:25:49 CEST

OK: removal of apache2/ssl/tlsv11
OK: yaml
-> Verified

Comment 5 Janek Walkenhorst

2015-07-16 15:12:11 CEST

<http://errata.univention.de/ucs/3.2/345.html>