Univention Bugzilla – Bug 40998
Disable SSLv3 in UMC (make ciphers/protocol versions configurable)
Last modified: 2017-06-28 15:33:23 CEST
Created attachment 7579 [details]
umc_no_ssl3.patch

It would be good to disable SSLv3 in UMC. More generally it would be good to make ciphers and protocol versions configurable. In a chat with Florian, he came up with this patch (attached) as a starting point:

    if ucr['umc_no_ssl3']:
        self.crypto_context.set_options(SSL.OP_NO_SSLv3)
Requested on Ticket#2016040521000174.
Currently we are doing:

    self.crypto_context = SSL.Context(SSL.SSLv23_METHOD)
    self.crypto_context.set_cipher_list('DEFAULT')
    self.crypto_context.set_options(SSL.OP_NO_SSLv2)

http://www.pyopenssl.org/en/stable/api/ssl.html

We should IMHO meanwhile always add:

    self.crypto_context.set_options(SSL.OP_NO_SSLv3)

Also the ciphers could be configurable. DEFAULT maps to "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2". See man 1 ciphers. These strings could also simply be configurable via UCR.
Ticket#2016040521000174 is based on an audit for PCI DSS. The usage of SSLv3 in UMC is a compliance violation and prevents the final certification of the customer.
Created attachment 8934 [details]
patch
The patch has been applied.

univention-management-console.yaml:
r80366 | YAML Bug #39963, Bug #44670, Bug #40998

univention-management-console (9.0.80-47):
r80361 | Bug #40998: disable SSLv3 in UMC server and client; make tls ciphers configurable
*** Bug 44833 has been marked as a duplicate of this bug. ***
A secure default would be:

    ucr set umc/server/ssl/ciphers=HIGH

    $ openssl s_client -connect localhost:6670

then shows that e.g. AES256-SHA is used.
OK: Setting the UCR variable changes the used cipher
OK: SSLv3 protocol is disabled
OK: YAML

-> verified
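The two technical points in this bug, the server context that disables SSLv3 and takes its cipher list from UCR (the earlier comment), and the `openssl s_client` check the verifier ran against port 6670 (the last two comments), as one added example. This is not code from the bug report, the attached patches or the UMC project. It uses the Python standard-library `ssl` module in place of pyOpenSSL so it runs without extra packages; the option flags and cipher strings are the same OpenSSL ones the bug discusses. The UCR dictionary, the `HIGH:!aNULL` value (the bug's `HIGH` plus an `!aNULL` hardening that is this example's assumption, since `HIGH` alone still admits anonymous suites) and the `s_client` excerpt are all constructed here.

```python
"""Added example, not code from the Univention bug or the UMC project.

A TLS server context that never offers SSLv2/SSLv3 and takes its cipher
list from a UCR-style setting, a policy check over the ciphers that context
would actually offer, and a check over `openssl s_client` output like the one
the verifier ran.  The standard-library ``ssl`` module stands in for
pyOpenSSL; the options and cipher strings are the same OpenSSL ones."""
import re
import ssl

# Cipher string the bug report quotes as the expansion of OpenSSL's DEFAULT.
OPENSSL_DEFAULT_CIPHERS = "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"

# Constructed stand-in for the UCR dictionary.  The key is the variable the
# verifier set; "HIGH" on its own still admits anonymous (Au=None) suites,
# so the "!aNULL" suffix is this example's hardening, not a value from the bug.
EXAMPLE_UCR = {"umc/server/ssl/ciphers": "HIGH:!aNULL"}


def build_server_context(ucr, certfile=None, keyfile=None):
    """Equivalent of the patched UMC setup: SSLv23-style auto-negotiation
    with SSLv2 and SSLv3 disabled unconditionally (no UCR switch for that)
    and the cipher list taken from UCR, falling back to OpenSSL's DEFAULT."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Same effect as pyOpenSSL's set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3).
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.set_ciphers(ucr.get("umc/server/ssl/ciphers") or OPENSSL_DEFAULT_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_protocols_disabled(ctx):
    """True when the context can offer neither SSLv2 nor SSLv3.
    OP_NO_SSLv2 is 0 on OpenSSL builds that no longer contain SSLv2 at all."""
    no_v2 = ssl.OP_NO_SSLv2 == 0 or bool(ctx.options & ssl.OP_NO_SSLv2)
    return no_v2 and bool(ctx.options & ssl.OP_NO_SSLv3)


def weak_ciphers(ctx):
    """Names of ciphers the context would still offer that a PCI DSS style
    policy rejects: under 128 bits of strength, RC4/DES/3DES, or anonymous
    key exchange (OpenSSL describes those as Au=None).  The 'protocol' field
    is ignored on purpose: OpenSSL reports the oldest version a suite was
    defined for, so legacy suites such as AES256-SHA show 'SSLv3' there even
    though they are negotiated over TLS; the protocol floor is enforced by
    the options above, not by the cipher list."""
    weak = []
    for c in ctx.get_ciphers():
        symmetric = (c["symmetric"] or "").lower()
        if (c["strength_bits"] < 128
                or "rc4" in symmetric
                or "des" in symmetric
                or "Au=None" in c["description"]):
            weak.append(c["name"])
    return weak


# Constructed excerpt in the shape of `openssl s_client -connect localhost:6670`
# output against the fixed server; the verifier reported AES256-SHA being used.
SAMPLE_S_CLIENT_OUTPUT = """\
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
"""

_S_CLIENT_FIELD = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)", re.MULTILINE)


def check_s_client_output(text):
    """Return (protocol, cipher, ok) from an s_client transcript.  ok is False
    for SSLv2/SSLv3, a failed handshake (cipher 0000 or (NONE)), or a
    NULL/export/RC4/DES cipher."""
    fields = dict(_S_CLIENT_FIELD.findall(text))
    protocol = fields.get("Protocol", "")
    cipher = fields.get("Cipher", "")
    proto_ok = protocol.startswith("TLSv")
    cipher_ok = (cipher not in ("", "0000", "(NONE)")
                 and re.search(r"NULL|EXP|RC4|DES", cipher) is None)
    return protocol, cipher, proto_ok and cipher_ok


if __name__ == "__main__":
    context = build_server_context(EXAMPLE_UCR)
    print("legacy protocols disabled:", legacy_protocols_disabled(context))
    print("weak ciphers still offered:", weak_ciphers(context))
    print("s_client check:", check_s_client_output(SAMPLE_S_CLIENT_OUTPUT))
```

`weak_ciphers` inspects what the context would really offer after OpenSSL has expanded the cipher string, which is the check worth running whenever the UCR value changes: a string that looks strict can still expand to anonymous or short-key suites. `check_s_client_output` turns the manual `openssl s_client` verification from the bug into something that can be asserted in an automated test.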
<http://errata.software-univention.de/ucs/4.2/64.html>