Bug 40998 – Disable SSLv3 in UMC (make ciphers/protocol versions configurable)

Bug 40998 - Disable SSLv3 in UMC (make ciphers/protocol versions configurable)


Summary:	Disable SSLv3 in UMC (make ciphers/protocol versions configurable)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	UMC (Generic)
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 enhancement (vote)
Target Milestone:	UCS 4.2-1-errata
Assigned To:	Florian Best
QA Contact:	Johannes Keiser

URL:
Keywords:

Duplicates:	44833 (view as bug list)
Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2016-04-05 13:09 CEST by Arvid Requate
Modified:	2017-06-28 15:33 CEST (History)
CC List:	4 users (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:	Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2016040521000174, 2017061521000462
Bug group (optional):	External feedback, Security
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
umc_no_ssl3.patch (606 bytes, patch) 2016-04-05 13:09 CEST, Arvid Requate	Details \| Diff
patch (3.73 KB, patch) 2017-06-19 20:07 CEST, Florian Best	Details \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2016-04-05 13:09:44 CEST

Created attachment 7579 [details]
umc_no_ssl3.patch

It would be good to disable SSLv3 in UMC.

More generally it would be good to make ciphers and protocol versions configurable.

In a chat with Florian, he came up with this patch (attached) as a starting point:

if ucr['umc_no_ssl3']: self.crypto_context.set_options(SSL.OP_NO_SSLv3)

Comment 1 Arvid Requate

2016-04-05 13:10:21 CEST

Requested on Ticket#2016040521000174.

Comment 2 Florian Best

2016-04-06 13:30:06 CEST

Currently we are doing:
self.crypto_context = SSL.Context(SSL.SSLv23_METHOD)
self.crypto_context.set_cipher_list('DEFAULT')
self.crypto_context.set_options(SSL.OP_NO_SSLv2)

http://www.pyopenssl.org/en/stable/api/ssl.html

We should imho meanwhile always add:
self.crypto_context.set_options(SSL.OP_NO_SSLv3)

Also the ciphers could be configurable. DEFAULT maps to "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2". See man 1 ciphers.
This strings could simply also be configurable via UCR.

Comment 3 Michael Grandjean

2016-08-24 15:48:44 CEST

Ticket#2016040521000174 is based on an audit for PCI DSS. The usage of SSLv3 in UMC is a compliance violation and prevents the final certification of the customer.

Comment 4 Florian Best

2017-06-19 20:07:31 CEST

Created attachment 8934 [details]
patch

Comment 5 Florian Best

2017-06-20 19:24:56 CEST

The patch has been applied.

univention-management-console.yaml:
r80366 | YAML Bug #39963, Bug #44670, Bug #40998

univention-management-console (9.0.80-47):
r80361 | Bug #40998: disable SSLv3 in UMC server and client; make tls ciphers configurable

Comment 6 Florian Best

2017-06-21 12:03:02 CEST

*** Bug 44833 has been marked as a duplicate of this bug. ***

Comment 7 Florian Best

2017-06-23 17:49:10 CEST

A secure default would be:
ucr set umc/server/ssl/ciphers=HIGH

$ openssl s_client -connect localhost:6670
shows then that e.g. AES256-SHA is used.

Comment 8 Johannes Keiser

2017-06-27 11:32:46 CEST

OK Setting the ucr variable changes the used cipher
OK SSLv3 protocol is disabled
YAML: OK
-> verified

Comment 9 Janek Walkenhorst

2017-06-28 15:33:23 CEST

<http://errata.software-univention.de/ucs/4.2/64.html>