Re: Freeze Break: SSLv3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+1 here, though additional testing of the koji change can't hurt.

-Ricky

On 10/14/2014 09:32 PM, Kevin Fenzi wrote:
> There's been a vulnerability discovered in SSLv3 that basically allows
> attackers to decrypt it. ;( 
> 
> I would like to apply the following and disable it on our sites for now
> until and unless we find a better solution in coming days. 
> 
> Note that I am likely going to try and test the koji change in stg first
> and might adjust it some. 
> 
> I'll also likely apply this soon anyhow as it's a security issue,
> but more eye's +1's welcome. 
> 
> kevin
> --
> diff --git a/configs/httpd/websites/infrastructure.fedoraproject.org.conf b/configs/httpd/websites/infrastructur
> index 2d8a8dc..2d197eb 100644
> --- a/configs/httpd/websites/infrastructure.fedoraproject.org.conf
> +++ b/configs/httpd/websites/infrastructure.fedoraproject.org.conf
> @@ -56,7 +56,7 @@
>    # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
>    # If you change the protocols or cipher suites, you should probably update
>    # modules/squid/files/squid.conf-el6 too, to keep it in sync.
> -  SSLProtocol +SSLv3 +TLSv1
> +  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
>    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-EC
>  
>    Include "conf.d/infrastructure.fedoraproject.org/*.conf"
> diff --git a/configs/system/fedorapeople/people.conf b/configs/system/fedorapeople/people.conf
> index 113321b..674f28a 100644
> --- a/configs/system/fedorapeople/people.conf
> +++ b/configs/system/fedorapeople/people.conf
> @@ -36,7 +36,7 @@ NameVirtualHost [2610:28:3090:3001:5054:ff:fedb:7f5a]:443
>    SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert
>    SSLHonorCipherOrder On
>    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-EC
> -  SSLProtocol +SSLv3 +TLSv1
> +  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
>  
>    Header add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
>  
> diff --git a/configs/system/planet/planet.conf b/configs/system/planet/planet.conf
> index 0ee76fc..ed80bcc 100644
> --- a/configs/system/planet/planet.conf
> +++ b/configs/system/planet/planet.conf
> @@ -47,7 +47,7 @@
>      SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert
>      SSLHonorCipherOrder On
>      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-
> -    SSLProtocol +SSLv3 +TLSv1
> +    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
>  
>      DocumentRoot "/srv/planet/site/"
>  
> diff --git a/configs/web/fedorahosted.org.conf b/configs/web/fedorahosted.org.conf
> index f3476c2..b5ac057 100644
> --- a/configs/web/fedorahosted.org.conf
> +++ b/configs/web/fedorahosted.org.conf
> @@ -23,7 +23,7 @@ Listen 443
>      SSLCertificateChainFile /etc/httpd/conf.d/fedorahosted.org/wildcard-2014.fedorahosted.org.intermediate.cert
>      SSLHonorCipherOrder On
>      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-
> -    SSLProtocol +SSLv3 +TLSv1
> +    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
>  
>      Header add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" 
>  
> diff --git a/configs/web/git.fedorahosted.org.conf b/configs/web/git.fedorahosted.org.conf
> index bba8519..f670515 100644
> --- a/configs/web/git.fedorahosted.org.conf
> +++ b/configs/web/git.fedorahosted.org.conf
> @@ -21,7 +21,7 @@ Alias   /robots.txt /srv/web/fedorahosted.org/robots.txt
>      SSLCertificateChainFile /etc/httpd/conf.d/fedorahosted.org/wildcard-2014.fedorahosted.org.intermediate.cert
>      SSLHonorCipherOrder On
>      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-
> -    SSLProtocol +SSLv3 +TLSv1
> +    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
>  
>      Alias /cgit-data /usr/share/cgit
>      ScriptAlias /cgit /var/www/cgi-bin/cgit
> diff --git a/configs/web/koji-ssl.conf b/configs/web/koji-ssl.conf
> index 93696c8..307e82d 100644
> --- a/configs/web/koji-ssl.conf
> +++ b/configs/web/koji-ssl.conf
> @@ -97,7 +97,7 @@ SSLEngine on
>  #   SSL Protocol support:
>  # List the enable protocol levels with which clients will be able to
>  # connect.  Disable SSLv2 access by default:
> -SSLProtocol all -SSLv2
> +SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
>  
>  #   SSL Cipher Suite:
>  # List the ciphers that the client is permitted to negotiate.
> diff --git a/configs/web/pkgs.fedoraproject.org/lookaside-upload.conf b/configs/web/pkgs.fedoraproject.org/looka
> index bf41146..bfb44d6 100644
> --- a/configs/web/pkgs.fedoraproject.org/lookaside-upload.conf
> +++ b/configs/web/pkgs.fedoraproject.org/lookaside-upload.conf
> @@ -29,8 +29,7 @@ SSLCryptoDevice builtin
>      SSLCARevocationFile  /etc/pki/tls/crl.pem
>  
>      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-
> -    SSLProtocol +SSLv3 +TLSv1
> -
> +    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
>  
>  # Must be 'optional' everywhere in order to have POST operations work to upload.cgi
>      SSLVerifyClient optional
> diff --git a/modules/httpd/templates/website.conf.erb b/modules/httpd/templates/website.conf.erb
> index 668c090..817b5ef 100644
> --- a/modules/httpd/templates/website.conf.erb
> +++ b/modules/httpd/templates/website.conf.erb
> @@ -42,7 +42,7 @@
>    # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
>    # If you change the protocols or cipher suites, you should probably update
>    # modules/squid/files/squid.conf-el6 too, to keep it in sync.
> -  SSLProtocol +SSLv3 +TLSv1
> +  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
>    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-EC
>  
>    Include "conf.d/<%= name %>/*.conf"
> diff --git a/modules/puppet/files/puppetmaster.conf b/modules/puppet/files/puppetmaster.conf
> index 4294a14..08a6d3b 100644
> --- a/modules/puppet/files/puppetmaster.conf
> +++ b/modules/puppet/files/puppetmaster.conf
> @@ -58,6 +58,7 @@ user apache
>      ServerName master.puppetmanaged.org
>      SSLEngine on
>      SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
> +    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
>      SSLCertificateFile      /var/lib/puppet/ssl/certs/puppet.pem
>      SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppet.pem
>      SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
> diff --git a/modules/squid/files/squid.conf-el6 b/modules/squid/files/squid.conf-el6
> index 80b8e86..123af78 100644
> --- a/modules/squid/files/squid.conf-el6
> +++ b/modules/squid/files/squid.conf-el6
> @@ -1,5 +1,5 @@
>  http_port 80 defaultsite=kojipkgs.fedoraproject.org
> -https_port 443 defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2014.squid.cert key=/etc
> +https_port 443 defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2014.squid.cert key=/etc
>  
>  cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=kojipkgs
>  hierarchy_stoplist cgi-bin ?
> 
> 
> 
> _______________________________________________
> infrastructure mailing list
> infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure
> 


Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux