httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: Older clients stopped working after server disabled SSLv3
Date Wed, 29 Oct 2014 01:15:35 GMT
On Tue, Oct 28, 2014 at 6:58 PM, Mikhail T. <mi+thun@aldan.algebra.com> wrote:

> Hello!
>
> After disabling SSLv3:
>
> SSLOptions ALL -SSLv3
>
> we noticed, that curl itself and libcurl-using programs (such as git)
> stopped working on some of the (older) systems -- such as RHEL5 -- when
> invoked against the https-URLs pointing at the reconfigured servers.
>
> Invoking curl with the -1 option (a.k.a. --tlsv1) worked, but without the
> option curl kept failing -- complaining about SSL protocol error.
> Unfortunately, there is no way to propagate that option through git to the
> underlying libcurl...
>
> On newer systems (RHEL6, FreeBSD9), things are fine, but we have a
> substantial number of those old ones and need a solution...
>
> I was able to find this question:
>
>
> http://serverfault.com/questions/637880/disabling-sslv3-but-still-supporting-sslv2hello-in-apache/
>
> and a patch linked to from one of the answers:
>
> http://pastebin.com/Nvat7xTy
>
> I can confirm, that the patch "works" -- curl and git started working
> after I restarted the rebuilt httpd. And running sslscan against the
> patched server continues to list the "bad" SSLv3 as disabled.
>
> Could somebody, perhaps, begin reviewing it and/or comment even before it
> is formally filed with Bugzilla? I searched there, but could not find
> anything relevant... Thanks! Yours,
>
> -mi
>
>
I was working with someone on a similar problem but they disappeared for
now.  I had come to a similar conclusion for another of their symptoms, but
didn't know enough openssl to understand how it affected the v2open.

They had a year-old httpd2.4 from EPEL / RH software collections but it's
built against an old openssl, so it isn't aware of tls1.1 and tls1.2 and
that same block of code ends up locking you into exactly TLSv1.0 once you
remove sslv2 and sslv3.  If you leave sslv2, it gets disabled below that
block and none of the equality checks match.  They didn't get to test that
for me yet.

Ironically my colleague was actually reporting the issue with the
v2open/v2hello and they noticed the tls1.1/tls1.2 disappearing issue as
trivia.  But I was not even sure the v2open was really the culprit.

There is an older/pre-poodle PR out there somewhere where the symptom seems
to be the v2hello/v2open disappearing with -SSLv3.

Kaspar, does the v2open require sslv2method? What do you think of the patch
above?

-- 
Eric Covener
covener@gmail.com
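Added example, not code from this thread or from httpd: a small classifier for captured ClientHello bytes that tells the SSLv2-compatible hello format (what the thread calls the v2hello) from a TLS-record ClientHello and reports the highest version each client offers, so an operator can count how many clients send which format before changing the protocol configuration. The sample byte strings are constructed for the example.

```python
"""Classify captured ClientHello bytes by handshake format (constructed samples)."""
import struct


def classify_client_hello(data: bytes) -> dict:
    """Return the hello format and the highest protocol version the client offers."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-compatible hello: 2-byte header (high bit set, 15-bit length),
        # then CLIENT-HELLO (0x01), version, cipher-spec/session-id/challenge lengths.
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        if rec_len < 9 or len(data) < 2 + rec_len:
            raise ValueError("truncated SSLv2-compatible hello")
        major, minor = data[3], data[4]
        cs_len = struct.unpack(">H", data[5:7])[0]
        if cs_len % 3 or 11 + cs_len > 2 + rec_len:
            raise ValueError("bad cipher-spec length")
        return {"format": "sslv2_compat_hello", "max_version": (major, minor),
                "cipher_count": cs_len // 3}
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # TLS record (content type 0x16 = handshake) carrying a ClientHello (0x01).
        rec_len = struct.unpack(">H", data[3:5])[0]
        if len(data) < 5 + rec_len:
            raise ValueError("truncated TLS record")
        major, minor = data[9], data[10]
        return {"format": "tls_record_hello", "max_version": (major, minor)}
    raise ValueError("not a ClientHello")


def tally_formats(hellos) -> dict:
    """Count captured hellos per format: the impact estimate to make before disabling protocols."""
    counts = {}
    for hello in hellos:
        fmt = classify_client_hello(hello)["format"]
        counts[fmt] = counts.get(fmt, 0) + 1
    return counts


# Constructed sample: SSLv2-compatible hello offering up to TLS 1.0 with three cipher specs.
V2_HELLO = (b"\x80\x22" + b"\x01\x03\x01" + b"\x00\x09\x00\x00\x00\x10"
            + b"\x00\x00\x2f\x00\x00\x35\x00\x00\x0a" + b"\x11" * 16)
# Constructed sample: TLS record ClientHello offering TLS 1.2 with one cipher suite.
TLS_HELLO = (b"\x16\x03\x01\x00\x2d" + b"\x01\x00\x00\x29" + b"\x03\x03" + b"\x22" * 32
             + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00")

if __name__ == "__main__":
    for sample in (V2_HELLO, TLS_HELLO):
        print(classify_client_hello(sample))
    print(tally_formats([V2_HELLO, TLS_HELLO, V2_HELLO]))
```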
