Bug 57120

Summary: Disable SSLv3 by default (POODLE)
Product: Apache httpd-2
Reporter: roidelapluie
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
CC: bhanu.karumudi, petr.sumbera
Priority: P2
Version: 2.5-HEAD
Target Milestone: ---
Hardware: All
OS: All
Attachments:
  - poodle patch (add "-SSLv3" to the SSLProtocol directive in the default configuration)
  - patch for 2.4 to limit SSLDirective macro 'all' to just TLS protocols

Description roidelapluie 2014-10-21 09:55:55 UTC
Regarding the latest POODLE disclosure, httpd should disable SSLv3 by default.

http://googleonlinesecurity.blogspot.be/2014/10/this-poodle-bites-exploiting-ssl-30.html
Comment 1 roidelapluie 2014-10-21 09:56:56 UTC
Created attachment 32131 [details]
poodle patch (add "-SSLv3" to the SSLProtocol directive in the default configuration)
Comment 2 Eric Covener 2014-12-29 20:26:30 UTC
Thanks -- n/a for 2.4 or later, proposed in 2.2.x for backport.
Comment 3 Petr Sumbera 2015-04-07 09:24:09 UTC
It would probably be better to disable SSLv3 in the binary directly and not just in the ssl config file. Note that Apache 2.4 doesn't have an SSLProtocol directive in the sample ssl config file.

I'm proposing to limit the SSL_PROTOCOL_ALL macro to just the TLS protocols. This still allows using the SSLProtocol directive and adding +SSLv3 if really needed.
Comment 4 Petr Sumbera 2015-04-07 09:28:41 UTC
Created attachment 32635 [details]
patch for 2.4 to limit SSLDirective macro 'all' to just TLS protocols
Comment 5 Kaspar Brand 2015-04-08 06:39:27 UTC
(In reply to Petr Sumbera from comment #3)
> It would be probably better to disable SSLv3 in binary directly

> I'm proposing to limit SSL_PROTOCOL_ALL macro just fro TLS protocols.

I disagree with this approach, for the reason outlined in https://mail-archives.apache.org/mod_mbox/httpd-dev/201410.mbox/%3C5441511D.1070201%40velox.ch%3E.

Adapting the default in ssl_engine_config.c:modssl_ctx_init() is the solution I'd suggest.
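The two fixes discussed in comment 3 and comment 5 differ in what they change: attachment 32635 redefines the `all` macro (SSL_PROTOCOL_ALL) so it no longer contains SSLv3, while the approach suggested here changes only the built-in default applied when no SSLProtocol directive is present. The following Python model is an added illustration written for this page, not httpd code: it resolves an SSLProtocol argument string to an effective protocol set using the directive's `+`/`-` prefix semantics (a bare keyword replaces the set, as mod_ssl does), and lets you switch between the two proposals. The keyword list (SSLv3, TLSv1, TLSv1.1, TLSv1.2, `all`) is a simplification of a 2.4 build against OpenSSL 1.0.1+; the `all -SSLv3` default modelled below is what the mod_ssl documentation gives for 2.4.17 and later.

```python
"""Model of how mod_ssl's SSLProtocol directive resolves to a protocol set.

Constructed illustration for bug 57120; it is not httpd's own parser.
"""
from typing import Dict, FrozenSet, Optional

# Simplification: keywords accepted by a 2.4 build against OpenSSL 1.0.1+
# (TLSv1.3 left out). Lookup is case-insensitive, like mod_ssl's strcEQ.
_KEYWORDS: Dict[str, str] = {
    "sslv3": "SSLv3",
    "tlsv1": "TLSv1",
    "tlsv1.1": "TLSv1.1",
    "tlsv1.2": "TLSv1.2",
}
TLS_ONLY: FrozenSet[str] = frozenset({"TLSv1", "TLSv1.1", "TLSv1.2"})
ALL_WITH_SSLV3: FrozenSet[str] = TLS_ONLY | {"SSLv3"}


def resolve_ssl_protocol(directive: Optional[str],
                         *,
                         all_includes_sslv3: bool = True,
                         default: str = "all") -> FrozenSet[str]:
    """Return the protocols enabled by an SSLProtocol argument string.

    directive:          the argument text of SSLProtocol, or None when the
                        directive is absent, in which case `default` applies
                        (this models the built-in value from modssl_ctx_init()).
    all_includes_sslv3: False models attachment 32635 (shrink the 'all' macro
                        to TLS only); True keeps the macro's historical meaning.
    default:            "all" (2.4.16 and earlier) or "all -SSLv3" (2.4.17+).
    """
    all_set = ALL_WITH_SSLV3 if all_includes_sslv3 else TLS_ONLY
    enabled: set = set()
    text = default if directive is None else directive
    for token in text.split():
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        key = token.lower()
        if key == "all":
            this = set(all_set)
        elif key in _KEYWORDS:
            this = {_KEYWORDS[key]}
        else:
            raise ValueError(f"unknown SSLProtocol keyword: {token!r}")
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this  # bare keyword replaces what came before
    return frozenset(enabled)


def compare_fixes() -> Dict[str, FrozenSet[str]]:
    """Effective protocol sets for the situations discussed in this bug."""
    return {
        # 2.4.16 and earlier: no directive, default 'all' -> SSLv3 enabled
        "old default": resolve_ssl_protocol(None, default="all"),
        # attachment 32131: ship 'SSLProtocol all -SSLv3' in the sample config
        "config patch": resolve_ssl_protocol("all -SSLv3"),
        # attachment 32635: SSL_PROTOCOL_ALL no longer contains SSLv3
        "shrunk all, no directive": resolve_ssl_protocol(
            None, all_includes_sslv3=False, default="all"),
        # comment 5 / r1703952: 'all' unchanged, built-in default changed
        "new default, no directive": resolve_ssl_protocol(
            None, default="all -SSLv3"),
        # an existing 'SSLProtocol all' keeps its meaning only in the second
        # approach; with the shrunk macro it silently changes
        "explicit all, shrunk macro": resolve_ssl_protocol(
            "all", all_includes_sslv3=False),
        "explicit all, new default": resolve_ssl_protocol(
            "all", default="all -SSLv3"),
        # opt-in still works either way, as comment 3 notes
        "opt-in +SSLv3, shrunk macro": resolve_ssl_protocol(
            "all +SSLv3", all_includes_sslv3=False),
    }


if __name__ == "__main__":
    for name, protocols in compare_fixes().items():
        print(f"{name:30s} -> {sorted(protocols)}")
```

Run it to see that both approaches leave SSLv3 off for a server with no SSLProtocol directive, but only the default-change approach leaves an explicit `SSLProtocol all` meaning what it always meant; the difference is confined to servers that spelled out `all` themselves.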
Comment 6 Kaspar Brand 2015-09-19 08:57:55 UTC
Comment on attachment 32131 [details]
poodle patch (add "-SSLv3" to the SSLProtocol directive in the default configuration)

This was applied to 2.2.x with r1678700, and a similar change was done with the r1679987 commit for 2.4.x.
Comment 7 Kaspar Brand 2015-09-19 09:00:51 UTC
Comment on attachment 32635 [details]
patch for 2.4 to limit SSLDirective macro 'all' to just TLS protocols

(In reply to Kaspar Brand from comment #5)
> Adapting the default in ssl_engine_config.c:modssl_ctx_init() is the
> solution I'd suggest.

Implemented with the r1703952 trunk commit, marking this patch as obsolete therefore.
Comment 8 Kaspar Brand 2015-09-26 08:14:29 UTC
(In reply to Kaspar Brand from comment #7)
> Implemented with the r1703952 trunk commit

Proposed for backporting to 2.4.x with r1705398.
Comment 9 Kaspar Brand 2015-09-30 12:11:48 UTC
Backported to 2.4.x with r1706008. To appear in 2.4.17.