Bug 13656

Summary: SSL support needs to be improved
Product: Websites Reporter: Olivier Delaune <olivier.delaune>
Component: AllAssignee: Sysadmin Team <sysadmin-bugs>
Status: RESOLVED FIXED QA Contact: Atelier Team <atelier-bugs>
Severity: enhancement    
Priority: Normal CC: bjarne.thomsen, doktor5000, filip.komar, makowski.mageia
Version: trunk   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: CVE:
Status comment:

Description Olivier Delaune 2014-07-02 19:39:22 CEST 
I tested mageia.org on ssllabs.com. I got the following result
https://www.ssllabs.com/ssltest/analyze.html?d=mageia.org&s=217.70.188.116

In summary, it says
* This server does not mitigate the CRIME attack. Grade capped to B.
* Experimental: This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224), but probably not exploitable.
* The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
* The server does not support Forward Secrecy with the reference browsers.  MORE INFO »
* This server is not vulnerable to the Heartbleed attack.

Could you update the server to take into account thiese remarks?

Reproducible: 

Steps to Reproduce:
Olivier Delaune 2014-07-02 19:39:32 CEST

Summary: SSL support needs to be improvec => SSL support needs to be improved

Manuel Hiebel 2014-07-02 20:37:43 CEST

Assignee: atelier-bugs => sysadmin-bugs
QA Contact: (none) => atelier-bugs

Comment 1 Olivier Delaune 2014-10-23 09:30:22 CEST 
A new test gives now

* This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. MORE INFO »
* This server does not mitigate the CRIME attack. Grade capped to B.
* Certificate uses SHA1 and expires after 2016. Upgrade to SHA256 as soon as possible to avoid browser warnings.  MORE INFO »
* The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
* The server does not support Forward Secrecy with the reference browsers.  MORE INFO » 

In these conditions, I think it is really dangerous to keep the https version of mageia.org: users think their communication with mageia.org are protected which is not really the case...
Comment 2 Florian Hubold 2014-11-27 14:17:29 CET 
Ping?

CC: (none) => doktor5000

Comment 3 Olivier Delaune 2015-02-04 22:58:32 CET 
Few months after, it gives
* This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.   MORE INFO »
Certificate has a weak signature and expires after 2016. Upgrade to SHA2 to avoid browser warnings.  MORE INFO »
* This server accepts the RC4 cipher, which is weak. Grade capped to B.  MORE INFO »
* The server does not support Forward Secrecy with the reference browsers.  MORE INFO »
* This site works only in browsers with SNI support.
* This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

Briefly, it is a bit better, but there is still this POODLE attack vulnerability...
Comment 4 Filip Komar 2015-05-22 13:36:24 CEST 
*** Bug 16013 has been marked as a duplicate of this bug. ***

CC: (none) => bjarne.thomsen

Comment 5 Philippe Makowski 2015-09-19 18:43:05 CEST 
For apache, using these settings would help :

        SSLVerifyClient none
        SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
        SSLHonorCipherOrder on
        SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM 

and also :
Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"

CC: (none) => makowski.mageia

Comment 6 Filip Komar 2016-05-30 10:50:37 CEST 
According to ssllabs site Overall Rating is now declared as A.

Status: NEW => RESOLVED
CC: (none) => filip.komar
Resolution: (none) => FIXED