Bug 13656 - SSL support needs to be improved
Summary: SSL support needs to be improved
Status: RESOLVED FIXED
Alias: None
Product: Websites
Classification: Unclassified
Component: All (show other bugs)
Version: trunk
Hardware: All Linux
Priority: Normal enhancement
Target Milestone: ---
Assignee: Sysadmin Team
QA Contact: Atelier Team
URL:
Whiteboard:
Keywords:
: 16013 (view as bug list)
Depends on:
Blocks:
 
Reported: 2014-07-02 19:39 CEST by Olivier Delaune
Modified: 2016-05-30 10:50 CEST (History)
4 users (show)

See Also:
Source RPM:
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Olivier Delaune 2014-07-02 19:39:22 CEST 
I tested mageia.org on ssllabs.com. I got the following result
https://www.ssllabs.com/ssltest/analyze.html?d=mageia.org&s=217.70.188.116

In summary, it says
* This server does not mitigate the CRIME attack. Grade capped to B.
* Experimental: This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224), but probably not exploitable.
* The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
* The server does not support Forward Secrecy with the reference browsers.  MORE INFO »
* This server is not vulnerable to the Heartbleed attack.

Could you update the server to take into account thiese remarks?

Reproducible: 

Steps to Reproduce:
Olivier Delaune 2014-07-02 19:39:32 CEST

Summary: SSL support needs to be improvec => SSL support needs to be improved

Manuel Hiebel 2014-07-02 20:37:43 CEST

Assignee: atelier-bugs => sysadmin-bugs
QA Contact: (none) => atelier-bugs

Comment 1 Olivier Delaune 2014-10-23 09:30:22 CEST 
A new test gives now

* This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. MORE INFO »
* This server does not mitigate the CRIME attack. Grade capped to B.
* Certificate uses SHA1 and expires after 2016. Upgrade to SHA256 as soon as possible to avoid browser warnings.  MORE INFO »
* The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
* The server does not support Forward Secrecy with the reference browsers.  MORE INFO » 

In these conditions, I think it is really dangerous to keep the https version of mageia.org: users think their communication with mageia.org are protected which is not really the case...
Comment 2 Florian Hubold 2014-11-27 14:17:29 CET 
Ping?

CC: (none) => doktor5000

Comment 3 Olivier Delaune 2015-02-04 22:58:32 CET 
Few months after, it gives
* This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.   MORE INFO »
Certificate has a weak signature and expires after 2016. Upgrade to SHA2 to avoid browser warnings.  MORE INFO »
* This server accepts the RC4 cipher, which is weak. Grade capped to B.  MORE INFO »
* The server does not support Forward Secrecy with the reference browsers.  MORE INFO »
* This site works only in browsers with SNI support.
* This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

Briefly, it is a bit better, but there is still this POODLE attack vulnerability...
Comment 4 Filip Komar 2015-05-22 13:36:24 CEST 
*** Bug 16013 has been marked as a duplicate of this bug. ***

CC: (none) => bjarne.thomsen

Comment 5 Philippe Makowski 2015-09-19 18:43:05 CEST 
For apache, using these settings would help :

        SSLVerifyClient none
        SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
        SSLHonorCipherOrder on
        SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM 

and also :
Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"

CC: (none) => makowski.mageia

Comment 6 Filip Komar 2016-05-30 10:50:37 CEST 
According to ssllabs site Overall Rating is now declared as A.

Status: NEW => RESOLVED
CC: (none) => filip.komar
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.