Project

General

Profile

Bug #14387

SSLv3 remains enabled on Ruby 1.8.7

Added by Brandon Weeks over 5 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
SSL
Target version:
Difficulty:
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

During testing of Foreman 1.11 I noticed the changes made in #12572 did not effectively disable SSLv3 and caused disparate SSL/TLS protocols to be enabled with Ruby 1.8.7 (EL6) and later version of Ruby (EL7 and other systems).


Related issues

Related to Smart Proxy - Bug #14719: Allow TLSv1 for compatibility with some clients.Rejected2016-04-19

Associated revisions

Revision 41293caa (diff)
Added by Brandon Weeks over 5 years ago

Fixes #14387 - correctly disable SSLv3 on Ruby 1.8.7

History

#1 Updated by The Foreman Bot over 5 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/401 added

#2 Updated by Brandon Weeks over 5 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#3 Updated by Dominic Cleal over 5 years ago

  • Legacy Backlogs Release (now unused) set to 141

#4 Updated by Jason Smith over 5 years ago

After updating and testing foreman 1.11, our custom php scripts that talk to the foreman proxy through the REST API no longer work. I even tried applying the patch mentioned in this bug, but it still doesn't work. After some debugging and looking at the php documentation, the problem is that TLSv1 would still not be allowed in 1.11.1. According to some user comments in the php documentation:

http://php.net/manual/en/function.curl-setopt.php#115993

Setting php to use TLSv1 or above will only work if you have curl 7.34 or newer. Note, RHEL6 comes with curl 7.19 and RHEL7 comes with curl 7.29. To maintain compatibility with still supported RHEL versions and allow custom 3rd party scripts written in php to connect to the foreman-proxy REST API, this line also needs to be removed from lib/launcher.rb:

ssl_options |= OpenSSL::SSL::OP_NO_TLSv1 if defined?(OpenSSL::SSL::OP_NO_TLSv1)

If you are uncomfortable allowing this, then a config setting that could specify the allowed ssl protocols, like apache has, would be useful for those who require this level of compatibility.

#5 Updated by Dominic Cleal over 5 years ago

This ticket's closed, so it's not a good place to try and get something fixed. You would be better off filing a new ticket or better, a pull request with your proposed change so it can be discussed with the maintainers.

#6 Updated by Jason Smith over 5 years ago

  • Related to Bug #14719: Allow TLSv1 for compatibility with some clients. added

Also available in: Atom PDF