SSLv3 remains enabled on Ruby 1.8.7
During testing of Foreman 1.11 I noticed the changes made in #12572 did not effectively disable SSLv3 and caused disparate SSL/TLS protocols to be enabled with Ruby 1.8.7 (EL6) and later versions of Ruby (EL7 and other systems).
#4 Updated by Jason Smith over 5 years ago
After updating and testing Foreman 1.11, our custom PHP scripts that talk to the Foreman proxy through the REST API no longer work. I even tried applying the patch mentioned in this bug, but it still doesn't work. After some debugging and looking at the PHP documentation, the problem is that TLSv1 would still not be allowed in 1.11.1. According to some user comments in the PHP documentation:
Setting PHP to use TLSv1 or above will only work if you have curl 7.34 or newer. Note, RHEL6 comes with curl 7.19 and RHEL7 comes with curl 7.29. To maintain compatibility with still supported RHEL versions and allow custom 3rd party scripts written in PHP to connect to the foreman-proxy REST API, this line also needs to be removed from lib/launcher.rb:
ssl_options |= OpenSSL::SSL::OP_NO_TLSv1 if defined?(OpenSSL::SSL::OP_NO_TLSv1)
If you are uncomfortable allowing this, then a config setting that could specify the allowed SSL protocols, like Apache has, would be useful for those who require this level of compatibility.
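
One way the configurable protocol list suggested in the comment above could be built, as an added example that is not code from Foreman or from this thread. The setting values, the helper names `build_ssl_options` and `protocol_disabled?`, and the base value of 0 are assumptions; unlike a bare `defined?` guard, it reports any protocol it could not disable because the `OP_NO_*` constant is missing from the running Ruby/OpenSSL build.

```ruby
require 'openssl'

# Hypothetical setting values, each mapped to the OpenSSL option that
# switches the protocol off (constant names from Ruby's OpenSSL::SSL).
PROTOCOL_FLAGS = {
  'SSLv3'   => :OP_NO_SSLv3,
  'TLSv1'   => :OP_NO_TLSv1,
  'TLSv1.1' => :OP_NO_TLSv1_1,
  'TLSv1.2' => :OP_NO_TLSv1_2
}.freeze

# Build the options bitmask from a list of protocols to disable.
# Returns [options, unsupported]; unsupported lists protocols whose
# OP_NO_* constant is missing in this Ruby/OpenSSL build, which a
# `defined?` guard would otherwise skip without any notice.
def build_ssl_options(disabled, base = 0)
  unknown = disabled - PROTOCOL_FLAGS.keys
  raise ArgumentError, "unknown protocol: #{unknown.join(', ')}" unless unknown.empty?

  unsupported = []
  options = disabled.inject(base) do |acc, name|
    const = PROTOCOL_FLAGS[name]
    if OpenSSL::SSL.const_defined?(const)
      acc | OpenSSL::SSL.const_get(const)
    else
      unsupported << name
      acc
    end
  end
  [options, unsupported]
end

# True when the bitmask switches the named protocol off.
def protocol_disabled?(options, name)
  const = PROTOCOL_FLAGS.fetch(name)
  return false unless OpenSSL::SSL.const_defined?(const)
  flag = OpenSSL::SSL.const_get(const)
  flag != 0 && (options & flag) == flag
end

if __FILE__ == $PROGRAM_NAME
  # Constructed setting values: strict default vs. legacy-client compatibility.
  { 'strict' => %w[SSLv3 TLSv1], 'compat' => %w[SSLv3] }.each do |label, disabled|
    options, unsupported = build_ssl_options(disabled)
    warn "#{label}: cannot disable #{unsupported.join(', ')}" unless unsupported.empty?
    state = PROTOCOL_FLAGS.keys.map { |p| "#{p}=#{protocol_disabled?(options, p) ? 'off' : 'not disabled'}" }
    puts "#{label}: #{state.join(' ')}"
  end
end
```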