FAQ
The following updates address POODLE on CentOS:

CentOS-5:
http://lists.centos.org/pipermail/centos-announce/2014-October/020696.html

CentOS-6.5:
http://lists.centos.org/pipermail/centos-announce/2014-October/020697.html

CentOS-7:
http://lists.centos.org/pipermail/centos-announce/2014-October/020695.html

Please note that the CentOS-6.5 updates are built from:

openssl-1.0.1e-30.el6_5.2.src.rpm

This is the version that Red Hat released for RHEL 6.6 as openssl-1.0.1e-30.el6_6.2.src.rpm. Notice that the dist tag is different for our release.

The reason is that we are currently working on CentOS-6.6 and it will not be released for several more days. Rather than wait on the POODLE issue, the CentOS team decided to build a version of this update for 6.5 (the current release, built from openssl-1.0.1e-30.el6_5.2.src.rpm) as well as a version based on openssl-1.0.1e-30.el6_6.2.src.rpm as a zero-day update for CentOS-6.6 when it is released.

You must also take action to disable SSLv3, as well as installing these updates, to mitigate POODLE on CentOS-5, CentOS-6 and/or CentOS-7; please see this link for details:

http://wiki.centos.org/Security/POODLE

Thanks,
Johnny Hughes





  • James B. Byrne at Oct 16, 2014 at 11:41 pm
    According to the CentOS wiki:


    Validating Changes


    You can use Qualys SSL Labs to verify that your web server is no longer
    vulnerable to POODLE or TLS_FALLBACK_SCSV once all action is complete. You
    might also want to only use TLSv1.2 for httpd on CentOS-6.5 (or higher) and
    CentOS-7, while using TLSv1 on CentOS-5.




    However, on my up-to-date stock CentOS-6.5 the httpd version is 2.2.15 and
    attempts to use SSLProtocols greater than v1 yield this error:




    Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
    SSLProtocol: Illegal protocol 'TLSv1.1'




    I presume that the wiki is in error but I would like confirmation of that or
    instructions on how to enable TLSv1.1 and 1.2 on CentOS-6.5.


    --
    *** E-Mail is NOT a SECURE channel ***
    James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
    Harte & Lyne Limited http://www.harte-lyne.ca
    9 Brockley Drive vox: +1 905 561 1241
    Hamilton, Ontario fax: +1 905 561 0757
    Canada L8E 3C3
  • Tharun Kumar Allu at Oct 17, 2014 at 4:32 am
    Modifying the Apache configuration to the following should take care of it.
    The SSLProtocol directive disables SSLv2 and SSLv3 and leaves the others on.


    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
    EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH
    EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

    --
    Tharun Kumar Allu
    ==============
  • Kahlil Hodgson at Oct 17, 2014 at 4:56 am
    The following nmap invocation may also be helpful with testing:


    nmap --script ssl-enum-ciphers -p 443 hostname


    Kahlil (Kal) Hodgson GPG: C9A02289
    Head of Technology (m) +61 (0) 4 2573 0382
    DealMax Pty Ltd


    Suite 1416
    401 Docklands Drive
    Docklands VIC 3008 Australia


    "All parts should go together without forcing. You must remember that
    the parts you are reassembling were disassembled by you. Therefore,
    if you can't get them together again, there must be a reason. By all
    means, do not use a hammer." -- IBM maintenance manual, 1925

  • Leon Fauster at Oct 17, 2014 at 9:04 am

    On 16.10.2014 at 23:11, Johnny Hughes <johnny@centos.org> wrote:
    Please note that the CentOS-6.5 updates are built from:

    openssl-1.0.1e-30.el6_5.2.src.rpm

    This is the version that Red Hat released for RHEL 6.6 as openssl-1.0.1e-30.el6_6.2.src.rpm.
    Notice that the dist tag is different for our release. The reason is that we are currently
    working on CentOS-6.6 and it will not be released for several more days. Rather than wait
    on the POODLE issue, the CentOS team decided to build a version of this update for 6.5:

    Thank you!


    --
    LF

Discussion Overview
group: centos
categories: centos
posted: Oct 16, '14 at 9:11p
active: Oct 17, '14 at 9:04a
posts: 5
users: 5
website: centos.org
irc: #centos