On Tue, Oct 28, 2014 at 6:58 PM, Mikhail T. <mi+t...@aldan.algebra.com> wrote:
> Hello! > > After disabling SSLv3: > > SSLOptions ALL -SSLv3 > > we noticed, that curl itself and libcurl-using programs (such as git) > stopped working on some of the (older) systems -- such as RHEL5 -- when > invoked against the https-URLs pointing at the reconfigured servers. > > Invoking curl with the -1 option (a.k.a. --tlsv1) worked, but without the > option curl kept failing -- complaining about SSL protocol error. > Unfortunately, there is no way to propagate that option through git to the > underlying libcurl... > > On newer systems (RHEL6, FreeBSD9), things are fine, but we have a > substantial number of those old ones and need a solution... > > I was able to find this question: > > > http://serverfault.com/questions/637880/disabling-sslv3-but-still-supporting-sslv2hello-in-apache/ > > and a patch linked to from one of the answers: > > http://pastebin.com/Nvat7xTy > > I can confirm, that the patch "works" -- curl and git started working > after I restarted the rebuilt httpd. And running sslscan against the > patched server continues to list the "bad" SSLv3 as disabled. > > Could somebody, perhaps, begin reviewing it and/or comment even before it > is formally filed with Bugzilla? I searched there, but could not find > anything relevant... Thanks! Yours, > > -mi > > I was working with someone on a similar problem but they disappeared for now. I had come to a similar conclusion for another of their symptoms, but didn't know enough openssl to understand how it affected the v2open. They had a year-old httpd2.4 from EPEL / RH software collections but it's built against an old openssl, so it isn't aware of tls1.1 and tls1.2 and that same block of code ends up locking you into exactly TLSv1.0 once you remove sslv2 and sslv3. If you leave sslv2, it gets disabled below that block and none of the equality checks match. They didn't get to test that for me yet. Ironically my colleague was actually reporting the issue with the v2open/v2hello and they noticed the tls1.1/tls1.2 disappearing issue as trivia. But I was not even sure the v2open was really the culprit. There is an older/pre-poodle PR out there somewhere where the symptom seems to be the v2hello/v2open disappearing with -SSLv3. Kaspar, does the v2open require sslv2method? What do you think of the patch above? -- Eric Covener cove...@gmail.com
