On 10/15/14, 10:17 AM, Jan Lieskovsky wrote:
> Hello folks,
>
>   in relation to the recent SSLv3 CVE-2014-3566 / "POODLE" flaw:
> [1] http://fedoramagazine.org/what-you-need-to-know-about-the-sslv3-poodle-flaw-cve-2014-3566/
>
> I got wondering if there's anything SSG should do to react against it.
> Possibly to add / update system service rules checking that the system SSL
> version is higher than SSLv3? [1] suggests httpd would be
> one candidate, but I am sure there would be more of them. Should this be
> investigated further & particular rules updated?
>
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> P.S.: For those possibly wondering, the proposal is not to add a rule checking
>       that a particular package version is >= the updated version disabling
>       use of SSLv3 (IOW not to perform the CVE check itself), but rather to
>       check the configuration of possibly affected system services, whether they
>       aren't using SSLv3 via their configuration files (since setting the
>       default SSL version higher than SSLv3 is one thing, but actually
>       checking that that version isn't enabled again [by the administrator] is
>       another one).
We already reflect using TLS for SMTP:
http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/rhel6-guide-custom.html#postfix_server_mail_relay_require_tls_for_smtp_auth

And using TLS for LDAP:
http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/rhel6-guide-custom.html#ldap_client_start_tls
http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/rhel6-guide-custom.html#ldap_client_tls_cacertpath

And using TLS for SSL:
http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/rhel6-guide-custom.html#network_ssl

And then specifically call out using FIPS 140-2 certified ciphers, which means the system forces protocols of TLSv1.1 and TLSv1.0 and disables all other ciphers but the FIPS ones:
http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/rhel6-guide-custom.html#sshd_use_approved_ciphers

Big RHT has published some guidance for services such as Tomcat, Firefox/Chrome, and httpd here:
https://access.redhat.com/articles/1232123

Pulling in the guidance for Apache makes sense... something like

> Set the SSLProtocol directive as follows in /etc/httpd/conf.d/ssl.conf:
>
> Disable everything except TLSv1.x
>
> On RHEL 7 or RHEL 6.6 and later:
>
>     SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
-- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
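The kind of configuration check Jan proposes (and Shawn's httpd directive) as an added example; this is illustration written for this page, not SSG code or anything posted in the thread. It evaluates SSLProtocol directives the way mod_ssl does (tokens left to right, "+x" adds, "-x" removes, a bare token replaces the set built so far) and flags any directive, or a missing directive, that leaves SSLv3 on. It assumes "all" expands to SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 (which of those a given httpd/OpenSSL build really offers varies, so "all" is expanded generously to be sure "all -SSLv2" is flagged), and the two ssl.conf fragments it checks are constructed inline rather than taken from any real system:

```shell
#!/bin/sh
# Added example (not from the SSG project): evaluate httpd/mod_ssl SSLProtocol
# directives and report whether SSLv3 is still enabled. mod_ssl processes the
# arguments left to right: "+proto" adds, "-proto" removes, a bare token
# replaces everything set so far.
# Assumption: "all" = SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2. Real builds may offer
# fewer; expanding generously only makes the checker stricter about SSLv3.

ALL_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# Canonical spelling for one token; mod_ssl compares case-insensitively.
canon_proto() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        sslv2)   echo SSLv2 ;;
        sslv3)   echo SSLv3 ;;
        tlsv1)   echo TLSv1 ;;
        tlsv1.1) echo TLSv1.1 ;;
        tlsv1.2) echo TLSv1.2 ;;
        all)     echo all ;;
        *)       echo "" ;;      # unknown token: httpd itself would refuse to start
    esac
}

# effective_protocols "<SSLProtocol arguments>" -> enabled protocols, canonical order.
effective_protocols() {
    ep_set=""
    for ep_tok in $1; do
        ep_action=""
        case "$ep_tok" in
            +*) ep_action="+"; ep_tok=${ep_tok#+} ;;
            -*) ep_action="-"; ep_tok=${ep_tok#-} ;;
        esac
        ep_name=$(canon_proto "$ep_tok")
        [ -n "$ep_name" ] || continue
        if [ "$ep_name" = all ]; then ep_this="$ALL_PROTOCOLS"; else ep_this="$ep_name"; fi
        case "$ep_action" in
            +) ep_set="$ep_set $ep_this" ;;
            -) ep_new=""
               for ep_p in $ep_set; do
                   case " $ep_this " in *" $ep_p "*) ;; *) ep_new="$ep_new $ep_p" ;; esac
               done
               ep_set="$ep_new" ;;
            *) ep_set="$ep_this" ;;          # bare token overrides earlier ones
        esac
    done
    ep_out=""
    for ep_p in $ALL_PROTOCOLS; do           # de-duplicate and order canonically
        case " $ep_set " in *" $ep_p "*) ep_out="$ep_out $ep_p" ;; esac
    done
    printf '%s\n' "${ep_out# }"
}

# sslv3_disabled FILE -> exit 0 if FILE has at least one SSLProtocol directive
# and every one of them excludes SSLv3; exit 1 otherwise. A missing directive
# fails because mod_ssl's compiled-in default is "all".
sslv3_disabled() {
    sd_file=$1; sd_found=0; sd_bad=0
    while IFS= read -r sd_line || [ -n "$sd_line" ]; do
        set -- $sd_line                      # split on whitespace; $1 = directive name
        [ "$#" -ge 1 ] || continue
        case "$1" in '#'*) continue ;; esac
        [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = sslprotocol ] || continue
        sd_found=1
        shift
        sd_enabled=$(effective_protocols "$*")
        case " $sd_enabled " in
            *" SSLv3 "*) echo "FAIL: '$*' still enables SSLv3 (effective: $sd_enabled)"; sd_bad=1 ;;
            *)           echo "ok:   '$*' (effective: $sd_enabled)" ;;
        esac
    done < "$sd_file"
    if [ "$sd_found" -eq 0 ]; then
        echo "FAIL: no SSLProtocol directive in $sd_file (mod_ssl default 'all' enables SSLv3)"
        return 1
    fi
    [ "$sd_bad" -eq 0 ]
}

# Constructed sample fragments, not files taken from any real host.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# SSLv2 off, everything else (including SSLv3) still on
SSLProtocol all -SSLv2
EOF
cat > "$tmp/hardened.conf" <<'EOF'
# the thread's guidance: disable everything except TLSv1.x
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
EOF
for f in weak hardened; do
    if sslv3_disabled "$tmp/$f.conf"; then echo "$f.conf: PASS"; else echo "$f.conf: FAIL"; fi
done
rm -rf "$tmp"
```

Run it against a real /etc/httpd/conf.d/ssl.conf by calling sslv3_disabled on that path. It only reads the one file it is given, so directives in other included files or per-VirtualHost overrides still need to be checked separately.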
