giacomo
(Giacomo Sanchietti)
November 8, 2016, 8:49am
4
rolf:
SSL3 is not disabled (POODLE-attack, 2014!)
SSLv3 is disabled in httpd-admin instance, but not in httpd.
We use SSL configuration from upstream, you can freely change the /etc/httpd/conf.d/ssl.conf
configuration file.
rolf:
the certificate-chain is not complete
Probably you hit this bug (check for the workaround inside the issue itself):
GitHub issue, opened 12:51PM - 18 Oct 16 UTC, closed 01:15PM - 18 Oct 16 UTC; labels: bug, verified
When setting a Let's Encrypt (LE) certificate as server default, httpd and httpd-admin daemons do not use the chain file.
This can prevent a correct behavior in certain browsers.
_Steps to reproduce_
- Configure a server with all LE requirements
- Request a new LE certificate and set it as default
- Verify the certificate using an online tool (https://sslanalyzer.comodoca.com, https://www.sslshopper.com/ssl-checker.html)
_Workaround_
Manually set the chain file:
```
config setprop pki ChainFile /etc/letsencrypt/live/`hostname`/chain.pem
signal-event certificate-update
```
Reference: https://letsencrypt.org/certificates/
rolf:
two more vulnerabilities I don’t know…
Maybe it's related to not very secure cipher suites.
You can change it using:
```
config setprop httpd SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
signal-event nethserver-httpd-update
```
That said, we chose to stay compliant with upstream.
Do you think we should ship a more secure configuration of apache?
5 Likes
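The three points raised in this thread (SSLv3 still allowed in httpd, a missing chain file, and a permissive cipher list) can all be read straight out of an Apache `ssl.conf`. The following is an added example, not code from NethServer or from anyone in this thread: a small audit script that parses an Apache SSL virtual host fragment and reports those three weaknesses. The two config fragments it checks are constructed samples; the Let's Encrypt paths under `/etc/letsencrypt/live/example.org/` follow the layout quoted in the issue workaround but are not a real host. The script treats an absent `SSLProtocol` as `all` (the older mod_ssl default), which is an assumption stated in the code.

```python
import re

# Constructed sample modelled on a stock Apache ssl.conf (not the actual
# NethServer or upstream file). It still allows SSLv3, sets no chain file
# and uses a permissive cipher list.
WEAK_SSL_CONF = """
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    # 'all' includes SSLv3; only SSLv2 is subtracted here
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""

# Constructed hardened variant: SSLv3 removed, the cipher string suggested
# in the thread, and an explicit chain file (example.org is a placeholder).
HARDENED_SSL_CONF = """
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/letsencrypt/live/example.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.org/chain.pem
</VirtualHost>
"""

# Protocols that mod_ssl's 'all' keyword expands to in this audit.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Positive cipher-list tokens that admit weak or unauthenticated suites.
WEAK_CIPHER_TOKENS = {"LOW", "MEDIUM", "RC4", "DES", "3DES", "EXP", "EXPORT",
                      "NULL", "aNULL", "eNULL", "MD5"}


def parse_directives(conf):
    """Return {directive: value} for SSL* directives, ignoring '#' comments.
    The last occurrence wins, as it would inside a single virtual host."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(SSL\w+)\s+(.+)$", line)
        if m:
            directives[m.group(1)] = m.group(2).strip()
    return directives


def enabled_protocols(value):
    """Evaluate an SSLProtocol value with mod_ssl's '+'/'-' token rules."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= members
        else:
            enabled -= members
    return enabled


def weak_cipher_tokens(value):
    """List positive tokens of an OpenSSL cipher string that name weak families.
    Tokens prefixed with '!' or '-' are exclusions and are skipped."""
    found = []
    for spec in re.split(r"[:,]", value):
        if not spec or spec[0] in "!-":
            continue
        for part in spec.split("+"):
            if part in WEAK_CIPHER_TOKENS:
                found.append(part)
    return found


def audit(conf):
    """Return a list of findings for one ssl.conf fragment (empty = clean)."""
    d = parse_directives(conf)
    findings = []
    # Assumption: a missing SSLProtocol behaves like 'all' (older mod_ssl default).
    if "SSLv3" in enabled_protocols(d.get("SSLProtocol", "all")):
        findings.append("SSLv3 enabled (POODLE)")
    weak = weak_cipher_tokens(d.get("SSLCipherSuite", "DEFAULT"))
    if weak:
        findings.append("weak cipher tokens: " + ", ".join(weak))
    # A chain can also be appended to SSLCertificateFile on newer httpd,
    # so this is a hint to verify the chain externally, not a proof.
    if "SSLCertificateChainFile" not in d:
        findings.append("no SSLCertificateChainFile (intermediate may be missing)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SSL_CONF), ("hardened", HARDENED_SSL_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run it against a copy of `/etc/httpd/conf.d/ssl.conf` by reading the file into `audit()`; an empty result for the chain-file check does not replace an external check of the served chain, since newer httpd releases accept the intermediates inside `SSLCertificateFile`.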