Hi,
I’ve installed NS7RC1. The webserver is secured with a let’s encrypt certificate.
When I check my webserver at https://www.ssllabs.com/ssltest/analyze.html I learn that:
I haven’t changed anything to the apache, so I recon this is vulnerable ‘out-of-the-box’.
Can someone confirm these issues? Are they to be marked as bug?
NS7RC1
strange cause the right Configuration is in the SSL Template written
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
I can’t check right now, but I’m sure the resulting config-file had “SSLProtocol All -SSLv2”, without -SSLv3 in it. (yesterday added SSLv3 manually).
Maybe the installation of a let’s encrypt certificate messes the template up?
(Can you reproduce the SSL-check on the website I mentioned?)
Tomorrow I can build a VM to reproduce myself.
SSLv3 is disabled in httpd-admin instance, but not in httpd.
We use SSL configuration from upstream, you can freely change the /etc/httpd/conf.d/ssl.conf configuration file.
Probably you hit this bug (check for the workaround inside the issue itself):
Maybe it’s related to not very secure cipher suits.
You can change it using:
config setprop httpd SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
signal-event nethserver-httpd-update
Said this, we choose to stay compliant with upstream.
Do you think we should ship a more secure configuration of apache?
thx for your answer, I’ll try solutions tonight / tomorrow.
Then I’ll comment on your last remark / question.
What I’ve done:
Rechecked, and my grade was upped from C to B 
What’s left:
I’m not able to interpret that score, maybe others are?
As for your question: let me ask another question: Why shouldn’t NS be shipped with a more secure apache-configuration…? SSLv3 is more then a year considered obsolete AFAIK. Why disable it on an internal website, and not on an internetfacing one? 
httpd-admin on port 980/https is publicly available from the internet.
The main httpd instance on port 443/https has the upstream default. It is not secured with the state-of-the-art settings, I think because the default config file does not change during the release life cycle. The CentOS sysadmin knows it and fixes httpd configuration properly.
In NethServer our sysadmin is the template system. I think in this specific case the follow upstream default rule does not fit properly. Let’s fix the default value from our templates!
Legacy clients? Backward compatibility?
ns7 is a new major release. I think they are not so important.
Before doing this, I’d wait to see the ssl.conf shipped with RHEL 7.3. For the ns7 rc2 release I’d go with the following adjustments:
nethserver-httpd TCP port 443
Set the prop httpd/SSLCipherSuite to the upstream default, like ssl.conf. The current value comes from ns6, issue #3246. The effect is we have distinct configurations on nethserver-virtualhosts sites and on the default virtual host defined by ssl.conf. This is misleading.
nethserver-httpd-admin TCP port 980
Here we can assume the admin has a modern browser, and performance is not the main goal. Set a strong configuration (@giacomo already tested this from https://cipherli.st/) in the template 30ssl.
Just updated httpd from CentOS-CR repo:
---> Package mod_ssl.x86_64 1:2.4.6-40.el7.centos.4 will be updated
---> Package mod_ssl.x86_64 1:2.4.6-45.el7.centos will be an update
The ssl.conf was unchanged!