Disabling SSLv3 and SSLv2 for OpenShift Enterprise

Solution In Progress - Updated -

Environment

  • OpenShift Enterprise 2

Issue

  • Disabling SSLv3 and SSLv2 for OpenShift Enterprise
  • Resolving POODLE: SSLv3 vulnerability (CVE-2014-3566) for OpenShift Enterprise

Resolution

Disable SSLv3 by modifying the SSLProtocol directive wherever it appears in the httpd server configuration. Adding -SSLv3 to the directive is sufficient, e.g.:

SSLProtocol All -SSLv2 -SSLv3

For OpenShift Enterprise 2.1, the relevant configuration file locations are:

  1. On broker hosts, /etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf (provided by the openshift-origin-broker RPM)

  2. On node hosts, /etc/httpd/conf.d/000001_openshift_origin_node.conf (provided by the rubygem-openshift-origin-frontend-apache-mod-rewrite RPM) or /etc/httpd/conf.d/000001_openshift_origin_frontend_vhost.conf (provided by the rubygem-openshift-origin-frontend-apache-vhost RPM).

For earlier versions of OpenShift Enterprise, as well as current versions with a customized frontend vhost template, the SSLProtocol directive may be specified in the vhost template (/var/lib/openshift/.httpd.d/frontend-*-https-template.erb, provided by one of the packages listed in item 2 above). In this case, the individual vhost configurations under /var/lib/openshift/.httpd.d/ most likely also specify SSLProtocol and need updating. Search for them with:

grep -rIi SSLProtocol /var/lib/openshift/.httpd.d/

After updating all instances of this directive on a host, restart httpd for the changes to take effect.

service httpd restart
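As an added example (not from the Red Hat article), the following POSIX shell script audits httpd configuration files for SSLProtocol directives that still permit SSLv2 or SSLv3 and rewrites only those lines to the value recommended above, so a TLS-only directive is left alone. It assumes grep, sed, cut and tr are available; the file paths and the sample vhost fragment are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: audit httpd config files for
# SSLProtocol directives that still allow SSLv2 or SSLv3 and rewrite only
# those lines. Assumes POSIX sh, grep, sed, cut and tr; sample data is constructed.

# True (exit 0) when the argument list of a SSLProtocol directive leaves SSLv2
# or SSLv3 enabled. Tokens apply left to right as in mod_ssl: "All", "SSLv3"
# or "+SSLv3" enable, "-SSLv3" disables. Unprefixed tokens are treated as
# additive here, which errs on the side of flagging a directive.
sslprotocol_is_weak() {
    args=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for v in sslv2 sslv3; do
        on=0
        for tok in $args; do
            case "$tok" in
                all|+all|"$v"|"+$v") on=1 ;;
                "-$v")               on=0 ;;
            esac
        done
        [ "$on" -eq 1 ] && return 0
    done
    return 1
}

# Print "N:<line>" for every uncommented SSLProtocol directive in FILE that
# sslprotocol_is_weak flags; prints nothing for a clean file.
audit_sslprotocol() {
    grep -nIi '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
    while IFS= read -r hit; do
        args=$(printf '%s' "$hit" | cut -d: -f2- | tr '[:upper:]' '[:lower:]' |
               sed 's/^[[:space:]]*sslprotocol[[:space:]]*//')
        sslprotocol_is_weak "$args" && printf '%s\n' "$hit" || :   # keep status 0
    done
}

# Rewrite only the flagged lines of FILE to "SSLProtocol All -SSLv2 -SSLv3",
# keeping indentation; goes through a temp file so any sed implementation works.
fix_sslprotocol() {
    for n in $(audit_sslprotocol "$1" | cut -d: -f1); do
        sed "${n}s/^\([[:space:]]*\).*/\1SSLProtocol All -SSLv2 -SSLv3/" "$1" \
            > "$1.tmp" && mv "$1.tmp" "$1"
    done
}

# Demo on a constructed vhost fragment (not a real OpenShift config file).
demo=$(mktemp)
printf '<VirtualHost *:443>\n    SSLProtocol all -SSLv2\n    # SSLProtocol all\n</VirtualHost>\n' > "$demo"
echo "Weak directives before fix:"; audit_sslprotocol "$demo"
fix_sslprotocol "$demo"; echo "Weak directives after fix:"; audit_sslprotocol "$demo"
rm -f "$demo"
```

Run it against the files named in this article, or pipe the output of the grep command above through the audit, to confirm nothing still permits SSLv3 before restarting httpd.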

Note that users may experience problems using the rhc client after this change; these can easily be worked around.

Root Cause

SSLv3 is inherently less secure than its successor, Transport Layer Security (TLS). It is considered better security practice to disable every version of SSL and use only TLS.

A Note about POODLE (CVE-2014-3566)
A vulnerability was found in the SSLv3.0 protocol. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. For more information about this vulnerability, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

Diagnostic Steps

For diagnostic steps, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.