Disabling SSLv3 and SSLv2 for OpenShift Enterprise
Environment
- OpenShift Enterprise 2
Issue
- Disabling SSLv3 and SSLv2 for OpenShift Enterprise
- Resolving POODLE: SSLv3 vulnerability (CVE-2014-3566) for OpenShift Enterprise
Resolution
Disable SSLv3 by modifying the SSLProtocol directive anywhere it is present in the httpd server configuration. It can be disabled simply by adding -SSLv3 to the SSLProtocol directive, e.g.:
SSLProtocol All -SSLv2 -SSLv3
For OpenShift Enterprise 2.1, the relevant configuration file locations are:
- On broker hosts, /etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf (provided by the openshift-origin-broker RPM)
- On node hosts, /etc/httpd/conf.d/000001_openshift_origin_node.conf (provided by the rubygem-openshift-origin-frontend-apache-mod-rewrite RPM) or /etc/httpd/conf.d/000001_openshift_origin_frontend_vhost.conf (provided by the rubygem-openshift-origin-frontend-apache-vhost RPM)
For earlier versions of OpenShift Enterprise, as well as current versions with a customized frontend vhost template, the SSLProtocol directive may be specified in the vhost template (/var/lib/openshift/.httpd.d/frontend-*-https-template.erb, provided by one of the node-host frontend packages listed above). In this case, the individual vhost configurations generated under /var/lib/openshift/.httpd.d/ most likely also specify SSLProtocol and need updating as well. Search for them with:
grep -rIi SSLProtocol /var/lib/openshift/.httpd.d/
After updating all instances of this directive on a host, restart httpd for the changes to take effect.
service httpd restart
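The following POSIX shell audit is an added example and is not part of this article or of the OpenShift packages. It interprets each active SSLProtocol directive the way httpd does (All enables every protocol, +proto or a bare proto enables one, -proto removes it) and reports any directive that still permits SSLv2 or SSLv3, which is more reliable than eyeballing the grep output above. The sample configuration files it audits are constructed inline for illustration; they are not real OpenShift files.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): audit SSLProtocol directives
# in httpd configuration files and flag any that still allow SSLv2 or SSLv3.
# Directive names and protocol tokens are case-insensitive in httpd, so
# everything is compared in lower case.

# protocol_allowed VALUE PROTO
#   VALUE: lower-cased argument list of an SSLProtocol directive
#   PROTO: sslv2 or sslv3
# Returns 0 if VALUE enables PROTO, 1 if it does not.
protocol_allowed() {
    value=$1
    proto=$2
    # An explicit "-proto" removes the protocol regardless of "all" or position.
    for tok in $value; do
        if [ "$tok" = "-$proto" ]; then return 1; fi
    done
    # Otherwise "all", a bare "proto" or "+proto" enables it.
    for tok in $value; do
        if [ "$tok" = all ] || [ "$tok" = "$proto" ] || [ "$tok" = "+$proto" ]; then
            return 0
        fi
    done
    return 1
}

# audit_file FILE
# Prints every active (uncommented) SSLProtocol directive in FILE that still
# allows SSLv2 or SSLv3. Returns 0 if none does, 1 otherwise.
audit_file() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # lower-case, strip leading whitespace, collapse runs of whitespace
        norm=$(printf '%s' "$line" | tr 'A-Z' 'a-z' \
               | sed 's/^[[:space:]]*//; s/[[:space:]]\{1,\}/ /g')
        case "$norm" in
            "sslprotocol "*) value=${norm#"sslprotocol "} ;;
            *) continue ;;   # not an SSLProtocol directive (or commented out)
        esac
        for proto in sslv2 sslv3; do
            if protocol_allowed "$value" "$proto"; then
                printf '%s:%d: still allows %s: %s\n' "$file" "$n" "$proto" "$line"
                bad=1
            fi
        done
    done < "$file"
    return $bad
}

# audit_dir DIR
# Audits every regular file below DIR (paths are assumed to contain no
# whitespace, which holds for the httpd and .httpd.d locations above).
audit_dir() {
    status=0
    for f in $(find "$1" -type f); do
        audit_file "$f" || status=1
    done
    return $status
}

# Constructed sample configuration files (illustrative only).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fixed.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
EOF
cat > "$SAMPLE_DIR/unfixed.conf" <<'EOF'
# SSLProtocol -all +TLSv1     (commented out, so the audit ignores it)
SSLProtocol all -SSLv2
EOF
cat > "$SAMPLE_DIR/tls-only.conf" <<'EOF'
    SSLProtocol TLSv1 TLSv1.1 TLSv1.2
EOF

if audit_dir "$SAMPLE_DIR"; then
    echo "No active SSLProtocol directive allows SSLv2 or SSLv3."
else
    echo "Directives listed above still allow SSLv2/SSLv3; fix them, then: service httpd restart"
fi
```

Run it against /etc/httpd/conf.d and /var/lib/openshift/.httpd.d on each broker and node host (audit_dir takes the directory as its argument) before restarting httpd; an empty report means every directive has been updated.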
Root Cause
SSLv3 is inherently less secure than its successor, Transport Layer Security (TLS). It is considered a better security practice to disable every version of SSL and accept only TLS.
A Note about POODLE (CVE-2014-3566)
A vulnerability was found in the SSLv3.0 protocol. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. For more information about this vulnerability, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
Diagnostic Steps
For diagnostic steps, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.