Resolution

Disable SSLv3 by modifying the SSLProtocol directive anywhere it is present in the httpd server configuration. It can be disabled simply by adding -SSLv3 to the SSLProtocol directive, e.g.:

SSLProtocol All -SSLv2 -SSLv3

For OpenShift Enterprise 2.1, the relevant configuration file locations are:

1. On broker hosts, /etc/httpd/conf.d/000002_openshift_origin_broker_proxy.conf (provided by the openshift-origin-broker RPM)

2. On node hosts, /etc/httpd/conf.d/000001_openshift_origin_node.conf (provided by the rubygem-openshift-origin-frontend-apache-mod-rewrite RPM) or /etc/httpd/conf.d/000001_openshift_origin_frontend_vhost.conf (provided by the rubygem-openshift-origin-frontend-apache-vhost RPM).

For earlier versions of OpenShift Enterprise, as well as current versions with a customized frontend vhost template, the SSLProtocol directive may be specified in the vhost template (/var/lib/openshift/.httpd.d/frontend-*-https-template.erb provided by one of the packages in #2). In this case, individual vhost configurations under /var/lib/openshift/.httpd.d/ likely also specify SSLProtocol and need updating. Search for them with:

grep -rIi SSLProtocol /var/lib/openshift/.httpd.d/

After updating all instances of this directive on a host, restart httpd for the changes to take effect.

service httpd restart

Note that users may experience problems with using the rhc client after this change, which can easily be worked around.