Uploaded image for project: 'Modules'
  1. Modules
  2. MODULES-10391

puppetlabs-apache : ssl_protocol includes SSLv2 and SSLv3 on all platforms (regression?)

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: apache
    • Labels:
      None
    • Template:
      MODULES Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: 5.3.0
      Puppet Version: 5.5.17 (but affects all?)
      OS Name/Version: CentOS 7 (but affects all other than RHEL8?)

      The ssl_protocol default setting has been changed to permit all protocols, rather than excluding SSLv2 and SSLv3 as it did previously.

      Desired Behavior: Exclude SSLv2 and SSLv3 from permitted protocols

      Actual Behavior:

      FM-8721 changed the ssl_protocol default to ['all'] instead of ['all', '-SSLv2', '-SSLv3'].

      The fix for RedHat 8 should set this only for this platform (plus other suitable platforms), via the params class.  All other supported platforms should not have this changed to include SSLv2 and SSLv3.

      (Yes, this can be set explicitly, but the default was desirable on most platforms and this is a regression from what I can see)

       

        Many thanks!

        Attachments

          Activity

            People

            Assignee:
            sheena Sheena Tharakanparampil
            Reporter:
            legooolas David Gardner
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Zendesk Support