Bug 3572

Summary: HTTPS on bugzilla.rpmfusion.org is known to be vulnerable by POODLE attack: outdated SSL configuration
Product: Infrastructure
Component: Websites
Status: RESOLVED FIXED
Severity: major
Priority: P5
Version: NA
Hardware: All
OS: GNU/Linux
Reporter: Christian Stadelmann <fedora>
Assignee: Matthias Saou <matthias>
CC: kwizart, lxtnow, matthias

Description Christian Stadelmann 2015-03-25 11:30:21 CET
According to https://www.ssllabs.com/ssltest/analyze.html?d=bugzilla.rpmfusion.org the SSL setup on bugzilla.rpmfusion.org is quite outdated. The most urgent problem is that the POODLE attack is not prevented. Furthermore, SSL3 is still provided, but no TLS 1.1 or 1.2. Only weak DH ciphers are provided, but none of the TLS 1.2 ones (like ECDHE, AES-GCM, …).
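The SSL Labs finding quoted above boils down to one concrete test: does the server still complete an SSLv3 handshake with a CBC cipher suite? That is the combination the POODLE padding-oracle attack needs. Below is an added example, written for this page and not code from the bug report or from the RPM Fusion infrastructure, that performs that test by hand. It assembles the SSLv3 record and ClientHello itself, because modern OpenSSL builds are compiled without SSLv3 and `openssl s_client -ssl3` is often no longer available, and then classifies the server's first reply record. The cipher-suite list, the function names, the `make_server_hello` helper and the sample replies are all constructed here for the demonstration; `probe` needs a network peer, while the classification logic runs offline on the constructed bytes. It does not reproduce the report's other findings (missing TLS 1.1/1.2, weak DH parameters).

```python
import os
import socket
import struct

SSLV3 = (3, 0)
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}

# CBC suites every SSLv3 server of that era offered. POODLE needs CBC, so the
# RC4 stream suites (0x0004, 0x0005) are deliberately left out of the offer.
CBC_SUITES = [0x000A, 0x002F, 0x0035, 0x0033, 0x0039]


def build_client_hello(suites=CBC_SUITES, client_random=None):
    """One SSLv3 record holding a ClientHello; SSLv3 has no extensions."""
    rnd = os.urandom(32) if client_random is None else client_random
    if len(rnd) != 32:
        raise ValueError("client random must be 32 bytes")
    body = bytes(SSLV3) + rnd + b"\x00"               # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, *SSLV3]) + struct.pack("!H", len(hs)) + hs


def classify_reply(data):
    """Classify the first record the server sent back as (status, detail).

    'sslv3_cbc'   ServerHello at 3.0 choosing a CBC suite: POODLE-exposed
    'sslv3_other' ServerHello at 3.0 with a non-CBC suite
    'refused'     alert, or the connection was closed without any reply
    'unknown'     anything else, e.g. a ServerHello with another version
    """
    if not data:
        return "refused", "connection closed without reply"
    if len(data) < 5:
        return "unknown", "short record"
    ctype, _vmaj, _vmin, rlen = struct.unpack("!BBBH", data[:5])
    rec = data[5:5 + rlen]
    if ctype == ALERT:
        if len(rec) < 2:
            return "unknown", "truncated alert"
        return "refused", ALERT_NAMES.get(rec[1], "alert %d" % rec[1])
    if ctype != HANDSHAKE or len(rec) < 4 or rec[0] != SERVER_HELLO:
        return "unknown", "unexpected record type 0x%02x" % ctype
    # ServerHello body: version(2) random(32) sid_len(1) sid cipher_suite(2) compression(1)
    hello = rec[4:]
    if len(hello) < 35:
        return "unknown", "truncated ServerHello"
    version = (hello[0], hello[1])
    pos = 35 + hello[34]
    if len(hello) < pos + 3:
        return "unknown", "truncated ServerHello"
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    if version != SSLV3:
        return "unknown", "server version %d.%d" % version
    return ("sslv3_cbc" if suite in CBC_SUITES else "sslv3_other"), "0x%04x" % suite


def probe(host, port=443, timeout=5.0):
    """Live check: connect, send the SSLv3 ClientHello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return classify_reply(sock.recv(4096))


def make_server_hello(version, suite, session_id=b""):
    """Build a ServerHello record. Used only to construct sample replies for
    the offline demonstration below; these bytes are not captured traffic."""
    body = bytes(version) + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, *version]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))                     # e.g. python poodle_probe.py host
    else:
        # Constructed replies: a server still speaking SSLv3 with AES-CBC,
        # and one that rejects SSLv3 with a fatal handshake_failure alert.
        print(classify_reply(make_server_hello(SSLV3, 0x002F)))   # ('sslv3_cbc', '0x002f')
        print(classify_reply(bytes([ALERT, 3, 0, 0, 2, 2, 40])))  # ('refused', 'handshake_failure')
```

Two caveats for a live run: a server that has SSLv3 disabled may answer with a `protocol_version` or `handshake_failure` alert, or may simply close the connection, so an empty read is treated as a refusal rather than an error; and a result of `sslv3_other` (the server picked RC4) is still an SSLv3 server and still worth fixing, it just is not the CBC case POODLE exploits. The server-side remedy is to stop offering SSLv3 at all; the thread does not say what serves Bugzilla here, but on Apache httpd with mod_ssl that is `SSLProtocol all -SSLv2 -SSLv3`, after which this probe should report `refused`.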
Comment 1 Emmanuel Seyman 2015-03-25 11:37:38 CET
This isn't a Bugzilla bug per se but a bug regarding the SSL configuration of the server.
Comment 2 Christian Stadelmann 2015-09-10 17:57:07 CEST
Oh, and by the way, you can now get SSL certificates for free, e.g. from https://startssl.com/ , https://www.wosign.com/english/ and (soon to come) https://letsencrypt.org/ , so you can get your certificate signed.
Comment 3 Christian Stadelmann 2016-06-21 17:59:13 CEST
*bump* due to massive importance.
Comment 4 Nicolas Chauvet 2016-06-21 18:41:18 CEST
Yes, the plan is to move to letsencrypt with the new Bugzilla 4.4 on the new infra.
Comment 5 Christian Stadelmann 2016-09-13 18:24:48 CEST
Thank you very much!