Dariusz on Software

Methods and Tools

About This Site

Software development stuff

Archive

Entries from October 2014.

Mon, 20 Oct 2014 21:26:38 +0000

430Recently new vulnerability ("poodle") has been discovered in SSLv3 protocol. "man in the middle" attack could be performed using protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 then exploit the "poodle" vulnerability.

In order to remove the threat from our servers we have to drop SSLv3 from negotiation list. Secured server should respond as follows: $ echo | openssl s_client -connect 192.168.1.100:80 -ssl3 2>&1 | grep Secure Secure Renegotiation IS NOT supported $ echo | openssl s_client -connect 192.168.1.100:80 -tls1 2>&1 | grep Secure Secure Renegotiation IS supported We use openssl command to open HTTPS connection and check if requested protocol could be negotiated or not.

And the fix itself (for JBoss/Tomcat service): you have to locate Connector tag responsilble for HTTPS connection and:

  • remove any SSL_* from ciphers attribute
  • limit sslProtocols="TLSv1, TLSv1.1, TLSv1.2"

Example: <Connector port="80" protocol="HTTP/1.1" SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" maxThreads="100" scheme="https" secure="true" minSpareThreads="25" maxSpareThreads="50" keystoreFile="${jboss.server.home.dir}/conf/tm.keystore" keystorePass="MyKeyStore1" clientAuth="false" sslProtocols="TLSv1, TLSv1.1, TLSv1.2" /> It will effectively block any SSLv3 connections as visible by "openssl s_client" test above.

Tags: java, security, ssl.

Tags

Created by Chronicle v3.5