Recently new vulnerability ("poodle") has been discovered in SSLv3 protocol. "man in the middle" attack could be performed using protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 then exploit the "poodle" vulnerability.
In order to remove the threat from our servers we have to drop SSLv3 from negotiation list. Secured server should respond as follows:
$ echo | openssl s_client -connect 192.168.1.100:80 -ssl3 2>&1 | grep Secure
Secure Renegotiation IS NOT supported
$ echo | openssl s_client -connect 192.168.1.100:80 -tls1 2>&1 | grep Secure
Secure Renegotiation IS supported
We use openssl command to open HTTPS connection and check if requested protocol could be negotiated or not.
And the fix itself (for JBoss/Tomcat service): you have to locate Connector tag responsilble for HTTPS connection and:
- remove any SSL_* from ciphers attribute
- limit sslProtocols="TLSv1, TLSv1.1, TLSv1.2"
Example:
<Connector port="80" protocol="HTTP/1.1" SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
maxThreads="100" scheme="https" secure="true" minSpareThreads="25" maxSpareThreads="50"
keystoreFile="${jboss.server.home.dir}/conf/tm.keystore" keystorePass="MyKeyStore1"
clientAuth="false" sslProtocols="TLSv1, TLSv1.1, TLSv1.2" />
It will effectively block any SSLv3 connections as visible by "openssl s_client" test above.