Posted to user@ofbiz.apache.org by HRC Boston <hr...@gmail.com> on 2014/11/02 21:12:22 UTC
Ofbiz 09-04 piddle bleed fix
Hi there--
I am in the process of trying to disable sslv3 on our version of
ofbiz 09-04, which uses tomcat 5.5.
This is to eliminate the security vulnerability from poodle bleed.
http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed
We have tried updating the ofbiz-containers.xml file like below, but it
did not disable sslv3. Poodle is still there.
I have also seen fixes that update server.xml with something similar.
<property name="sslProtocol" value="TLS"/>
<property name="sslEnabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>
Has anyone else had luck fixing the poodle issue on Apache ofbiz version
09-04?
Thanks!
The poodle bleed fixer :)
Re: Ofbiz 09-04 piddle bleed fix
Posted by HRC Boston <hr...@gmail.com>.
Hi Jacques--
Thank you for your help!
We are in a bit of a pickle with the poodle bleed because we will lose our
trustwave certification if we don't disable sslv3 very soon… so I hope you
don't mind me contacting you.
I need to make a correction: we are using tomcat6 and java6 with ofbiz
09-04…
When I compile with java7, our build fails so we don't have time to upgrade
our server or java most likely…
Per these apache tickets:
https://issues.apache.org/jira/browse/HADOOP-11243?jql=text%20~%20%22sslv3%22
https://issues.apache.org/jira/browse/HDFS-7274?jql=text%20~%20%22sslv3%22
So far I have edited all server.xml files to include:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1"
keystoreFile="${ofbizHome}/framework/base/config/ofbizssl.jks"
keystorePass="changeit"/>
All ofbiz-container.xml,test-container.xml files to include:
<property name="sslProtocol" value="TLS"/>
<property name="sslEnabledProtocols" value="TLSv1"/>
<property name="ciphers" value="TLS_RSA_WITH_AES_128_CBC_SHA"/>
And I have edited the SSLUtil.java file like below:
+ private final static String[] enabledProtocols = {"TLSv1"};
private static boolean loadedProps = false;
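Review bot: the new `enabledProtocols` constant hardcodes `{"TLSv1"}` into the build, while the class already reads its other settings from jsse.properties (see the `loadJsseProperties` hunk). Consider sourcing the protocol list from a property with `TLSv1` as the default, so TLSv1.1/TLSv1.2 can be enabled on a newer JRE without another rebuild.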
@@ -148,8 +149,9 @@
KeyManager[] km = SSLUtil.getKeyManagers(ks, password, alias);
TrustManager[] tm = SSLUtil.getTrustManagers();
- SSLContext context = SSLContext.getInstance("SSL");
+ SSLContext context = SSLContext.getInstance("TLS");
context.init(km, tm, new SecureRandom());
+ context.getDefaultSSLParameters().setProtocols(enabledProtocols);
return context.getSocketFactory();
}
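Review bot: the added `context.getDefaultSSLParameters().setProtocols(enabledProtocols)` has no effect, which is consistent with the SSLv3 handshake still succeeding in the `openssl s_client -ssl3` output below. `SSLContext.getDefaultSSLParameters()` returns a fresh copy of the parameters on every call, so the protocol list is written to a throwaway object and the factory returned by `context.getSocketFactory()` on the next line keeps the context defaults (SSLv3 included on Java 6). The restriction has to be applied to each socket the factory produces, e.g. `((SSLSocket) sock).setEnabledProtocols(enabledProtocols)`, usually by wrapping the factory; the same line recurs in the next three hunks.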
@@ -162,8 +164,9 @@
tm = SSLUtil.getTrustManagers();
}
- SSLContext context = SSLContext.getInstance("SSL");
+ SSLContext context = SSLContext.getInstance("TLS");
context.init(km, tm, new SecureRandom());
+ context.getDefaultSSLParameters().setProtocols(enabledProtocols);
return context.getSocketFactory();
}
@@ -179,8 +182,9 @@
TrustManager[] tm = SSLUtil.getTrustManagers();
KeyManager[] km = SSLUtil.getKeyManagers(ks, password, alias);
- SSLContext context = SSLContext.getInstance("SSL");
+ SSLContext context = SSLContext.getInstance("TLS");
context.init(km, tm, new SecureRandom());
+ context.getDefaultSSLParameters().setProtocols(enabledProtocols);
return context.getServerSocketFactory();
}
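Review bot: this server-side hunk is the one the `openssl s_client -ssl3` test below exercises, and the `Protocol : SSLv3` result is what this code produces: `getDefaultSSLParameters()` hands back a copy, so `setProtocols` on it never reaches the `SSLServerSocketFactory` returned on the next line. Apply the restriction where the listener is created instead, `((SSLServerSocket) factory.createServerSocket(port)).setEnabledProtocols(enabledProtocols)`, or return a wrapping factory that does this in every `createServerSocket` overload.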
@@ -188,8 +192,9 @@
TrustManager[] tm = SSLUtil.getTrustManagers();
KeyManager[] km = SSLUtil.getKeyManagers(alias);
- SSLContext context = SSLContext.getInstance("SSL");
+ SSLContext context = SSLContext.getInstance("TLS");
context.init(km, tm, new SecureRandom());
+ context.getDefaultSSLParameters().setProtocols(enabledProtocols);
return context.getServerSocketFactory();
}
@@ -241,10 +246,16 @@
public static synchronized void loadJsseProperties(boolean debug) {
if (!loadedProps) {
- String protocol =
UtilProperties.getPropertyValue("jsse.properties",
"java.protocol.handler.pkgs", "NONE");
+ //https.protocols
+ System.setProperty("https.protocols","TLSv1");
+
+ String httpsProtocols =
UtilProperties.getPropertyValue("jsse.properties", "https.protocols",
"NONE");
+ Debug.logWarning("httpsPrototocols\n\n\n\n"+httpsProtocols,
module);
+ String protocol =
UtilProperties.getPropertyValue("jsse.properties",
"java.protocol.handler.pkgs", "NONE");
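Review bot: `System.setProperty("https.protocols", "TLSv1")` only governs the client side of `HttpsURLConnection` handshakes, not the server sockets that `openssl s_client` is talking to, so it cannot remove SSLv3 from the listener; note also that the `https.protocols` value read from jsse.properties into `httpsProtocols` is only logged and never applied, so the hardcoded `"TLSv1"` is what takes effect. The `Debug.logWarning("httpsPrototocols\n\n\n\n" + httpsProtocols, module)` line is debugging leftover (misspelt label, four blank lines) and should not land in the patch.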
When I run this command after rebooting SSLV3 is still there:
openssl s_client -connect localhost:portnumberhere -ssl3
SSL handshake has read 2252 bytes and written 306 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES128-SHA
Session-ID:
54581E11E7D76F831163F623929471D93BF7C9504864A7371F37D9E5800A85CE
Session-ID-ctx:
Master-Key:
9E558673AC149A603F16DCEA8AB637CF2DB5EDD9582A7191AD519574906D569E2EBCCB5DF1D96957DD7115F134511EBB
Key-Arg : None
Start Time: 1415061009
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
ANY OTHER IDEAS ON HOW TO DISABLE SSLV3??
--
View this message in context: http://ofbiz.135035.n4.nabble.com/Re-Ofbiz-09-04-piddle-bleed-fix-tp4657772p4657820.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
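The `getDefaultSSLParameters().setProtocols(...)` calls in the patch above operate on a copy, so the sockets keep their default protocol list. As an added example (not OFBiz code and not from the poster), here is one way to pin the protocols on the server side: a wrapper around the `SSLServerSocketFactory` that `SSLUtil` returns, which calls `setEnabledProtocols` on every socket it creates and drops names the running JRE does not support (a Java 6 JRE has no TLSv1.1/TLSv1.2). The class name, `intersect` and `restrict` are my own; the `main` stands in for the real key/trust managers.

```java
import java.io.IOException;
import java.net.*;
import java.util.*;
import javax.net.ssl.*;

// Added example: wraps the factory SSLUtil returns so every server socket it hands out
// has only the listed protocols enabled. SSLv3 is excluded simply by not being listed.
public class TlsOnlyServerSocketFactory extends SSLServerSocketFactory {
    private final SSLServerSocketFactory delegate;
    private final String[] wanted;

    public TlsOnlyServerSocketFactory(SSLServerSocketFactory delegate, String... wanted) {
        this.delegate = delegate;
        this.wanted = wanted.clone();
    }

    // Keep only the wanted names this JRE supports: setEnabledProtocols() throws on unknown
    // names (Java 6 lacks TLSv1.1/TLSv1.2), and never fall back to the insecure defaults.
    static String[] intersect(String[] supported, String[] wanted) {
        List<String> keep = new ArrayList<String>(Arrays.asList(wanted));
        keep.retainAll(Arrays.asList(supported));
        if (keep.isEmpty()) {
            throw new IllegalStateException("none of " + Arrays.toString(wanted) + " supported here");
        }
        return keep.toArray(new String[keep.size()]);
    }

    private ServerSocket restrict(ServerSocket s) {
        SSLServerSocket ssl = (SSLServerSocket) s;
        ssl.setEnabledProtocols(intersect(ssl.getSupportedProtocols(), wanted));
        return ssl;
    }

    @Override public ServerSocket createServerSocket() throws IOException { return restrict(delegate.createServerSocket()); }
    @Override public ServerSocket createServerSocket(int port) throws IOException { return restrict(delegate.createServerSocket(port)); }
    @Override public ServerSocket createServerSocket(int port, int backlog) throws IOException { return restrict(delegate.createServerSocket(port, backlog)); }
    @Override public ServerSocket createServerSocket(int port, int backlog, InetAddress addr) throws IOException { return restrict(delegate.createServerSocket(port, backlog, addr)); }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    public static void main(String[] args) throws Exception {
        // Stand-in for SSLUtil: the real code passes its km/tm arrays to init(); defaults used here.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null);
        SSLServerSocketFactory factory = new TlsOnlyServerSocketFactory(context.getServerSocketFactory(), "TLSv1", "TLSv1.1", "TLSv1.2");
        SSLServerSocket listener = (SSLServerSocket) factory.createServerSocket(0);
        System.out.println("enabled: " + Arrays.toString(listener.getEnabledProtocols()));  // SSLv3 absent
        listener.close();
    }
}
```

Returning this wrapper from the `getServerSocketFactory()` paths in the patch, and a matching `SSLSocketFactory` wrapper from the client paths, is what makes the `openssl s_client -ssl3` probe fail with a version error instead of completing.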
Re: Ofbiz 09-04 piddle bleed fix
Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks Poodle fixer :)
The vulnerability is now fixed in OFBiz trunk and branches releases also https://issues.apache.org/jira/browse/OFBIZ-5848
Tested using nmap from Windows https://www.vanstechelman.eu/content/scan-for-poodle-using-nmap-from-a-windows-machine
Jacques
On 04/11/2014 19:05, HRC Boston wrote:
> we had success with this when developing locally:
> <property name="sslProtocol" value="TLSv1"/>
> <property name="protocols" value="TLSv1"/>
>
> the reason is that it is undocumented to use protocols instead of
> sslEnabledProtocols
>
> see https://blogs.atlassian.com/2014/10/ssl-poodle/
> http://tomcat.10.x6.nabble.com/How-to-allow-only-TLS-1-1-connections-to-Tomcat-6-0-server-with-https
>
> we get this when trying to connect with ssl3 locally
>
> openssl s_client -connect localhost:portnumberhere -ssl3
> CONNECTED(00000003)
> 6990:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/s3_pkt.c:290:
Re: Ofbiz 09-04 piddle bleed fix
Posted by HRC Boston <hr...@gmail.com>.
we had success with this when developing locally:
<property name="sslProtocol" value="TLSv1"/>
<property name="protocols" value="TLSv1"/>
the reason is that it is undocumented to use protocols instead of
sslEnabledProtocols
see https://blogs.atlassian.com/2014/10/ssl-poodle/
http://tomcat.10.x6.nabble.com/How-to-allow-only-TLS-1-1-connections-to-Tomcat-6-0-server-with-https
we get this when trying to connect with ssl3 locally
openssl s_client -connect localhost:portnumberhere -ssl3
CONNECTED(00000003)
6990:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/s3_pkt.c:290:
Re: Ofbiz 09-04 piddle bleed fix
Posted by HRC Boston <hr...@gmail.com>.
right now we think we might have more luck with a java fix to SSLUTIL... in
the org framework folder
something very much like this...
https://issues.apache.org/jira/browse/HADOOP-11243?jql=text%20~%20%22sslv3%22
Re: Ofbiz 09-04 piddle bleed fix
Posted by HRC Boston <hr...@gmail.com>.
I have started following these jira tickets here:
https://issues.apache.org/jira/browse/HADOOP-11243?jql=text%20~%20%22sslv3%22
we just tried this fix... no luck.
because our servers don't support 1.1 or 1.2
<property name="sslProtocol" value="TLS"/>
<property name="sslEnabledProtocols" value="TLSv1"/>
had anyone had luck fixing this in 09-04?
Re: Ofbiz 09-04 piddle bleed fix
Posted by Ravi HRC Boston <hr...@gmail.com>.
Hi Jacques--
Thanks for your reply.
We are using java 1.6. I am a developer working with our ops team to fix
poodle.
We are hoping for a simple fix for this issue as upgrading the software
involves more testing than we are able to cover right now.
A lot of the fixes we have seen suggest that tomcat server.xml file is the
place to fix poodle. We tried the ofbiz-containers.xml file as noted because
that is where our https connector is set up… but no luck there… maybe we
need to add a cipher to server.xml? as in the example at the bottom of this
page:
http://blog.ricardoamaro.com/content/poodle-sslv3-vulnerability-fix
Your help is very appreciated.
Has anybody had any luck with this fix?
Update /etc/tomcat7/server.xml file with "sslProtocol" line to:
sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
sslEnabledProtocols="TLSv1"
From what I can tell, our server actually doesn't support tlsv1.2 or
tlsv1.1… only tls1. Perhaps we should try a version with only tlsv1 enabled.
Re: Ofbiz 09-04 piddle bleed fix
Posted by Jacques Le Roux <ja...@les7arts.com>.
On 02/11/2014 21:12, HRC Boston wrote:
> Hi there--
>
> I am in the process of trying to disable sslv3 on our version of
> ofbiz 09-04, which uses tomcat 5.5.
>
> This is to eliminate the security vulnerability from poodle bleed.
> http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed
>
> We have tried updating the ofbiz-containers.xml file like below, but it
> did not disable sslv3. Poodle is still there.
>
> I have also seen fixes that update server.xml with something similar.
>
> <property name="sslProtocol" value="TLS"/>
> <property name="sslEnabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>
>
> Has anyone else had luck fixing the poodle issue on Apache ofbiz version
> 09-04?
Did you try to update the embedded Tomcat version? Maybe you need to use Java 7 also...
http://serverfault.com/questions/637649/how-do-i-disable-sslv3-support-in-apache-tomcat
Jacques
>
> Thanks!
>
> The poodle bleed fixer :)
>