Edit Feb 23, 2015: removed indication of TLSv1.1 or TLSv1.2 since Java 6 does not support them. More about it here.
Hello all,

The recently disclosed potential attack on SSLv3, dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption), shows how dangerous it is to have legacy, insecure versions of a protocol enabled. With this attack it is possible for an attacker with control over the network between client and server to force the communication between client and server to be done with SSLv3. This will then allow the attacker to make use of known vulnerabilities of the SSLv3 protocol to compromise the confidentiality of the communication, allowing him to obtain sensitive information like session cookies, passwords, credit card data.
Due to the strong requirement that the attacker has control over the network, we believe this vulnerability to be low risk, but with a high impact.
General recommendation for this vulnerability is to disable use of SSLv3 altogether whenever possible.
In this post we will show you how you can disable SSLv3 from OutSystems Platform servers and thus be protected from this vector of attack.
For Windows Server using IIS as the application server:
1. Open regedit.exe
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
3. Add a key named SSL 3.0
4. Under that key, add two keys named Client and Server
5. Under the Client key, add a DWORD Value with name DisabledByDefault and set its value to 1
6. Under the Server key, add a DWORD Value with name Enabled and ensure its value is set to 0
7. Repeat steps 3, 4, 6 for key SSL 2.0: ensure the DWORD Enabled is set to 0.
8. Restart the server
For detailed instructions with screenshots, please refer to this post.
For Linux systems running JBoss 5.X:
1. Edit the $JBOSS_HOME/server/outsystems/deploy/jbossweb.sar/server.xml file
2. Find the HTTPS connector element (the one on port 8443 with sslEnabled="true")
3. Change the value of the sslProtocol attribute from "TLS" to "TLSv1". Currently only TLSv1 can be used.
4. Edit the $JBOSS_HOME/bin/run.conf file
5. Add a new JAVA_OPTS line with JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1"
6. Restart jboss using service jboss-outsystems restart
For Linux systems running JBoss EAP 6.X or JBoss AS 7.1:
1. Edit the $JBOSS_HOME/standalone/configuration/standalone-outsystems.xml file
2. Find all HTTPS connectors (attribute secure="true" and sub element <ssl> present)
3. Add a protocol="TLSv1" attribute at the end
4. Edit the $JBOSS_HOME/bin/standalone-outsystems.conf file
5. Restart jboss with service jboss-outsystems restart
For additional information regarding this configuration in JBoss, please refer to this article.
For Linux systems running Weblogic:
1. Open the WebLogic administration console http://<server>:7001/console (replace <server> with your server URL)
2. Go to Environment > Servers > select your server
3. On the tab “Server Start”
4. Lock and Edit
5. Add -Dweblogic.security.SSL.protocolVersion=TLS1 -Dhttps.protocols=TLSv1 to the Arguments edit box
6. Save and Activate Changes
7. Restart your server using service weblogic-outsystems restart on the command line
For additional information regarding this configuration in Weblogic, please refer to this article.
Best regards,
Ricardo Silva
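
One way to check the two JBoss edits described in the post above, as an added example that is not part of the original post and not OutSystems code: it parses a connector file and reports, for each HTTPS connector, whether the protocol is pinned to TLSv1. It assumes the EAP 6.X / AS 7.1 protocol attribute is placed on the <ssl> sub-element; both sample files are constructed.

```python
import xml.etree.ElementTree as ET

ALLOWED = {"TLSv1"}  # the only value the post says can currently be used

# Constructed sample: JBoss 5.X server.xml before the change (sslProtocol="TLS").
JBOSS5_SAMPLE = """<Server><Service name="jboss.web">
  <Connector protocol="HTTP/1.1" port="8080"/>
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"
             scheme="https" secure="true" sslProtocol="TLS"/>
</Service></Server>"""

# Constructed sample: EAP 6.X standalone-outsystems.xml after the change.
EAP6_SAMPLE = """<server xmlns="urn:jboss:domain:1.4"><profile>
  <subsystem xmlns="urn:jboss:domain:web:1.4">
    <connector name="http" protocol="HTTP/1.1" scheme="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" secure="true">
      <ssl name="ssl" protocol="TLSv1"/>
    </connector>
  </subsystem></profile></server>"""

def local(tag):
    """Strip an XML namespace prefix: '{urn:x}connector' -> 'connector'."""
    return tag.rsplit("}", 1)[-1].lower()

def audit_connectors(xml_text):
    """Return [(connector label, configured protocol, ok)] per HTTPS connector."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "connector":
            continue
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        label = attrs.get("name") or "port " + attrs.get("port", "?")
        if attrs.get("sslenabled", "").lower() == "true":
            # JBoss 5.X style: protocol is the connector's sslProtocol attribute
            proto = attrs.get("sslprotocol")
        elif attrs.get("secure") == "true":
            # EAP 6.X / AS 7.1 style: HTTPS connectors carry an <ssl> child
            ssl = next((c for c in el if local(c.tag) == "ssl"), None)
            if ssl is None:
                continue
            proto = ssl.get("protocol")
        else:
            continue  # plain HTTP connector
        # A missing attribute (None) is reported as not pinned
        findings.append((label, proto, proto in ALLOWED))
    return findings

if __name__ == "__main__":
    for sample in (JBOSS5_SAMPLE, EAP6_SAMPLE):
        for label, proto, ok in audit_connectors(sample):
            print(f"{label}: protocol={proto!r} -> {'OK' if ok else 'NOT pinned to TLSv1'}")
```

To audit a real server, pass the contents of the server.xml or standalone-outsystems.xml file to audit_connectors instead of the samples.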
Ricardo Silva wrote:
Hello all

The recently disclosed potential attack on SSLv3, dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption) shows how dangerous it is to have legacy, insecure versions of a protocol enabled.

With this attack it is possible for an attacker with control over the network between client and server to force the communication between client and server to be done with SSLv3. This will then allow the attacker to make use of known vulnerabilities of the SSLv3 protocol to compromise the confidentiality of the communication allowing him to obtain sensitive information like session cookies, passwords, credit card data.
Do you have anything on support for TLS 1.1 and above?