How to disable SSLv3 on OutSystems Servers


Edit Feb 23, 2015: removed indication of TLSv1.1 or TLSv1.2 since Java 6 does not support them. More about it here.



Hello all

The recently disclosed potential attack on SSLv3, dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption) shows how dangerous it is to have legacy, insecure versions of a protocol enabled.

With this attack it is possible for an attacker with control over the network between client and server to force the communication between client and server to be done with SSLv3. This will then allow the attacker to make use of known vulnerabilities of the SSLv3 protocol to compromise the confidentiality of the communication, allowing him to obtain sensitive information like session cookies, passwords and credit card data.


Due to the strong requirement that the attacker has control over the network, we believe this vulnerability to be low risk, but with a high impact.


The general recommendation for this vulnerability is to disable use of SSLv3 altogether whenever possible.


In this post we will show you how you can disable SSLv3 from OutSystems Platform servers and thus be protected from this vector of attack.


For Windows Server using IIS as the application server:

  1. Open regedit.exe

  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

  3. Add a key named SSL 3.0

  4. Under that key, add two keys named Client and Server

  5. Under the Client key, add a DWORD Value with name DisabledByDefault and set its value to 1

  6. Under the Server key, add a DWORD Value with name Enabled and ensure its value is set to 0

  7. Repeat steps 3, 4 and 6 for the key SSL 2.0: ensure the DWORD Enabled is set to 0.

  8. Restart the server


For detailed instructions with screenshots, please refer to this post.



For Linux systems running JBoss 5.X:

  1. Edit the $JBOSS_HOME/server/outsystems/deploy/jbossweb.sar/server.xml file

  2. Find the HTTPS connector element (the one on port 8443 with sslEnabled="true")

  3. Change the value of the sslProtocol attribute from "TLS" to "TLSv1". Currently only TLSv1 can be used.

  4. Edit the $JBOSS_HOME/bin/run.conf file

  5. Add a new JAVA_OPTS line with JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1"

  6. Restart JBoss using service jboss-outsystems restart



For Linux systems running JBoss EAP 6.X or JBoss AS 7.1:

  1. Edit the $JBOSS_HOME/standalone/configuration/standalone-outsystems.xml file

  2. Find all HTTPS connectors (attribute secure="true" and sub-element <ssl> present)

  3. Add a protocol="TLSv1" attribute at the end

  4. Edit the $JBOSS_HOME/bin/standalone-outsystems.conf file

  5. Add a new JAVA_OPTS line with JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1"

  6. Restart JBoss with service jboss-outsystems restart


For additional information regarding this configuration in JBoss, please refer to this article.



For Linux systems running WebLogic:

  1. Open the WebLogic administration console http://<server>:7001/console (replace <server> with your server URL)

  2. Go to Environment > Servers > select your server

  3. On the tab “Server Start”

  4. Lock and Edit

  5. Add -Dweblogic.security.SSL.protocolVersion=TLS1 -Dhttps.protocols=TLSv1 to the Arguments edit box

  6. Save and Activate Changes

  7. Restart your server using service weblogic-outsystems restart on the command line


For additional information regarding this configuration in WebLogic, please refer to this article.



Best regards,

Ricardo Silva
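The Windows/IIS registry steps above, as an added example that is not part of the original post: a small Python script that renders the same Schannel settings as a .reg file (so the change can be reviewed and imported with reg.exe instead of clicked through in regedit.exe) and, on Windows, audits the live registry against them. The key path, key names and DWORD names are the post's; the function names, the audit logic and the sample values in the comments are my own assumptions.

```python
"""Added example, not part of the original post: the Schannel registry
settings from the Windows/IIS steps, rendered as a .reg file and audited
against the live registry."""
import sys

PROTOCOLS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                 r"\SecurityProviders\Schannel\Protocols")
# Same path relative to HKLM, for winreg.OpenKey on Windows.
PROTOCOLS_SUBKEY = (r"SYSTEM\CurrentControlSet\Control\SecurityProviders"
                    r"\Schannel\Protocols")

# Desired state exactly as steps 3-7 of the post describe it:
# (protocol key, side key, DWORD name, DWORD value)
DESIRED = [
    ("SSL 3.0", "Client", "DisabledByDefault", 1),
    ("SSL 3.0", "Server", "Enabled", 0),
    ("SSL 2.0", "Server", "Enabled", 0),
]


def build_reg_file(desired=DESIRED):
    """Render a Registry Editor 5.00 file that creates the keys (steps 3-4)
    and the DWORD values (steps 5-7). Import it with: reg import <file>."""
    sections = {}  # key path -> list of value lines, in insertion order
    for proto, side, name, value in desired:
        proto_key = f"{PROTOCOLS_KEY}\\{proto}"
        sections.setdefault(proto_key, [])  # the protocol key itself
        sections.setdefault(f"{proto_key}\\{side}", []).append(
            f'"{name}"=dword:{value:08x}')  # .reg DWORDs are 8 hex digits
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, values in sections.items():
        out += [f"[{key}]", *values, ""]
    return "\n".join(out)


def audit(actual, desired=DESIRED):
    """Compare values read from the registry ({(proto, side, name): int})
    with the desired state and return (proto, side, name, expected, found)
    for every mismatch. A missing value is a mismatch too: Schannel then
    falls back to its built-in default for that protocol rather than the
    explicit setting the steps above intend."""
    return [(proto, side, name, value, actual.get((proto, side, name)))
            for proto, side, name, value in desired
            if actual.get((proto, side, name)) != value]


def read_registry(desired=DESIRED):
    """Read the live values. winreg exists only on Windows, so the import
    is deferred to keep the rest of the script usable elsewhere."""
    import winreg
    actual = {}
    for proto, side, name, _ in desired:
        sub_key = f"{PROTOCOLS_SUBKEY}\\{proto}\\{side}"
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub_key) as key:
                actual[(proto, side, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value not present -> reported by audit()
    return actual


if __name__ == "__main__":
    if sys.platform == "win32":
        # Constructed usage: report what differs from the post's settings.
        for proto, side, name, want, got in audit(read_registry()):
            print(f"{proto}\\{side}\\{name}: expected {want}, found {got}")
    else:
        print(build_reg_file())
```

Run it on the server after a restart to confirm the values took; an empty audit result means every DWORD from the steps is present with the expected value. Note that the post's step 8 (restart) still applies: Schannel reads these keys at startup.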
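The JBoss 5 and JBoss EAP 6 / AS 7 file edits above (sslProtocol on the SSL-enabled Connector, protocol on the ssl sub-element of secure connectors, and the JAVA_OPTS line), as an added example that is not part of the original post: a Python script that applies those edits to the configuration text idempotently, so it can be reviewed and re-run safely. The attribute names, the JAVA_OPTS line and the file paths in the usage comment are the post's; the function names, the text-based matching and the sample XML in the test are my own assumptions. It goes slightly beyond the post in that it also adds the attribute when it is missing rather than only changing an existing "TLS" value.

```python
"""Added example, not part of the original post: apply the JBoss 5 and
JBoss EAP 6 / AS 7 SSLv3-disabling edits to configuration text."""
import re
import sys

PROTOCOL = "TLSv1"  # per the post, the only TLS version usable on Java 6
JAVA_OPTS_LINE = 'JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1"'

_J5_CONNECTOR = re.compile(r"<Connector\b[^>]*>", re.I)
_J7_SECURE_CONNECTOR = re.compile(
    r'<connector\b[^>]*\bsecure="true"[^>]*>.*?</connector>', re.S)
_SSL_ELEMENT = re.compile(r"<ssl\b[^>]*?/>")


def _set_attr(tag, name, value):
    """Set or add name="value" on one XML start tag given as a string."""
    attr = re.compile(r'\b%s\s*=\s*"[^"]*"' % re.escape(name), re.I)
    if attr.search(tag):
        return attr.sub(f'{name}="{value}"', tag, count=1)
    end = "/>" if tag.endswith("/>") else ">"
    return tag[:-len(end)].rstrip() + f' {name}="{value}"{end}'


def jboss5_server_xml(text):
    """JBoss 5, step 3: sslProtocol="TLSv1" on every SSL-enabled Connector.
    Returns (new_text, number_of_connectors_changed)."""
    changed = 0

    def fix(m):
        nonlocal changed
        tag = m.group(0)
        if re.search(r'\bsslenabled\s*=\s*"true"', tag, re.I) is None:
            return tag  # plain HTTP connector: leave it alone
        new = _set_attr(tag, "sslProtocol", PROTOCOL)
        changed += new != tag
        return new
    return _J5_CONNECTOR.sub(fix, text), changed


def jboss7_standalone_xml(text):
    """EAP 6 / AS 7, step 3: protocol="TLSv1" on the <ssl> sub-element of
    every connector with secure="true". Returns (new_text, changed)."""
    changed = 0

    def fix_connector(m):
        def fix_ssl(s):
            nonlocal changed
            new = _set_attr(s.group(0), "protocol", PROTOCOL)
            changed += new != s.group(0)
            return new
        return _SSL_ELEMENT.sub(fix_ssl, m.group(0))
    return _J7_SECURE_CONNECTOR.sub(fix_connector, text), changed


def ensure_java_opts(conf):
    """Step 5: append the JAVA_OPTS line unless https.protocols is already
    set somewhere in the file. Returns (new_text, line_added)."""
    if re.search(r"-Dhttps\.protocols=", conf):
        return conf, False
    return conf.rstrip("\n") + "\n" + JAVA_OPTS_LINE + "\n", True


if __name__ == "__main__":
    # Usage (paths from the post):
    #   python disable_sslv3_jboss.py jboss5 $JBOSS_HOME/server/outsystems/deploy/jbossweb.sar/server.xml
    #   python disable_sslv3_jboss.py conf   $JBOSS_HOME/bin/run.conf
    #   python disable_sslv3_jboss.py jboss7 $JBOSS_HOME/standalone/configuration/standalone-outsystems.xml
    #   python disable_sslv3_jboss.py conf   $JBOSS_HOME/bin/standalone-outsystems.conf
    mode, path = sys.argv[1], sys.argv[2]
    transform = {"jboss5": jboss5_server_xml,
                 "jboss7": jboss7_standalone_xml,
                 "conf": ensure_java_opts}[mode]
    with open(path) as f:
        original = f.read()
    updated, changed = transform(original)
    if changed:
        with open(path, "w") as f:
            f.write(updated)
    print(f"{path}: {'updated' if changed else 'already set'}")
```

The edits are textual (the same thing an administrator would do with sed), which keeps comments and formatting intact but means a connector element spelled across several lines is still matched as one start tag; back the file up before running, diff the result, and then restart JBoss as the post's step 6 says, since the running server does not reread these files.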

Ricardo Silva wrote:

Edit Feb 23, 2015: removed indication of TLSv1.1 or TLSv1.2 since Java 6 does not support them. More about it here.

Do you have anything on support for TLS 1.1 and above?