Administrator

On 02/11/2014 21:12, HRC Boston wrote:
> Hi there--
>
> I am in the process of trying to disable sslv3 on our version of
> ofbiz 09-04, which uses tomcat 5.5.
>
> This is to eliminate the security vulnerability from poodle bleed.
> http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed
>
> We have tried updating the ofbiz-containers.xml file like below, but it
> did not disable sslv3. Poodle is still there.
>
> I have also seen fixes that update server.xml with something similar.
>
> <property name="sslProtocol" value="TLS"/>
> <property name="sslEnabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>
>
> Has anyone else had luck fixing the poodle issue on Apache ofbiz version
> 09-04?

Did you try to update the embedded Tomcat version? Maybe you need to use Java 7 also...
http://serverfault.com/questions/637649/how-do-i-disable-sslv3-support-in-apache-tomcat

Jacques

> Thanks!
>
> The poodle bleed fixer :)
Hi Jacques--

Thanks for your reply. I am a developer working with our ops team to fix poodle. We are hoping for a simple fix for this issue, as upgrading the software involves more testing than we are able to cover right now. A lot of the fixes we have seen suggest that the tomcat server.xml file is the place to fix poodle. We tried the ofbiz-containers.xml file as noted because that is where our https connector is set up... but no luck there... maybe we need to add a cipher to server.xml? As in the example at the bottom of this page:
http://blog.ricardoamaro.com/content/poodle-sslv3-vulnerability-fix

Your help is very appreciated. Has anybody had any luck with this fix?

Update /etc/tomcat7/server.xml file with "sslProtocol" line to:
sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" sslEnabledProtocols="TLSv1"

Perhaps we should try a version with only tlsv1 enabled.
I have started following these jira tickets here:
https://issues.apache.org/jira/browse/HADOOP-11243?jql=text%20~%20%22sslv3%22

We just tried this fix... no luck.
<property name="sslProtocol" value="TLS"/>
<property name="sslEnabledProtocols" value="TLSv1"/>

Has anyone had luck fixing this in ofbiz?
Right now we think we might have more luck with a java fix to SSLUtil... in the org framework folder, something very much like this...
https://issues.apache.org/jira/browse/HADOOP-11243?jql=text%20~%20%22sslv3%22
In reply to this post by Jacques Le Roux
Hi Jacques--
Thank you for your help! I need to make a correction: we are using tomcat6. When I compile with java7, our build fails, so we don't have time to upgrade our server or java most likely...

Per these apache tickets:
https://issues.apache.org/jira/browse/HADOOP-11243?jql=text%20~%20%22sslv3%22
https://issues.apache.org/jira/browse/HDFS-7274?jql=text%20~%20%22sslv3%22

So far I have edited all server.xml files to include:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1"/>

All ofbiz-container.xml, test-container.xml files to include:
<property name="sslProtocol" value="TLS"/>
<property name="sslEnabledProtocols" value="TLSv1"/>
<property name="ciphers" value="TLS_RSA_WITH_AES_128_CBC_SHA"/>

And I have edited the SSLUtil.java file like below:
+ private final static String[] enabledProtocols = {"TLSv1"}; private static boolean loadedProps = false; @@ -148,8 +149,9 @@ KeyManager[] km = SSLUtil.getKeyManagers(ks, password, alias); TrustManager[] tm = SSLUtil.getTrustManagers(); - SSLContext context = SSLContext.getInstance("SSL"); + SSLContext context = SSLContext.getInstance("TLS"); context.init(km, tm, new SecureRandom()); + context.getDefaultSSLParameters().setProtocols(enabledProtocols); return context.getSocketFactory(); } @@ -162,8 +164,9 @@ tm = SSLUtil.getTrustManagers(); } - SSLContext context = SSLContext.getInstance("SSL"); + SSLContext context = SSLContext.getInstance("TLS"); context.init(km, tm, new SecureRandom()); + context.getDefaultSSLParameters().setProtocols(enabledProtocols); return context.getSocketFactory(); } 
@@ -179,8 +182,9 @@ TrustManager[] tm = SSLUtil.getTrustManagers(); KeyManager[] km = SSLUtil.getKeyManagers(ks, password, alias); - SSLContext context = SSLContext.getInstance("SSL"); + SSLContext context = SSLContext.getInstance("TLS"); context.init(km, tm, new SecureRandom()); + context.getDefaultSSLParameters().setProtocols(enabledProtocols); return context.getServerSocketFactory(); } @@ -188,8 +192,9 @@ TrustManager[] tm = SSLUtil.getTrustManagers(); KeyManager[] km = SSLUtil.getKeyManagers(alias); - SSLContext context = SSLContext.getInstance("SSL"); + SSLContext context = SSLContext.getInstance("TLS"); context.init(km, tm, new SecureRandom()); + context.getDefaultSSLParameters().setProtocols(enabledProtocols); return context.getServerSocketFactory(); }

When I run this command after rebooting, SSLV3 is still there:
openssl s_client -connect localhost:portnumberhere -ssl3
SSL handshake has read 2252 bytes and written 306 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit

ANY OTHER IDEAS ON HOW TO DISABLE SSLV3??
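Review bot: the added line `context.getDefaultSSLParameters().setProtocols(enabledProtocols);` in all four hunks has no effect, which is consistent with the `openssl s_client -ssl3` result below. `SSLContext.getDefaultSSLParameters()` returns a fresh `SSLParameters` copy on every call; calling `setProtocols` on that copy changes neither the context nor the sockets created by the factories returned at `return context.getSocketFactory();` and `return context.getServerSocketFactory();`. Swapping `getInstance("SSL")` for `getInstance("TLS")` does not by itself remove SSLv3 from the enabled list either; what is negotiable is decided per socket. The working form of this change is to call `setEnabledProtocols(enabledProtocols)` on each `SSLSocket` or `SSLServerSocket` the returned factory creates (for example by returning a thin wrapper around the factory that does this in every `createSocket`/`createServerSocket`), or, for the HTTPS connector, to restrict the protocol list in the container configuration rather than in `SSLUtil`.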
In reply to this post by Jacques Le Roux
We had success with this when developing locally:
<property name="sslProtocol" value="TLSv1"/>
<property name="protocols" value="TLSv1"/>

The reason is that it is undocumented to use protocols instead of sslEnabledProtocols.

See https://blogs.atlassian.com/2014/10/ssl-poodle/
http://tomcat.10.x6.nabble.com/How-to-allow-only-TLS-1-1-connections-to-Tomcat-6-0-server-with-https

We get this when trying to connect with ssl3 locally:
openssl s_client -connect localhost:portnumberhere -ssl3
CONNECTED(00000003)
6990:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/src/ssl/s3_pkt.c:290:
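The `openssl s_client -ssl3` probe used in this post and the earlier one can end three different ways, and only one of them means the fix worked. The following shell script is an added example, not part of the thread or of OFBiz: it classifies the probe output so a re-check after each configuration change gives a single answer. The `classify_sslv3_output` and `probe_sslv3` function names are assumptions, and the sample outputs embedded in it are constructed, modelled on the two results quoted in the thread plus the message a modern OpenSSL prints when it was built without SSLv3 client support.

```shell
#!/bin/sh
# Added example (not OFBiz or thread code): turn the output of
#   openssl s_client -connect host:port -ssl3
# into one of three verdicts.
#   ACCEPTED   - the server completed an SSLv3 handshake: still exposed to POODLE
#   REJECTED   - the server refused SSLv3 ("wrong version number", alert, no cipher)
#   UNTESTABLE - the local openssl cannot speak SSLv3 at all (-ssl3 unknown),
#                so the probe says nothing about the server

classify_sslv3_output() {
  # Reads the merged stdout/stderr of s_client on stdin.
  out=$(cat)

  # 1. Client-side limitation: OpenSSL built without SSLv3 rejects the option.
  #    Treat this as inconclusive rather than as a pass.
  case "$out" in
    *"unknown option"*|*"Unknown option"*|*"unrecognized option"*)
      echo UNTESTABLE; return 0 ;;
  esac

  # 2. A completed handshake prints "New, <proto>, Cipher is <suite>" with a
  #    real suite (the thread shows "Cipher is AES128-SHA"); a failed one
  #    prints "Cipher is (NONE)" or no such line at all.
  if printf '%s\n' "$out" | grep -q 'Cipher is' &&
     ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo ACCEPTED; return 0
  fi

  # 3. Explicit refusal by the server.
  case "$out" in
    *"wrong version number"*|*"handshake failure"*|*"protocol version"*|*"Cipher is (NONE)"*)
      echo REJECTED; return 0 ;;
  esac

  echo UNTESTABLE
}

# Live probe against a server you administer (assumed usage: probe_sslv3 localhost 8443).
probe_sslv3() {
  host=$1
  port=$2
  openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1 | classify_sslv3_output
}

# Constructed samples, modelled on the outputs quoted in the thread.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
SSL handshake has read 2252 bytes and written 306 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit'

SAMPLE_REJECTED='CONNECTED(00000003)
6990:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:290:'

SAMPLE_UNTESTABLE='s_client: Unknown option: -ssl3
s_client: Use -help for summary.'
```

After restarting the server, `probe_sslv3 localhost 8443` (port as assumed) should print REJECTED, matching the "wrong version number" result above; ACCEPTED reproduces the earlier post's "Cipher is AES128-SHA" situation. The UNTESTABLE branch is the caveat worth keeping: on a machine whose OpenSSL was built without SSLv3, the probe fails on the client side, and reading that failure as "SSLv3 disabled" would be a false pass; use an OpenSSL build with SSLv3 support or a scanner with its own SSLv3 implementation instead.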
Administrator

Thanks Poodle fixer :)

The vulnerability is now fixed in OFBiz trunk and branches releases also: https://issues.apache.org/jira/browse/OFBIZ-5848
Tested using nmap from Windows: https://www.vanstechelman.eu/content/scan-for-poodle-using-nmap-from-a-windows-machine

Jacques

On 04/11/2014 19:05, HRC Boston wrote:
> we had success with this when developing locally:
> <property name="sslProtocol" value="TLSv1"/>
> <property name="protocols" value="TLSv1"/>
>
> the reason is that it is undocumented to use protocols instead of
> sslEnabledProtocols
>
> see https://blogs.atlassian.com/2014/10/ssl-poodle/
> http://tomcat.10.x6.nabble.com/How-to-allow-only-TLS-1-1-connections-to-Tomcat-6-0-server-with-https
>
> we get this when trying to connect with ssl3 locally
>
> openssl s_client -connect localhost:portnumberhere -ssl3
> CONNECTED(00000003)
> 6990:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/s3_pkt.c:290: