[jira] [Closed] (OFBIZ-10085) Prevent the possible return of the Robot attack


Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-10085?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-10085.
-----------------------------------
    Resolution: Incomplete

Mmm, what I did had no effect; I still see
bq. This host is not vulnerable. However it still allows connections with the problematic RSA encryption ciphers.
at https://robotattack.org/check/?h=demo-trunk.ofbiz.apache.org

I think the test server speaks about our HTTPD and not our embedded Tomcat.

Then there is not much we can do (demos are safe anyway) but maybe for other service providers to check on their side. So I finally close as incomplete and let interested people check by themselves...

> Prevent the possible return of the Robot attack
> -----------------------------------------------
>
>                 Key: OFBIZ-10085
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10085
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: 16.11.04
>
>
> After reading https://robotattack.org/ and testing https://robotattack.org/check/?h=demo-trunk.ofbiz.apache.org which returned (same for stable and old)
> bq. This host is not vulnerable. However it still allows connections with the problematic RSA encryption ciphers.
> I concluded that we should remove RSA encryption ciphers from our Tomcat config. I'll use https://tomcat.apache.org/tomcat-8.5-doc/config/http.html as a reference to fix this possible issue.
> If you are more interested in this please read https://mailarchive.ietf.org/arch/msg/tls/t6SKfh49fb4kRET2krZ6UoaEefs



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
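One way to audit the Tomcat 8.5 connector configuration the issue proposes editing, as an added example that is not OFBiz project code: it reads the `ciphers` attribute from a constructed server.xml fragment, flags the suites whose key exchange is static RSA (the only ones ROBOT applies to, since ECDHE_RSA/DHE_RSA suites use RSA for signing only) and emits the hardened attribute value. It assumes explicit suite names in JSSE (`TLS_..._WITH_...`) or OpenSSL (`ECDHE-RSA-...`) form rather than OpenSSL keyword expressions such as `HIGH`, and it only inspects the Tomcat layer, which is the caveat raised in the comment above about a front-end HTTPD answering the online check instead.

```python
"""Flag static-RSA key-exchange suites in a Tomcat server.xml 'ciphers' attribute."""
import xml.etree.ElementTree as ET

# Constructed server.xml fragment for the demo; not the OFBiz project's own config.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2"
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384">
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# OpenSSL-style names with one of these prefixes negotiate keys via (EC)DH, PSK or SRP,
# so the premaster secret is never RSA-encrypted and a Bleichenbacher oracle is useless.
NON_STATIC_RSA_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "ECDH-", "DH-", "ADH-", "AECDH-", "PSK-", "SRP-")

def uses_static_rsa_kx(suite):
    """True if the suite exchanges keys with plain RSA, the only case ROBOT applies to.
    JSSE names: TLS_RSA_WITH_* / SSL_RSA_WITH_*; ECDHE_RSA/DHE_RSA only *sign* with RSA.
    OpenSSL names: static-RSA suites carry no key-exchange prefix (e.g. AES128-SHA)."""
    if "_" in suite:  # JSSE naming (also covers TLS 1.3 names, which never start TLS_RSA_WITH_)
        return suite.startswith(("TLS_RSA_WITH_", "SSL_RSA_WITH_"))
    return not suite.startswith(NON_STATIC_RSA_PREFIXES)

def parse_ciphers(server_xml):
    """Return one list of suite names per <Connector>/<SSLHostConfig> 'ciphers' attribute."""
    lists = []
    for elem in ET.fromstring(server_xml).iter():
        if elem.tag in ("Connector", "SSLHostConfig") and elem.get("ciphers"):
            lists.append([s.strip() for s in elem.get("ciphers").split(",") if s.strip()])
    return lists

def audit_ciphers(suites):
    """Split a configured list into (kept, flagged); flagged suites are the ones to remove."""
    flagged = [s for s in suites if uses_static_rsa_kx(s)]
    kept = [s for s in suites if not uses_static_rsa_kx(s)]
    return kept, flagged

def hardened_ciphers_attribute(suites):
    """Value to write back into 'ciphers' with the static-RSA suites dropped."""
    return ",".join(audit_ciphers(suites)[0])

if __name__ == "__main__":
    for suites in parse_ciphers(SAMPLE_SERVER_XML):
        kept, flagged = audit_ciphers(suites)
        print("remove:", flagged)
        print('ciphers="%s"' % hardened_ciphers_attribute(suites))
```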