[
https://issues.apache.org/jira/browse/OFBIZ-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14198344#comment-14198344 ]
Jacques Le Roux edited comment on OFBIZ-5848 at 11/18/14 10:45 AM:
-------------------------------------------------------------------
Hi The Poodle fixer,
It was not only a Tomcat 7 issue. We had the same un trunk HEAD.
Following your indications in above links I found the solution for the trunk and fixed vulnerabilty in trunk HEAD using TLSv1.2 as explained at the bottom of this comment
https://blogs.atlassian.com/2014/10/ssl-poodle/#comment-190966The same apply to supported releases branches since they all use Tomcat 7.
Committed in
trunk r1636864
R13.07 1636866
R12.04 1636867
Thanks Poodle fixer :)
was (Author: jacques.le.roux):
Hi The Poodle fixer,
It was not only a Tomcat 7 issue. We had the same un trunk HEAD.
Following your indications in above links I found the solution for the trunk and fixed vulnerabilty in trunk HEAD using TLSv1.2 as explained at the bottom of this comment
https://blogs.atlassian.com/2014/10/ssl-poodle/#comment-190966The same apply to supported releases branches since they all use Tomcat 7.
Committed in
trunk r1636864
R13.07 1636866
R12.04 1636867
{panel:title= WARNING|bgColor=red}
*We will certainly have to evolve this in the future because this correction forces the protocol to TLSv1.2*
{panel}
Thanks Poodle fixer :)
> Poodle-disable sslv3
> --------------------
>
> Key: OFBIZ-5848
> URL:
https://issues.apache.org/jira/browse/OFBIZ-5848> Project: OFBiz
> Issue Type: Bug
> Affects Versions: Trunk
> Environment: unix
> Reporter: Poodle Fixer
> Assignee: Jacques Le Roux
> Priority: Critical
> Labels: patch, security
> Fix For: Upcoming Branch, 12.04.06, 13.07.02
>
> Attachments: OFBIZ-5848-java17-12.04.patch, OFBIZ-5848-java17-12.04.patch, OFBIZ-5848-java17-12.04.patch
>
>
> Hi there--
> This topic seemed relevant because it is a major security issue that recently came up and will affect many ecommerce sites for ofbiz.
> I am in process of trying to disable sslv3 on our version of of
> ofbiz uses tomcat 6.
> This is to eliminate the security vulnerability from poodle bleed.
>
http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed> We have tried updating the of ofbiz-containers.xml file like below, but it
> did not disable sslv3. Poodle is still there.
> I have also seen fixes that update server.xml with something similar.
> <property name="sslProtocol" value="TLS"/>
> <property name="sslEnabledProtocols" value="TLSv1"/>
> Has anyone else had luck fixing the poodle issue on Apache ofbiz?
> Or in any of biz products… where is the best place to fix this in of biz??
> Thanks!
> The Poodle fixer :)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
Locked
