OFBiz › OFBiz - Notifications

[jira] [Commented] (OFBIZ-10085) Prevent the possible return of the Robot attack

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

Nicolas Malin (Jira)

[jira] [Commented] (OFBIZ-10085) Prevent the possible return of the Robot attack

[ https://issues.apache.org/jira/browse/OFBIZ-10085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16294151#comment-16294151 ]

Jacques Le Roux commented on OFBIZ-10085:
-----------------------------------------

Mmm, what I did had no effect I still see
bq. This host is not vulnerable. However it still allows connections with the problematic RSA encryption ciphers.
at https://robotattack.org/check/?h=demo-trunk.ofbiz.apache.org
SO not sure how to change that, I have to read more about it

> Prevent the possible return of the Robot attack
> -----------------------------------------------
>
> Key: OFBIZ-10085
> URL: https://issues.apache.org/jira/browse/OFBIZ-10085
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor
> Fix For: 16.11.04
>
>
> After reading https://robotattack.org/ and testing https://robotattack.org/check/?h=demo-trunk.ofbiz.apache.org which returned (same for stable and old)
> bq. This host is not vulnerable. However it still allows connections with the problematic RSA encryption ciphers.
> I concluded that we should remove RSA encryption ciphers from our Tomcat config. I'll use https://tomcat.apache.org/tomcat-8.5-doc/config/http.html as a reference to fix this possible issue.
> If you are more interested in this please read https://mailarchive.ietf.org/arch/msg/tls/t6SKfh49fb4kRET2krZ6UoaEefs

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)