OFBiz › OFBiz - Dev

[jira] [Commented] (OFBIZ-5848) Poodle-disable sslv3

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

Nicolas Malin (Jira)

[jira] [Commented] (OFBIZ-5848) Poodle-disable sslv3

[ https://issues.apache.org/jira/browse/OFBIZ-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14198596#comment-14198596 ]

Jacques Le Roux commented on OFBIZ-5848:
----------------------------------------

For those that are interested by this vulnerability here are 2 references for browser and server sides:
https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
https://wiki.mozilla.org/Security/Server_Side_TLS

In trunk and releases branches I forced the protocol to TLS 1.2. This is a moot point (we could use TLS 1.0).

Good to know: most web browsers support TLS 1.0 (not enabled by default in Internet Explorer 6).
Browsers that by default support the latest TLS 1.2 version are:
* Google Chrome 30+
* Mozilla Firefox 27+
* Microsoft Internet Explorer 11+
* Opera 17+
* Apple Safari 7+

But time will quickly pass, with modern browsers updated online. So since I was forced to force a protocol version I picked the last one. Also because my tests with nmap were clear/sure with TLS 1.1/2 but not TLS 1.0.

> Poodle-disable sslv3
> --------------------
>
> Key: OFBIZ-5848
> URL: https://issues.apache.org/jira/browse/OFBIZ-5848
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: Trunk
> Environment: unix
> Reporter: Hrc Boston
> Assignee: Jacques Le Roux
> Priority: Critical
> Labels: patch, security
> Fix For: Upcoming Branch, 12.04.06, 13.07.02
>
>
> Hi there--
> This topic seemed relevant because it is a major security issue that recently came up and will affect many ecommerce sites for ofbiz.
> I am in process of trying to disable sslv3 on our version of of
> ofbiz 09-04, which uses tomcat 6.
> This is to eliminate the security vulnerability from poodle bleed.
> http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed
> We have tried updating the of ofbiz-containers.xml file like below, but it
> did not disable sslv3. Poodle is still there.
> I have also seen fixes that update server.xml with something similar.
> <property name="sslProtocol" value="TLS"/>
> <property name="sslEnabledProtocols" value="TLSv1"/>
> Has anyone else had luck fixing the poodle issue on Apache ofbiz version
> 09-04?
> Or in any of biz products… where is the best place to fix this in of biz??
> Thanks!
> The Poodle fixer :)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)