[jira] [Commented] (OFBIZ-5848) Poodle-disable sslv3


[jira] [Commented] (OFBIZ-5848) Poodle-disable sslv3

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14209981#comment-14209981 ]

Jacques Le Roux commented on OFBIZ-5848:
----------------------------------------

Ha no, it was already up to date when I tried. I did a svn up just before. So it seems the 1st time it failed despite your change. The second time, since I had other stuff to do and tests consume much resources, I diminished the Java process priority (from 8 normal to 4 background). It's maybe the reason it worked. I will retry the 2 cases later. Anyway I'd not worry too much about that, I think nowadays nobody runs a production site on Windows Server ;)

> Poodle-disable sslv3
> --------------------
>
>                 Key: OFBIZ-5848
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-5848
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: Trunk
>         Environment: unix
>            Reporter: Poodle Fixer
>            Assignee: Jacques Le Roux
>            Priority: Critical
>              Labels: patch, security
>             Fix For: Upcoming Branch, 12.04.06, 13.07.02
>
>         Attachments: OFBIZ-5848-java17-12.04.patch, OFBIZ-5848-java17-12.04.patch
>
>
> {panel:title= WARNING ABOUT THE FIX|bgColor=red}
> *We will certainly have to evolve this in the future because this correction forces the protocol to TLSv1.2*
> {panel}
> [~jacques.le.roux]: I have put a reminder for myself to follow the status of the Poodle issue in Tomcat
> ----
> Hi there--
> This topic seemed relevant because it is a major security issue that recently came up and will affect many ecommerce sites for ofbiz.
> I am in process of trying to disable sslv3 on our version of of
> ofbiz uses tomcat 6.
> This is to eliminate the security vulnerability from poodle bleed.
> http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed
> We have tried updating the of ofbiz-containers.xml file like below, but it
> did not disable sslv3. Poodle is still there.
> I have also seen fixes that update server.xml with something similar.
> <property name="sslProtocol" value="TLS"/>  
> <property name="sslEnabledProtocols" value="TLSv1"/>  
> Has anyone else had luck fixing the poodle issue on Apache ofbiz?
> Or in any of biz products… where is the best place to fix this in of biz??
> Thanks!
> The Poodle fixer :)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
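
An added example, not code from the OFBiz patch or from either poster: in JSSE the context name (such as "TLS") and the list of enabled protocol versions are separate settings, and only the latter restricts what a handshake may negotiate. The sketch below removes SSLv3 with a deny-list instead of pinning one version, which is the concern raised in the warning panel; the class name `DisableSslv3Example` and the helper `allowedProtocols` are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class DisableSslv3Example {

    // JSSE protocol names for the legacy versions to remove.
    private static final List<String> DENIED = Arrays.asList("SSLv3", "SSLv2Hello");

    /** Returns every protocol in 'supported' except the denied legacy ones. */
    static String[] allowedProtocols(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String p : supported) {
            if (!DENIED.contains(p)) {
                keep.add(p);
            }
        }
        if (keep.isEmpty()) {
            // Fail closed: never fall back to the unfiltered list.
            throw new IllegalStateException("no TLS protocol left after filtering");
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // "TLS" selects the SSLContext implementation; it does not by itself
        // decide which protocol versions a connection will accept.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key and trust managers, enough for this demo

        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // behave as the server side
        System.out.println("supported:      " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled before: " + Arrays.toString(engine.getEnabledProtocols()));

        // The enabled-protocol list is what actually constrains the handshake.
        // Newer TLS versions the JVM supports stay available after the filter.
        engine.setEnabledProtocols(allowedProtocols(engine.getSupportedProtocols()));
        System.out.println("enabled after:  " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The same filter applies unchanged to `SSLServerSocket.setEnabledProtocols`. Whether SSLv3 appears in the "enabled before" line depends on the JVM version and its security properties.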

Re: [jira] [Commented] (OFBIZ-5848) Poodle-disable sslv3

Jacopo Cappellato-4
Actually I have fixed the test after you reported the failure; after that
you reported a success... or am I missing something?

On Thu, Nov 13, 2014 at 5:27 PM, Jacques Le Roux (JIRA) <[hidden email]>
wrote:

>
>     [
> https://issues.apache.org/jira/browse/OFBIZ-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14209981#comment-14209981
> ]
>
> Jacques Le Roux commented on OFBIZ-5848:
> ----------------------------------------
>
> Ha no, it was already up to date when I tried. I did a svn up just before.
> So it seems the 1st time it failed despite your change. The second time,
> since I had other stuff to do and tests consume much resources, I
> diminished the Java process priority (from 8 normal to 4 background). It's
> maybe the reason it worked. I will retry the 2 cases later. Anyway I'd not
> worry too much about that, I think nowadays nobody runs a production site
> on Windows Server ;)
>
> > Poodle-disable sslv3
> > --------------------
> >
> >                 Key: OFBIZ-5848
> >                 URL: https://issues.apache.org/jira/browse/OFBIZ-5848
> >             Project: OFBiz
> >          Issue Type: Bug
> >    Affects Versions: Trunk
> >         Environment: unix
> >            Reporter: Poodle Fixer
> >            Assignee: Jacques Le Roux
> >            Priority: Critical
> >              Labels: patch, security
> >             Fix For: Upcoming Branch, 12.04.06, 13.07.02
> >
> >         Attachments: OFBIZ-5848-java17-12.04.patch,
> OFBIZ-5848-java17-12.04.patch
> >
> >
> > {panel:title= WARNING ABOUT THE FIX|bgColor=red}
> > *We will certainly have to evolve this in the future because this
> correction forces the protocol to TLSv1.2*
> > {panel}
> > [~jacques.le.roux]: I have put a reminder for myself to follow the
> status of the Poodle issue in Tomcat
> > ----
> > Hi there--
> > This topic seemed relevant because it is a major security issue that
> recently came up and will affect many ecommerce sites for ofbiz.
> > I am in process of trying to disable sslv3 on our version of of
> > ofbiz uses tomcat 6.
> > This is to eliminate the security vulnerability from poodle bleed.
> >
> http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed
> > We have tried updating the of ofbiz-containers.xml file like below, but
> it
> > did not disable sslv3. Poodle is still there.
> > I have also seen fixes that update server.xml with something similar.
> > <property name="sslProtocol" value="TLS"/>
> > <property name="sslEnabledProtocols" value="TLSv1"/>
> > Has anyone else had luck fixing the poodle issue on Apache ofbiz?
> > Or in any of biz products… where is the best place to fix this in of
> biz??
> > Thanks!
> > The Poodle fixer :)
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.3.4#6332)
>