Jacques Le Roux created OFBIZ-10085:
---------------------------------------
Summary: Prevent the possible return of the Robot attack
Key: OFBIZ-10085
URL: https://issues.apache.org/jira/browse/OFBIZ-10085
Project: OFBiz
Issue Type: Sub-task
Components: framework
Affects Versions: Trunk
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux
Priority: Minor
Fix For: Upcoming Release
After reading https://robotattack.org/ and testing https://robotattack.org/check/?h=demo-trunk.ofbiz.apache.org, which returned (same for stable and old):

bq. This host is not vulnerable. However it still allows connections with the problematic RSA encryption ciphers.

I concluded that we should remove RSA encryption ciphers from our Tomcat config. I'll use https://tomcat.apache.org/tomcat-8.5-doc/config/http.html as a reference to fix this possible issue.

If you are more interested in this, please read https://mailarchive.ietf.org/arch/msg/tls/t6SKfh49fb4kRET2krZ6UoaEefs

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
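The cleanup this issue proposes, as an added example that is not OFBiz or Tomcat code: given a Tomcat Connector `ciphers` attribute written with JSSE suite names, drop the suites whose key exchange is RSA encryption of the premaster secret (`TLS_RSA_*`, `TLS_RSA_PSK_*`), which is the primitive ROBOT attacks, while keeping `TLS_ECDHE_RSA_*` and `TLS_DHE_RSA_*`, where the RSA key only signs and the key exchange is ephemeral (which also gives forward secrecy). The Connector fragment below is constructed for illustration; the file name, port and keystore attributes are assumptions, not OFBiz's real configuration.

```python
"""Drop static-RSA key-exchange suites from a Tomcat ``ciphers`` attribute.

Added example for OFBIZ-10085; not OFBiz or Tomcat code. Handles JSSE-style
suite names only (TLS_..., SSL_...). Run it to see the hardened Connector.
"""
import re

# Constructed sample Connector (assumed values, not OFBiz's server.xml): the
# list mixes ECDHE/DHE suites with three static-RSA ones.
SAMPLE_SERVER_XML = (
    '<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"\n'
    '           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"\n'
    '           ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,'
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,'
    'TLS_RSA_WITH_AES_128_GCM_SHA256,'
    'TLS_RSA_WITH_AES_256_CBC_SHA,'
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA"\n'
    '           keystoreFile="ofbizssl.jks" keystorePass="changeit"/>'
)

# JSSE names state the key exchange right after the protocol prefix:
#   TLS_RSA_WITH_...       premaster secret RSA-encrypted to the server key (ROBOT target)
#   TLS_RSA_PSK_WITH_...   same RSA-encrypted premaster plus a PSK (also a target)
#   TLS_ECDHE_RSA_WITH_... ephemeral ECDH key exchange, RSA only signs (keep)
#   TLS_DHE_RSA_WITH_...   ephemeral DH key exchange, RSA only signs (keep)
_RSA_KEY_EXCHANGE = re.compile(r"^(?:TLS|SSL)_RSA_(?:PSK_|EXPORT_|EXPORT1024_)?WITH_")
_JSSE_NAME = re.compile(r"^(?:TLS|SSL)_[A-Z0-9_]+$")


def uses_rsa_key_exchange(suite):
    """True when the suite's key exchange is RSA encryption of the premaster secret."""
    return _RSA_KEY_EXCHANGE.match(suite.strip()) is not None


def split_cipher_list(attr):
    """Tomcat's ``ciphers`` attribute is comma-separated; tolerate stray whitespace."""
    return [s for s in re.split(r"[,\s]+", attr) if s]


def strip_rsa_key_exchange(attr):
    """Return (hardened_attr, removed_suites).

    Order of the kept suites is preserved, since Tomcat can use the configured
    order as the server preference. A list that is not made of JSSE names
    (e.g. OpenSSL syntax such as "HIGH:!aNULL") is returned untouched so the
    caller can review it by hand instead of having it silently mangled.
    """
    suites = split_cipher_list(attr)
    if not all(_JSSE_NAME.match(s) for s in suites):
        return attr, []
    kept, removed = [], []
    for suite in suites:
        (removed if uses_rsa_key_exchange(suite) else kept).append(suite)
    return ",".join(kept), removed


def harden_server_xml(xml_text):
    """Rewrite every ciphers="..." attribute in a server.xml fragment.

    Returns (new_text, dropped_suites). A Connector with no ``ciphers``
    attribute at all is left as is, and that case needs attention too, since
    the JSSE default suite list still contains TLS_RSA_* suites.
    """
    dropped = []

    def _rewrite(match):
        new_attr, removed = strip_rsa_key_exchange(match.group(1))
        dropped.extend(removed)
        return 'ciphers="%s"' % new_attr

    return re.sub(r'ciphers="([^"]*)"', _rewrite, xml_text), dropped


if __name__ == "__main__":
    hardened, gone = harden_server_xml(SAMPLE_SERVER_XML)
    print("Dropped:", ", ".join(gone))
    print(hardened)
```

After applying the change, re-run the robotattack.org check against the host: the expected result is that the "still allows connections with the problematic RSA encryption ciphers" remark disappears, while clients that only support static-RSA suites (very old ones) will no longer connect.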