svn commit: r1818402 - /ofbiz/ofbiz-framework/trunk/framework/catalina/ofbiz-component.xml

jleroux@apache.org
Author: jleroux
Date: Sat Dec 16 13:46:35 2017
New Revision: 1818402

URL: http://svn.apache.org/viewvc?rev=1818402&view=rev
Log:
Fixed: Prevent the possible return of the Robot attack
(OFBIZ-10085)

After reading https://robotattack.org/ and testing
https://robotattack.org/check/?h=demo-trunk.ofbiz.apache.org which returned
(same for stable and old)

    This host is not vulnerable.
    However it still allows connections with the problematic RSA encryption
    ciphers.

I concluded that we should remove RSA encryption ciphers from our Tomcat config.
See https://tomcat.apache.org/tomcat-8.5-doc/config/http.html

This removes RSA from ciphers and also sslProtocol, which is now TLS by default.

Modified:
    ofbiz/ofbiz-framework/trunk/framework/catalina/ofbiz-component.xml

Modified: ofbiz/ofbiz-framework/trunk/framework/catalina/ofbiz-component.xml
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/catalina/ofbiz-component.xml?rev=1818402&r1=1818401&r2=1818402&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/catalina/ofbiz-component.xml (original)
+++ ofbiz/ofbiz-framework/trunk/framework/catalina/ofbiz-component.xml Sat Dec 16 13:46:35 2017
@@ -147,8 +147,7 @@ under the License.
             <property name="keystoreType" value="JKS"/>
             <property name="keyAlias" value="ofbiz"/>
             <property name="keyPass" value="changeit"/>
-            <property name="sslProtocol" value="TLS"/>
-            <property name="ciphers" value=""/>
+            <property name="ciphers" value="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"/>
         </property>
     </container>
     <container name="catalina-container-test" loaders="test" class="org.apache.ofbiz.catalina.container.CatalinaContainer">
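Review bot: the new `ciphers` value on the `+` line does not remove RSA key-exchange suites, which is what the ROBOT check flagged and what the log message says this change does. None of the exclusions in `HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5` touch key exchange (`!aNULL`/`!eNULL` cover authentication and encryption, the rest name ciphers or a digest), so static-RSA suites such as AES256-GCM-SHA384 (Kx=RSA) stay enabled. Append the OpenSSL keyword `!kRSA` so the property reads `value="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"`; do not use `!RSA`, which would also drop every ECDHE-RSA suite because those use RSA for authentication. Removing `sslProtocol` is fine given the log message notes TLS is the default, but a short XML comment above the `ciphers` line recording why RSA key exchange is excluded would stop the next edit from "simplifying" the string back.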
@@ -207,8 +206,7 @@ under the License.
             <property name="keystoreFile" value="framework/base/config/ofbizssl.jks"/>
             <property name="keystorePass" value="changeit"/>
             <property name="keystoreType" value="JKS"/>
-            <property name="sslProtocol" value="TLS"/>
-            <property name="ciphers" value=""/>
+            <property name="ciphers" value="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"/>
         </property>
     </container>
     <!--
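Review bot: the test container gets a verbatim copy of the same `ciphers` string, so it has the same gap and needs the same `!kRSA` suffix; once the main container's value is settled, this one should be kept identical, and a comment in each block pointing at the other would make the duplication obvious to whoever next edits only one of them.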
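The log message above says the new cipher string removes RSA, but an OpenSSL-syntax list like this one has to be expanded to see which suites it really keeps. The following is an added check and not part of the commit or of OFBiz or Tomcat: it asks the local OpenSSL build (via Python's `ssl` module) to expand the committed string and a variant with `:!kRSA` appended (the suffix is this example's assumption), then lists the suites whose key exchange is static RSA, the ones the ROBOT attack targets. Tomcat 8.5 accepts the same OpenSSL syntax for this attribute, but the suites a given JVM actually offers can differ, so this verifies the semantics of the string, not a running OFBiz instance.

```python
import ssl

# The cipher list committed in r1818402, copied from the diff above, and a
# hardened variant that additionally excludes RSA key exchange. The ":!kRSA"
# suffix is an assumption of this example; the commit does not contain it.
COMMIT_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
HARDENED_CIPHERS = COMMIT_CIPHERS + ":!kRSA"


def expand(cipher_list):
    """Resolve an OpenSSL-syntax cipher list into the concrete suites the
    local OpenSSL build would offer, as (suite name, key exchange) pairs.

    Each entry from SSLContext.get_ciphers() carries a description such as
      "AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD"
    and the Kx= token is what distinguishes static RSA key exchange (the
    ROBOT target) from (EC)DHE suites or the TLS 1.3 suites, whose key
    exchange is reported as "any".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError on a malformed list
    suites = []
    for cipher in ctx.get_ciphers():
        kx = "?"
        for field in cipher["description"].split():
            if field.startswith("Kx="):
                kx = field.split("=", 1)[1]
                break
        suites.append((cipher["name"], kx))
    return suites


def rsa_key_exchange_suites(cipher_list):
    """Names of the suites in cipher_list that use static RSA key exchange."""
    return [name for name, kx in expand(cipher_list) if kx == "RSA"]


def report(cipher_list):
    """Print the expansion of a cipher list and flag the RSA-kx suites."""
    suites = expand(cipher_list)
    flagged = rsa_key_exchange_suites(cipher_list)
    print(f"{cipher_list}\n  {len(suites)} suites, {len(flagged)} with Kx=RSA")
    for name in flagged:
        print(f"  still offered: {name}")


if __name__ == "__main__":
    report(COMMIT_CIPHERS)
    report(HARDENED_CIPHERS)
```

The committed string expands to a list that still contains Kx=RSA suites, while the `!kRSA` variant expands to a strict subset of it with none left; the ECDHE-RSA suites survive in both, since `kRSA` only matches key exchange, not RSA authentication. The same expansion can be reproduced with `openssl ciphers -v '<list>'` on a host that has the OpenSSL CLI.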