Hi Jacques-- Thank you for your help!
We are in a bit of a pickle with the poodle bleed because we will lose our Trustwave certification if we don't disable SSLv3 very soon, so I hope you don't mind me contacting you. I need to make a correction: we are using Tomcat 6 and Java 6 with OFBiz 09.04. When I compile with Java 7, our build fails, so we most likely don't have time to upgrade our server or Java.

Per these Apache tickets:
https://issues.apache.org/jira/browse/HADOOP-11243?jql=text%20~%20%22sslv3%22
https://issues.apache.org/jira/browse/HDFS-7274?jql=text%20~%20%22sslv3%22

So far I have edited all server.xml files to include:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1" keystoreFile="${ofbizHome}/framework/base/config/ofbizssl.jks" keystorePass="changeit"/>

All ofbiz-container.xml and test-container.xml files to include:

<property name="sslProtocol" value="TLS"/>
<property name="sslEnabledProtocols" value="TLSv1"/>
<property name="ciphers" value="TLS_RSA_WITH_AES_128_CBC_SHA"/>

And I have edited the SSLUtil.java file like below:

+ private final static String[] enabledProtocols = {"TLSv1"}; private static boolean loadedProps = false; @@ -148,8 +149,9 @@ KeyManager[] km = SSLUtil.getKeyManagers(ks, password, alias); TrustManager[] tm = SSLUtil.getTrustManagers(); - SSLContext context = SSLContext.getInstance("SSL"); + SSLContext context = SSLContext.getInstance("TLS"); context.init(km, tm, new SecureRandom()); + context.getDefaultSSLParameters().setProtocols(enabledProtocols); return context.getSocketFactory(); } @@ -162,8 +164,9 @@ tm = SSLUtil.getTrustManagers(); } - SSLContext context = SSLContext.getInstance("SSL"); + SSLContext context = SSLContext.getInstance("TLS"); context.init(km, tm, new SecureRandom()); + context.getDefaultSSLParameters().setProtocols(enabledProtocols); return context.getSocketFactory(); }
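Review bot: the added line context.getDefaultSSLParameters().setProtocols(enabledProtocols) in both hunks that end in return context.getSocketFactory() is a no-op. SSLContext.getDefaultSSLParameters() returns a fresh SSLParameters copy on every call, so the protocol list is written to a throwaway object and the factory returned by context.getSocketFactory() still enables whatever the JVM enables by default, SSLv3 included. The restriction has to be applied where it takes effect: call ((SSLSocket) s).setEnabledProtocols(enabledProtocols) on every socket the factory creates, or wrap the returned factory so each createSocket() does that. Changing getInstance("SSL") to getInstance("TLS") is harmless but does nothing on its own; in SunJSSE both names give a context with the same default enabled protocols.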
@@ -179,8 +182,9 @@ TrustManager[] tm = SSLUtil.getTrustManagers(); KeyManager[] km = SSLUtil.getKeyManagers(ks, password, alias); - SSLContext context = SSLContext.getInstance("SSL"); + SSLContext context = SSLContext.getInstance("TLS"); context.init(km, tm, new SecureRandom()); + context.getDefaultSSLParameters().setProtocols(enabledProtocols); return context.getServerSocketFactory(); } @@ -188,8 +192,9 @@ TrustManager[] tm = SSLUtil.getTrustManagers(); KeyManager[] km = SSLUtil.getKeyManagers(alias); - SSLContext context = SSLContext.getInstance("SSL"); + SSLContext context = SSLContext.getInstance("TLS"); context.init(km, tm, new SecureRandom()); + context.getDefaultSSLParameters().setProtocols(enabledProtocols); return context.getServerSocketFactory(); } 
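Review bot: the two server-side hunks (the ones returning context.getServerSocketFactory()) have the same defect: setProtocols on the SSLParameters copy never reaches the SSLServerSocketFactory, so server sockets built from it still accept SSLv3. For server sockets the working form is ((SSLServerSocket) ss).setEnabledProtocols(enabledProtocols) after each createServerSocket(), or an SSLServerSocketFactory wrapper that does it for every socket it hands out; the enabledProtocols field added at the top of the file is the right place to keep the list, it just needs to be applied to sockets rather than to the discarded copy.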
@@ -241,10 +246,16 @@ public static synchronized void loadJsseProperties(boolean debug) { if (!loadedProps) { - String protocol = UtilProperties.getPropertyValue("jsse.properties", "java.protocol.handler.pkgs", "NONE"); + //https.protocols + System.setProperty("https.protocols","TLSv1"); + + String httpsProtocols = UtilProperties.getPropertyValue("jsse.properties", "https.protocols", "NONE"); + Debug.logWarning("httpsPrototocols\n\n\n\n"+httpsProtocols, module); + String protocol = UtilProperties.getPropertyValue("jsse.properties", "java.protocol.handler.pkgs", "NONE");

When I run this command after rebooting, SSLv3 is still there:

openssl s_client -connect localhost:portnumberhere -ssl3

SSL handshake has read 2252 bytes and written 306 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA
    Session-ID: 54581E11E7D76F831163F623929471D93BF7C9504864A7371F37D9E5800A85CE
    Session-ID-ctx:
    Master-Key: 9E558673AC149A603F16DCEA8AB637CF2DB5EDD9582A7191AD519574906D569E2EBCCB5DF1D96957DD7115F134511EBB
    Key-Arg   : None
    Start Time: 1415061009
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

ANY OTHER IDEAS ON HOW TO DISABLE SSLV3??

--
View this message in context: http://ofbiz.135035.n4.nabble.com/Re-Ofbiz-09-04-piddle-bleed-fix-tp4657772p4657820.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
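Review bot: the https.protocols property set in the loadJsseProperties hunk only constrains client-side HttpsURLConnection handshakes; it has no effect on any listening socket, so it cannot change what openssl s_client -ssl3 negotiates against the server port, which is exactly what the output above shows (Protocol : SSLv3). Within the hunk, System.setProperty("https.protocols","TLSv1") hardcodes the value immediately before the jsse.properties lookup of the same key, so the configured httpsProtocols is read, logged and never applied, and the Debug.logWarning with four embedded newlines reads as leftover debug output. Either apply the looked-up value with System.setProperty("https.protocols", httpsProtocols) when it is not "NONE" and drop the hardcoded call, or drop the whole addition, since it does not address the server side.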

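The reason the SSLUtil patch above leaves SSLv3 enabled is that SSLContext.getDefaultSSLParameters() hands back a copy, so setProtocols() on it changes nothing. The following is an added example, not OFBiz code and not from the original message, showing the difference and the fix that does work for server sockets: a wrapper around the SSLServerSocketFactory that calls setEnabledProtocols() on every socket it creates. The class name ProtocolRestrictingServerSocketFactory is my own; the context is initialised with no key material because creating (not handshaking) a server socket is enough to inspect its enabled protocols.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example (hypothetical class, not part of OFBiz): an SSLServerSocketFactory
 * that restricts the enabled protocols of every SSLServerSocket it hands out.
 * Works on Java 6: setEnabledProtocols() is the only per-socket control there.
 */
public final class ProtocolRestrictingServerSocketFactory extends SSLServerSocketFactory {
    private final SSLServerSocketFactory delegate;
    private final String[] enabledProtocols;

    public ProtocolRestrictingServerSocketFactory(SSLServerSocketFactory delegate, String... enabledProtocols) {
        this.delegate = delegate;
        this.enabledProtocols = enabledProtocols.clone();
    }

    // Every creation path funnels through here, so no socket escapes the restriction.
    private ServerSocket restrict(ServerSocket socket) {
        ((SSLServerSocket) socket).setEnabledProtocols(enabledProtocols);
        return socket;
    }

    @Override public ServerSocket createServerSocket() throws IOException {
        return restrict(delegate.createServerSocket());
    }
    @Override public ServerSocket createServerSocket(int port) throws IOException {
        return restrict(delegate.createServerSocket(port));
    }
    @Override public ServerSocket createServerSocket(int port, int backlog) throws IOException {
        return restrict(delegate.createServerSocket(port, backlog));
    }
    @Override public ServerSocket createServerSocket(int port, int backlog, InetAddress ifAddress) throws IOException {
        return restrict(delegate.createServerSocket(port, backlog, ifAddress));
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    public static void main(String[] args) throws Exception {
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null); // no keystore needed just to create a server socket

        // 1. What the patch does: modifies a copy, leaves the context untouched.
        SSLParameters copy = context.getDefaultSSLParameters();
        copy.setProtocols(new String[] {"TLSv1"});
        System.out.println("context defaults after setProtocols on the copy: "
                + Arrays.toString(context.getDefaultSSLParameters().getProtocols()));

        // 2. Unwrapped factory: the JVM's default enabled list (SSLv3 is in it on this Java 6 setup).
        SSLServerSocket plain = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(0);
        System.out.println("plain socket:      " + Arrays.toString(plain.getEnabledProtocols()));
        plain.close();

        // 3. Wrapped factory: only the protocols we allow, applied per socket.
        SSLServerSocketFactory restricted =
                new ProtocolRestrictingServerSocketFactory(context.getServerSocketFactory(), "TLSv1");
        SSLServerSocket tlsOnly = (SSLServerSocket) restricted.createServerSocket(0);
        System.out.println("restricted socket: " + Arrays.toString(tlsOnly.getEnabledProtocols()));
        tlsOnly.close();
    }
}
```

Save as ProtocolRestrictingServerSocketFactory.java, compile and run it with the same JDK the server uses: the first line shows the context's defaults unchanged by setProtocols on the copy, the second shows SSLv3 still enabled on a socket from the raw factory, the third shows only TLSv1. The same wrapping idea (an SSLSocketFactory that calls setEnabledProtocols on each created SSLSocket) covers the two getSocketFactory() paths in SSLUtil. One caveat: the port probed with openssl s_client -ssl3 is served by the embedded Tomcat connector, which builds its own sockets and never goes through SSLUtil, so fixing SSLUtil alone cannot change that result; for that port, confirm the Tomcat 6 build bundled with 09.04 actually honours the sslEnabledProtocols attribute, because if it ignores it the JVM defaults apply and SSLv3 stays on, and re-run the openssl test after each change.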