
Fixes #8173: Disable SSLv3 in tomcat #14

Merged (1 commit), Nov 3, 2014

Conversation

@ehelms (Member) commented Oct 29, 2014

No description provided.

@stbenjam (Member) commented Nov 3, 2014

Ran the installer with these changes and registered a client, and it all works, but Red Hat's POODLE 🐩 script (https://access.redhat.com/articles/1232123) still reports vulnerable:

[root@katello-centos6-bats tomcat6]# /tmp/poodle.sh localhost 8443
localhost:8443 - Vulnerable!  SSLv3 connection established using SSLv3/AES256-SHA

@@ -89,6 +89,7 @@
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="want" SSLProtocol="TLS"
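Review bot: `SSLProtocol="TLS"` on the 8443 connector does not remove SSLv3 from what the connector will negotiate; the poodle.sh run earlier in this thread still establishes an SSLv3 connection on port 8443 with this line in place, and the KB comment linked in this thread says the same. The singular attribute selects the SSL context type rather than listing the versions the connector offers, so the hunk should set the enabled-version list instead, i.e. replace `clientAuth="want" SSLProtocol="TLS"` with `clientAuth="want" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"`, which is the form the reviewer re-tested as "Not vulnerable". A short comment in server.xml stating why the list form is used would stop the next editor from "simplifying" it back.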
Member commented on these lines:

According to comments on the KB article here:
https://access.redhat.com/solutions/1232233#comment-835403

This line, confusingly, actually enables SSLv3 and TLS.

This does the trick:

92c92
<                clientAuth="want" SSLProtocol="TLS"
---
>                clientAuth="want" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"

No POODLE 🐩

[root@katello-centos6-bats tomcat6]# /tmp/poodle.sh localhost 8443
localhost:8443 - Not vulnerable.  Failed to establish SSLv3 connection.
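To catch this class of mistake before a scanner does, here is an added example (not code from the PR or from the Foreman/Katello installer) that audits Tomcat server.xml connectors for the weak form discussed above. It assumes the Tomcat 6 attribute `sslProtocols` and the Tomcat 7+ attribute `sslEnabledProtocols` are the ones that actually restrict negotiated versions, and uses constructed server.xml fragments mirroring the before/after state of this change.

```python
"""Audit Tomcat server.xml connectors for SSLv3 exposure (added example)."""
import xml.etree.ElementTree as ET

# Attributes that restrict which protocol versions a JSSE connector offers:
# Tomcat 6 uses sslProtocols, Tomcat 7+ uses sslEnabledProtocols (assumption).
PROTOCOL_LIST_ATTRS = ("sslprotocols", "sslenabledprotocols")
WEAK_VERSIONS = ("SSLV2", "SSLV3")


def audit_connectors(server_xml: str):
    """Return (port, reason) for each SSL-enabled <Connector> that may accept SSLv3."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # Tomcat attribute names are matched loosely; normalise to lower-case.
        attrs = {k.lower(): v for k, v in conn.attrib.items()}
        if attrs.get("sslenabled", "false").lower() != "true":
            continue
        port = attrs.get("port", "?")
        enabled = next((attrs[a] for a in PROTOCOL_LIST_ATTRS if a in attrs), None)
        if enabled is None:
            # sslProtocol="TLS" alone only names the SSL context type; the
            # poodle.sh run in this thread shows SSLv3 still negotiates.
            findings.append((port, "no sslProtocols/sslEnabledProtocols list; SSLv3 may be negotiated"))
            continue
        versions = [v.strip().upper() for v in enabled.split(",") if v.strip()]
        weak = [v for v in versions if v in WEAK_VERSIONS or v == "SSL"]
        if weak:
            findings.append((port, "weak protocols enabled: " + ",".join(weak)))
    return findings


# Constructed server.xml fragments: BEFORE mirrors the hunk under review,
# AFTER applies the reviewer's sslProtocols fix.
BEFORE = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="want" SSLProtocol="TLS" />
  <Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>"""

AFTER = BEFORE.replace('SSLProtocol="TLS"', 'sslProtocols="TLSv1,TLSv1.1,TLSv1.2"')

if __name__ == "__main__":
    for label, xml_text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_connectors(xml_text) or "OK")
```

Run it against a real server.xml by reading the file into `audit_connectors`; an empty list means every SSL-enabled connector carries an explicit version list with no SSLv2/SSLv3 entry.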

@stbenjam (Member) commented Nov 3, 2014

ACK

@stbenjam (Member) commented Nov 3, 2014

(@ehelms Already re-tested client registration as well, everything works fine)

ehelms added a commit that referenced this pull request Nov 3, 2014:
Fixes #8173: Disable SSLv3 in tomcat

@ehelms merged commit 5111306 into theforeman:master Nov 3, 2014