About Data Center Security: Server (Advanced) and the Poodle SSL 3.0 vulnerability (CVE-2014-3566)

Article ID: 161461

Products

Critical System Protection, Data Center Security Server, Critical System Protection Client Edition, Data Center Security Server Advanced

Issue/Introduction

A security vulnerability affecting SSL 3.0 (POODLE, CVE-2014-3566) was publicly disclosed on October 14, 2014.

Resolution

The DCS 6.0.x and CSP 5.2.9 Managers use a version of SSL 3.0 that is susceptible to POODLE. Customers should add the entry sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to <server install>\tomcat\conf\server.xml. All future releases will contain this change by default.

Recommended steps:
  1. Stop the CSP/DCS manager service.
  2. Take a backup of the server.xml file.
  3. Edit the server.xml file to make the suggested changes, using an XML editor to ensure that the double quotes (") are written with the appropriate encoding.
  4. Start the CSP/DCS manager service.

CSP Server 5.2.9 MP1 - MP5 (using Tomcat 7.x)
DCS:SA Server 6.0, 6.0 MP1 (using Tomcat 7.x)
 
The entry sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" needs to be added to the three SSL Connectors configured in server.xml.
These SSL Connectors are for the:
 
•    Tomcat Stand-Alone Agent Service
•    Tomcat Stand-Alone Console Service
•    Tomcat Stand-Alone Service
 
The following example shows this change:
 
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
maxThreads="200" minSpareThreads="50" enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
acceptCount="25" scheme="https" secure="true" SSLEnabled="true"
keystorePass="<KeyStorePassword>"
keystoreFile="<KeyStoreFilePath>"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="%comma_separated_list_of_ciphers%"/>
 
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
maxThreads="40" minSpareThreads="10" enableLookups="false"
disableUploadTimeout="true" maxKeepAliveRequests="1"
acceptCount="10" scheme="https" secure="true" SSLEnabled="true"
keystorePass="<KeyStorePassword>"
keystoreFile="<KeyStoreFilePath>"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="%comma_separated_list_of_ciphers%"/>
 
CSP Server 5.2.8 – 5.2.8 MP4 and 5.2.9 (using Tomcat 5.x):

The entry sslProtocols="TLSv1,TLSv1.1,TLSv1.2" needs to be added to the following SSL Connector configured in server.xml:

•    Tomcat Stand-Alone Service

The entry sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2" needs to be added to the following SSL Connectors configured in server.xml:

•    Tomcat Stand-Alone Console Service
•    Tomcat Stand-Alone Agent Service

The following example shows this change:
 
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
maxThreads="200" minSpareThreads="50" maxSpareThreads="100"
enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
acceptCount="25" debug="0" scheme="https" secure="true"
keystorePass="<KeyStorePassword>"
keystoreFile="<KeyStoreFilePath>"
clientAuth="false" sslProtocol="TLS" sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
ciphers="%comma_separated_list_of_ciphers%"/>
 
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
maxThreads="40" minSpareThreads="10" maxSpareThreads="25"
enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
acceptCount="10" debug="0" scheme="https" secure="true"
keystorePass="<KeyStorePassword>"
keystoreFile="<KeyStoreFilePath>"
clientAuth="false" sslProtocol="TLS" sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
ciphers="%comma_separated_list_of_ciphers%"/>
 
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
maxThreads="55" minSpareThreads="5" maxSpareThreads="8"
enableLookups="false" acceptCount="10" maxKeepAliveRequests="1" debug="0"
connectionTimeout="20000" scheme="https" disableUploadTimeout="true" secure="true"
keystorePass="<KeyStorePassword>"
keystoreFile="<KeyStoreFilePath>"
clientAuth="false" sslProtocol="TLS" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="%comma_separated_list_of_ciphers%"/> 
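
After editing, it is easy to miss one of the three connectors. The following added example (not part of the original article or the product) audits a server.xml for the entry described above; the sample XML is constructed, and it assumes the service names listed in this article appear as the name attribute of each Service element.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real server.xml: three HTTPS connectors on the
# ports the article tests (443, 4443, 8081) plus one non-SSL connector.
SAMPLE = """<Server>
  <Service name="Tomcat Stand-Alone Agent Service">
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </Service>
  <Service name="Tomcat Stand-Alone Console Service">
    <Connector port="4443" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS"/>
  </Service>
  <Service name="Tomcat Stand-Alone Service">
    <Connector port="8081" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS" sslEnabledProtocols="SSLv3, TLSv1"/>
    <Connector port="8006" protocol="AJP/1.3"/>
  </Service>
</Server>"""


def audit_connectors(xml_text, attr="sslEnabledProtocols"):
    """Return [(service name, port, finding)] for each HTTPS Connector.

    attr is the attribute the article gives for the Tomcat version in use:
    sslEnabledProtocols (Tomcat 7.x) or sslProtocols (Tomcat 5.x).
    Findings: OK, MISSING (attribute absent), SSLV3 (SSLv3 still listed).
    """
    findings = []
    for service in ET.fromstring(xml_text).iter("Service"):
        for conn in service.iter("Connector"):
            if conn.get("scheme", "").lower() != "https":
                continue  # only the SSL connectors need the entry
            value = conn.get(attr)
            if value is None:
                finding = "MISSING"
            else:
                protocols = {p.strip().lower() for p in value.split(",")}
                finding = "SSLV3" if "sslv3" in protocols else "OK"
            findings.append((service.get("name"), conn.get("port"), finding))
    return findings


if __name__ == "__main__":
    for name, port, finding in audit_connectors(SAMPLE):
        print(f"{finding:8} port {port:5} {name}")
```

Any connector reported as MISSING or SSLV3 still needs the edit; SSLv2Hello is reported as OK because the article keeps it for the Tomcat 5.x console and agent connectors.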
 

How to test the fix for the POODLE vulnerability on SCSP/DCS

The openssl tool can be used for this purpose. The -ssl3 option is only available in openssl builds that include SSLv3 support.

To confirm that communication over the SSLv3 protocol is not allowed, run the following openssl commands from a machine where openssl is installed:

  • Port 443 is used for server-agent communication:

     openssl s_client -debug -state -connect <IP of SP server>:443 -ssl3

  • Port 4443 is used for server-console communication:

     openssl s_client -debug -state -connect <IP of SP server>:4443 -ssl3

  • Port 8081 is used for accessing the web console:

     openssl s_client -debug -state -connect <IP of SP server>:8081 -ssl3

Expected behavior: In all of the above cases, communication should fail with the handshake error "SSL3 alert write:fatal:handshake failure".
              
To confirm that SSL 3.0 is not allowed during web console access:

 In Internet Explorer, go to Internet Options -> Advanced settings -> Security, uncheck the TLSv1 checkbox and keep SSL 3.0 checked, then restart IE.
 Now try to access the web console using https://<Your CSP ServerIP>:8081/webui/apps/scsp

Expected behavior: You should not be able to access the web console.
 
 
To confirm that communication over the TLS protocol is allowed, use the following commands:

 openssl s_client -debug -state -connect <IP of SP server>:443 -tls1

 openssl s_client -debug -state -connect <IP of SP server>:4443 -tls1

 openssl s_client -debug -state -connect <IP of SP server>:8081 -tls1

Expected behavior: In all of the above cases, communication should succeed.

To confirm that TLS is allowed during web console access:

 In Internet Explorer, go to Internet Options -> Advanced settings -> Security, uncheck the SSL 3.0 checkbox and keep TLS 1.0 checked, then restart IE.
 Now try to access the web console using the URL https://<Your CSP ServerIP>:8081/webui/apps/scsp

Expected behavior: You should be able to access the web console.
  
The following 3 SSL ciphers are listed in the server.xml file:

• SSL_RSA_WITH_RC4_128_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_WITH_RC4_128_MD5

To test communication using a specific cipher, use the following commands:

 openssl s_client -debug -cipher "DES-CBC3-SHA" -state -connect <IP of CSP server>:443 -ssl3

 openssl s_client -debug -cipher "RC4-SHA" -state -connect <IP of CSP server>:443 -ssl3

 openssl s_client -debug -cipher "RC4-MD5" -state -connect <IP of CSP server>:443 -ssl3

Note: The same commands can be used to test the other ports.

For the cipher parameters to use in the openssl command, refer to: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html

Expected behavior: The communication fails with the error "SSL3 alert write:fatal:handshake failure".
This shows that those ciphers are not used even though they are present in server.xml.