Introduction:
Steps to disable the SSLv3 protocol (POODLE vulnerability) on the application servers supported by Identity Governance
This applies to CA Identity Governance
What is the POODLE Vulnerability?
The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message. (CA Support official statement can be reviewed by following the link http://www.ca.com/us/support/ca-support-online/product-content/recommended-reading/security-notices/tls-poodle-vulnerability-statement.aspx )
Who is affected by this Vulnerability?
This vulnerability affects every piece of software that can be coerced into communicating with SSLv3. This means that any software implementing a fallback mechanism that includes SSLv3 support is vulnerable and can be exploited.
Some common pieces of software that may be affected are web browsers, web servers, VPN servers, mail servers, etc.
How Can I Protect Myself?
Servers and clients should take steps to disable SSLv3 support completely. Many applications use better encryption by default, but implement SSLv3 support as a fallback option. This should be disabled, as a malicious user can force SSLv3 communication if both participants allow it as an acceptable method.
Instructions:
Steps to disable SSLv3 protocol on JBoss and WebSphere:
Steps to disable SSLv3 protocol on JBoss5.x (Distributed with Identity Governance)
<Connector protocol="HTTP/1.1" URIEncoding="UTF-8" SSLEnabled="true" port="8443" address="${jboss.bind.address}" scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" keystorePass="rmi+ssl"
sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />
Steps to disable SSLv3 protocol on JBoss6.x EAP:
<ssl name="ssl" password="changeit" protocol="TLSv1,TLSv1.1,TLSv1.2" key-alias="jbosskey" certificate-key-file="../standalone/configuration/server.keystore"/>
Steps to disable SSLv3 protocol on WebSphere:
Log in to the IBM admin console
NOTE: The protocol label SSL_TLS does not disable SSLv3; it means the protocol supports SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. Select TLS, TLSv1, TLSv1.1 or TLSv1.2 only.
How to check if SSLv3 is disabled:
openssl s_client -connect <machine_name>:<ssl_port> -ssl3
If SSLv3 is disabled, the handshake fails:
Loading 'screen' into random state - done
CONNECTED(00000170)
7468:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:./ssl/s3_pkt.c:530:
If SSLv3 is still enabled, the handshake completes and the session reports SSLv3:
Loading 'screen' into random state - done
CONNECTED(00000170)
Server certificate
No client certificate CA names sent
---
SSL handshake has read 628 bytes and written 206 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 512 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : RC4-MD5
Session-ID: 29CF95B2940A63A7C9825089F9CA29AC
Session-ID-ctx:
Master-Key: 48B579BAE0F83617737187B69C07D95DAA7F61E846D3EFDDC9F7560079C521605FF4F9FA50735C55F46932EB8805ACFD
Key-Arg : None
Start Time: 1416809004
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
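The check above can be scripted. The following is an added example, not part of the original article or of CA's tooling: a shell helper that reads captured s_client output and reports whether SSLv3 was refused or negotiated. The name classify_ssl3, the verdict strings and the two sample inputs are constructed for illustration.

```shell
# Added example: classify captured `openssl s_client ... -ssl3` output read from stdin.
# classify_ssl3 and its verdict strings are this example's own names, not OpenSSL's.
classify_ssl3() {
    out=$(cat)
    has() { printf '%s\n' "$out" | grep -Eqi "$1"; }

    # Client-side failures say nothing about the server.
    if has 'unknown option'; then echo INCONCLUSIVE; return 0; fi  # client built without SSLv3
    if ! has '^CONNECTED\('; then echo INCONCLUSIVE; return 0; fi  # no TCP connection

    # SSLv3 was negotiated only if the session block names it AND a cipher was agreed.
    # "New, TLSv1/SSLv3, Cipher is ..." is printed for TLS sessions too, so it is
    # used here only to see whether a cipher was chosen, never as the protocol.
    if has '^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*SSLv3' && has 'Cipher is [^(]'; then
        echo ENABLED; return 0
    fi
    if has 'handshake failure|Cipher is \(NONE\)'; then echo DISABLED; return 0; fi
    echo INCONCLUSIVE
}

# Constructed sample: refused handshake, including the empty session block
# that some OpenSSL versions still print after the failure.
sample_refused() { cat <<'EOF'
CONNECTED(00000170)
7468:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:./ssl/s3_pkt.c:530:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
}

# Constructed sample: abridged from the successful SSLv3 session shown above.
sample_accepted() { cat <<'EOF'
CONNECTED(00000170)
New, TLSv1/SSLv3, Cipher is RC4-MD5
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
EOF
}

sample_refused  | classify_ssl3   # prints DISABLED
sample_accepted | classify_ssl3   # prints ENABLED
# Live use: openssl s_client -connect <machine_name>:<ssl_port> -ssl3 </dev/null 2>&1 | classify_ssl3
```

An INCONCLUSIVE verdict means the test itself did not run (no connection, or an openssl client that no longer accepts -ssl3), so repeat it from a client that can still offer SSLv3 before treating the server as fixed.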