...
| Table of Contents | ||||
|---|---|---|---|---|
|
Disable SSL
...
on Carbon server
| Info |
|---|
It is necessary to disable SSL version 3 in Carbon servers because of a bug (Poodle Attack) in the SSL version 3 protocol that could expose critical data encrypted between clients and servers. The Poodle Attack makes the system vulnerable by telling the client that the server does not support the more secure TLS (Transport Layer Security) protocol, and thereby forces it to connect via SSL 3. 0. The effect of this bug can be mitigated by disabling SSL version 3 protocol for your server. |
Follow the steps given below to disable SSL 3.0 support on WSO2 Carbon 4.3.0 based servers.
- Open the
<PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xmlfile. - Make a backup of the
catalina-server.xmlfile and stop the Carbon server. - Find the Connector configuration corresponding to TLS (usually, this connector has the port set to 9443 and the
sslProtocolas TLS).If you are using JDK 1.6, remove the
sslProtocol="TLS"attribute from the configuration and replace it withsslEnabledProtocols="TLSv1"as shown below.Code Block <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" bindOnInit="false" sslEnabledProtocols="TLSv1"If you are using JDK 1.7, remove the
sslProtocol="TLS"attribute from the above configuration and replace it withsslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"as shown below.Code Block <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" bindOnInit="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
Start the server.
Note In some Carbon products, such as WSO2 ESB and WSO2 API Manager, pass-thru transports are enabled. Therefore, to disable SSL version 3 in such products, the
axis2.xmlfile stored in the<PRODUCT_HOME>/repository/conf/axis2/directory should also be configured.
To test if SSL version 3 is disabled:
- Download
TestSSLServer.jarfrom here. Execute the following command to test the transport:
Code Block java -jar TestSSLServer.jar localhost 9443
The output of the command before and after disabling SSL version 3 is shown below.
Before SSL version 3 is disabled:Code Block Supported versions: SSLv3 TLSv1.0 Deflate compression: no Supported cipher suites (ORDER IS NOT SIGNIFICANT): SSLv3 RSA_EXPORT_WITH_RC4_40_MD5 RSA_WITH_RC4_128_MD5 RSA_WITH_RC4_128_SHA RSA_EXPORT_WITH_DES40_CBC_SHA RSA_WITH_DES_CBC_SHA RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA_EXPORT_WITH_DES40_CBC_SHA DHE_RSA_WITH_DES_CBC_SHA DHE_RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA DHE_RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA DHE_RSA_WITH_AES_256_CBC_SHA (TLSv1.0: idem)After SSL version 3 is disabled:
Code Block Supported versions: TLSv1.0 Deflate compression: no Supported cipher suites (ORDER IS NOT SIGNIFICANT): TLSv1.0 RSA_EXPORT_WITH_RC4_40_MD5 RSA_WITH_RC4_128_MD5 RSA_WITH_RC4_128_SHA RSA_EXPORT_WITH_DES40_CBC_SHA RSA_WITH_DES_CBC_SHA RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA_EXPORT_WITH_DES40_CBC_SHA DHE_RSA_WITH_DES_CBC_SHA DHE_RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA DHE_RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA DHE_RSA_WITH_AES_256_CBC_SHA
...
- Go to the
catalina-server.xmlfile in the<PRODUCT_HOME>/repository/conf/tomcatdirectory. - Make a backup of the
catalina-server.xmlfile and stop the Carbon server (same as for disabling SSL version 3). Add the
cipherattribute to the existing configuration in thecatalina-server.xmlfile by adding the list of ciphers that you want your server to support as follows:ciphers="<cipher-name>,<cipher-name>".Code Block ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"- Start the server.