The DCS 6.0.x and CSP 5.2.9 Manager use a version of SSL 3.0 that is susceptible to POODLE. Customers should add the entry sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to <server install>\tomcat\conf\server.xml. All future releases will contain this change by default.
Recommended steps:
- Stop the CSP/DCS Manager service
- Take a backup of the server.xml file
- Edit server.xml to make the suggested changes, using an XML editor to ensure that the double quotes (") are written with the correct encoding
- Start the CSP/DCS Manager service
CSP Server 5.2.9 MP1 - MP5 (using Tomcat 7.x)
DCS:SA Server 6.0, 6.0 MP1 (using Tomcat 7.x)
The entry sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" needs to be added to the three SSL Connectors configured in server.xml.
These SSL Connectors are for the:
• Tomcat Stand-Alone Agent Service
• Tomcat Stand-Alone Console Service
• Tomcat Stand-Alone Service
The following example shows this change:
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
maxThreads="200" minSpareThreads="50" enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
acceptCount="25" scheme="https" secure="true" SSLEnabled="true"
keystorePass="<KeyStorePassword>"
keystoreFile="<KeyStoreFilePath>"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="%comma_separated_list_of_ciphers%"/>
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
maxThreads="40" minSpareThreads="10" enableLookups="false"
disableUploadTimeout="true" maxKeepAliveRequests="1"
acceptCount="10" scheme="https" secure="true" SSLEnabled="true"
keystorePass="<KeyStorePassword>"
keystoreFile="<KeyStoreFilePath>"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="%comma_separated_list_of_ciphers%"/>
CSP Server 5.2.8 – 5.2.8 MP4 and 5.2.9 (using Tomcat 5.x):
The entry sslProtocols="TLSv1,TLSv1.1,TLSv1.2" needs to be added to the following SSL Connector configured in server.xml.
• Tomcat Stand-Alone Service
The entry sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2" needs to be added to the following SSL Connector configured in server.xml.
• Tomcat Stand-Alone Console Service
• Tomcat Stand-Alone Agent Service
The following example shows this change:
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
maxThreads="200" minSpareThreads="50" maxSpareThreads="100"
enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
acceptCount="25" debug="0" scheme="https" secure="true"
keystorePass="<KeyStorePassword>"
keystoreFile="<KeyStoreFilePath>"
clientAuth="false" sslProtocol="TLS" sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
ciphers="%comma_separated_list_of_ciphers%"/>
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
maxThreads="40" minSpareThreads="10" maxSpareThreads="25"
enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
acceptCount="10" debug="0" scheme="https" secure="true"
keystorePass="<KeyStorePassword>"
keystoreFile="<KeyStoreFilePath>"
clientAuth="false" sslProtocol="TLS" sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
ciphers="%comma_separated_list_of_ciphers%"/>
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
maxThreads="55" minSpareThreads="5" maxSpareThreads="8"
enableLookups="false" acceptCount="10" maxKeepAliveRequests="1" debug="0"
connectionTimeout="20000" scheme="https" disableUploadTimeout="true" secure="true"
keystorePass="<KeyStorePassword>"
keystoreFile="<KeyStoreFilePath>"
clientAuth="false" sslProtocol="TLS" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="%comma_separated_list_of_ciphers%"/>
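Before restarting the service it is worth checking that every SSL Connector actually received the new attribute, and that none still lists SSLv3. The script below is an added example and is not part of this article or of the CSP/DCS product: it parses a server.xml, accepts either sslEnabledProtocols (Tomcat 7.x) or sslProtocols (Tomcat 5.x), tolerates the SSLv2Hello value the Tomcat 5.x connectors keep, and reports any SSL connector that is missing the attribute or still allows SSLv3. The embedded server.xml is a constructed sample; port 9443 in it is invented for the negative case.

```python
"""Check every SSL Connector in a Tomcat server.xml for the POODLE change.

Added example; this script is not part of the article or the CSP/DCS product.
It reads the protocol list from sslEnabledProtocols (Tomcat 7.x) or
sslProtocols (Tomcat 5.x) on each Connector that terminates SSL and
reports connectors that still list SSLv3, or that have no explicit list.
"""
import sys
import xml.etree.ElementTree as ET

# Attribute names used by the two Tomcat generations covered in the article.
PROTOCOL_ATTRS = ("sslEnabledProtocols", "sslProtocols")
# Protocol names that must not appear once SSL 3.0 is disabled.
FORBIDDEN = {"SSLv3", "SSLv2"}
# Values the article itself uses. SSLv2Hello only selects the hello record
# format; the article keeps it on two Tomcat 5.x connectors, so it is allowed.
ALLOWED = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"}


def is_ssl_connector(conn):
    """Tomcat 7.x marks SSL connectors with SSLEnabled="true"; the Tomcat 5.x
    connectors in the article carry only scheme="https"."""
    return (conn.get("SSLEnabled", "").lower() == "true"
            or conn.get("scheme", "").lower() == "https")


def check_connector(conn):
    """Return a list of findings for one Connector (empty means it is fine)."""
    attr = next((a for a in PROTOCOL_ATTRS if a in conn.attrib), None)
    if attr is None:
        return ["no %s attribute (SSLv3 may be negotiable)" % "/".join(PROTOCOL_ATTRS)]
    protocols = [p.strip() for p in conn.get(attr).split(",") if p.strip()]
    findings = []
    for proto in protocols:
        if proto in FORBIDDEN:
            findings.append("%s still lists %s" % (attr, proto))
        elif proto not in ALLOWED:
            findings.append("%s lists unexpected value %s" % (attr, proto))
    if not any(p.startswith("TLSv1") for p in protocols):
        findings.append("%s enables no TLS version" % attr)
    return findings


def check_server_xml(xml_text):
    """Return {port: [findings]} for every SSL Connector in the document.
    A typographic quote left behind by a word processor makes this raise
    ParseError, which is the quoting mistake step 3 of the article warns about."""
    root = ET.fromstring(xml_text)
    return {conn.get("port", "?"): check_connector(conn)
            for conn in root.iter("Connector") if is_ssl_connector(conn)}


# Constructed sample, not a real CSP/DCS server.xml: one fixed Tomcat 7.x
# connector, one fixed Tomcat 5.x connector, one that still allows SSLv3 and
# one that was never edited. 443, 4443 and 8081 are the ports the article
# names; 9443 is invented for the negative case.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="4443" scheme="https" secure="true"
               sslProtocol="TLS" sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="9443" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS" sslEnabledProtocols="SSLv3,TLSv1"/>
    <Connector port="8081" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS"/>
    <Connector port="8080" scheme="http"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    # Usage: python check_server_xml.py <server install>\tomcat\conf\server.xml
    # Without an argument the constructed sample above is checked instead.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    report = check_server_xml(text)
    for port, findings in sorted(report.items()):
        print(port, "OK" if not findings else "; ".join(findings))
    sys.exit(1 if any(report.values()) else 0)
```

Run it against the edited file before starting the service; a non-zero exit means at least one SSL connector still needs attention. Plain HTTP connectors are ignored, so the report covers exactly the connectors the article asks you to change.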
How to test the fix for the POODLE vulnerability on SCSP/DCS
The OpenSSL command-line tool can be used for this purpose.
To confirm that communication over the SSLv3 protocol is not allowed, run the following openssl commands from a machine where OpenSSL is installed:
- Port 443 is used for server-agent communication
openssl s_client -debug -state -connect <IP of SP server>:443 -ssl3
- Port 4443 is used for server-console communication
openssl s_client -debug -state -connect <IP of SP server>:4443 -ssl3
- Port 8081 is used for accessing the web console
openssl s_client -debug -state -connect <IP of SP server>:8081 -ssl3
Expected behavior: In all of the above cases, the connection should fail with the handshake error "SSL3 alert write:fatal:handshake failure"
To confirm that SSL 3.0 is not allowed during web console access:
In Internet Explorer, go to Internet Options -> Advanced -> Security, uncheck the TLS 1.0 checkbox, leave SSL 3.0 checked, and restart IE
Now try to access the web console at https://<Your CSP ServerIP>:8081/webui/apps/scsp
Expected behavior: You should not be able to access the web console
To confirm that communication over the TLS protocol is allowed, use the following commands:
openssl s_client -debug -state -connect <IP of SP server>:443 -tls1
openssl s_client -debug -state -connect <IP of SP server>:4443 -tls1
openssl s_client -debug -state -connect <IP of SP server>:8081 -tls1
Expected behavior: In all of the above cases, the connection should succeed
To confirm that TLS is allowed during web console access:
In Internet Explorer, go to Internet Options -> Advanced -> Security, uncheck the SSL 3.0 checkbox, leave TLS 1.0 checked, and restart IE
Now try to access the web console at https://<Your CSP ServerIP>:8081/webui/apps/scsp
Expected behavior: You should be able to access the web console
The following are the three SSL cipher suites listed in the server.xml file:
• SSL_RSA_WITH_RC4_128_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_WITH_RC4_128_MD5
To check whether communication using a specific cipher is allowed, use the following commands:
openssl s_client -debug -cipher "DES-CBC3-SHA" -state -connect <IP of CSP server>:443 -ssl3
openssl s_client -debug -cipher "RC4-SHA" -state -connect <IP of CSP server>:443 -ssl3
openssl s_client -debug -cipher "RC4-MD5" -state -connect <IP of CSP server>:443 -ssl3
Note: The same commands can be used to test the other ports
Expected behavior: The connection fails with the error "SSL3 alert write:fatal:handshake failure"
This confirms that those ciphers are not used even though they are present in server.xml
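The openssl checks above (the -ssl3/-tls1 matrix over ports 443, 4443 and 8081, and the per-cipher variant) are easy to run by hand but tedious to repeat after every change. The script below is an added example, not part of this article or of the CSP/DCS product. It assumes an openssl binary on PATH and shells out to it with the same flags the article uses; classify() grades an s_client transcript, evaluate() compares that grade with the expected outcome for the flag, and probe() runs the command. The two transcripts embedded at the bottom are constructed and abridged, not captured from a real server; the function names are this example's own.

```python
"""Run the article's openssl s_client checks as a matrix and grade the results.

Added example; this script is not part of the article or the CSP/DCS product.
It assumes an openssl binary on PATH and shells out to it with the flags the
article uses. classify() and evaluate() also work on saved transcripts, which
is how the constructed samples at the bottom are used.
"""
import re
import subprocess
import sys

# Ports named in the article and the component each one serves.
PORTS = {443: "server-agent", 4443: "server-console", 8081: "web console"}
# s_client protocol flag -> whether a handshake is expected to succeed.
EXPECTED = {"-ssl3": False, "-tls1": True}


def classify(transcript):
    """Grade one openssl s_client transcript.
    Returns ("ok", protocol, cipher), ("refused", reason, None) or
    ("unsupported", reason, None) when this openssl build lacks the flag."""
    lower = transcript.lower()
    if "unknown option" in lower or "unrecognized option" in lower:
        return ("unsupported", "this openssl build does not understand the flag", None)
    if "handshake failure" in lower:
        return ("refused", "handshake failure", None)
    if "unsupported protocol" in lower or "wrong version number" in lower:
        return ("refused", "protocol rejected", None)
    # The SSL-Session summary lines look like "    Protocol  : TLSv1" and
    # "    Cipher    : RC4-SHA"; a failed handshake prints Cipher 0000.
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", transcript, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", transcript, re.M)
    if proto and cipher and cipher.group(1) != "0000":
        return ("ok", proto.group(1), cipher.group(1))
    return ("refused", "no session established", None)


def evaluate(port, flag, transcript, cipher=None):
    """Return (passed, summary). passed is None when the probe could not run."""
    verdict, detail, negotiated = classify(transcript)
    label = "%s %s%s" % (port, flag, " -cipher %s" % cipher if cipher else "")
    if verdict == "unsupported":
        return (None, "%s: NOT TESTED, %s" % (label, detail))
    succeeded = verdict == "ok"
    passed = succeeded == EXPECTED[flag]
    outcome = ("accepted %s/%s" % (detail, negotiated)) if succeeded else ("refused: %s" % detail)
    return (passed, "%s: %s (%s)" % (label, "PASS" if passed else "FAIL", outcome))


def probe(host, port, flag, cipher=None, timeout=20):
    """Run openssl s_client once and return its combined stdout/stderr."""
    cmd = ["openssl", "s_client", "-state", "-connect", "%s:%d" % (host, port), flag]
    if cipher:
        cmd += ["-cipher", cipher]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return (proc.stdout + proc.stderr).decode("utf-8", "replace")


# Constructed, abridged transcripts in the shape s_client prints; they were
# not captured from a real CSP/DCS server.
REFUSED_SSL3 = """CONNECTED(00000003)
SSL_connect:SSLv3 write client hello A
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
New, (NONE), Cipher is (NONE)
    Protocol  : SSLv3
    Cipher    : 0000
"""
ACCEPTED_TLS1 = """CONNECTED(00000003)
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read finished A
New, TLSv1/SSLv3, Cipher is RC4-SHA
    Protocol  : TLSv1
    Cipher    : RC4-SHA
"""

if __name__ == "__main__":
    # Usage: python poodle_check.py <IP of CSP server>
    host = sys.argv[1]
    failed = False
    for port in PORTS:
        for flag in EXPECTED:
            passed, summary = evaluate(port, flag, probe(host, port, flag))
            print(summary)
            failed = failed or passed is False
    sys.exit(1 if failed else 0)
```

A NOT TESTED line is not a pass: OpenSSL builds from 1.1.0 onwards are compiled without SSLv3 and reject the -ssl3 flag outright, so the SSLv3 checks must be run from a machine whose openssl still supports that protocol, exactly as the article assumes. The -cipher variant from the last section is covered by passing a cipher name to probe() and evaluate().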