elias

Reputation: 15510

Unable to disable SSLv3 on WSO2 Carbon 4.0.6

Due to the possibility of a POODLE attack, I'm trying to disable SSLv3 on WSO2 ESB-4.6.0.

Following the official documentation:

  • Open [product_home]/repository/conf/axis2/axis2.xml
  • Find the transportReceiver configuration element for org.apache.synapse.transport.passthru.PassThroughHttpSSLListener
  • If you are using JDK 1.7, add the following parameter under transportReceiver.

    <parameter name="HttpsProtocols">TLSv1,TLSv1.1,TLSv1.2</parameter>
    

  • Save and start the server

It did not work! I guess it's because the Carbon version of ESB-4.6.0 is 4.0.6 instead of 4.2.0 as described in the documentation. The output of java -jar TestSSLServer.jar localhost 8243 is:

    Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
    Deflate compression: no
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
      SSLv3
         RSA_WITH_RC4_128_MD5
         RSA_WITH_RC4_128_SHA
         RSA_WITH_3DES_EDE_CBC_SHA
         DHE_RSA_WITH_3DES_EDE_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA
         DHE_RSA_WITH_AES_128_CBC_SHA
         TLS_ECDHE_RSA_WITH_RC4_128_SHA
         TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      (TLSv1.0: idem)
      (TLSv1.1: idem)
      TLSv1.2
         RSA_WITH_RC4_128_MD5
         RSA_WITH_RC4_128_SHA
         RSA_WITH_3DES_EDE_CBC_SHA
         DHE_RSA_WITH_3DES_EDE_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA
         DHE_RSA_WITH_AES_128_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA256
         DHE_RSA_WITH_AES_128_CBC_SHA256
         TLS_ECDHE_RSA_WITH_RC4_128_SHA
         TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    

So, my question is: how do I disable SSLv3 on Carbon 4.0.6?

Upvotes: 0

Views: 298
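The TestSSLServer listing above is the check that matters after any of the fixes below: whatever you change in axis2.xml or java.security, the server has to stop answering an SSLv3 ClientHello. The following probe is an added example, not part of the question or of WSO2's tooling, and does that check without depending on a local OpenSSL build that still speaks SSLv3. It sends a bare SSLv3 ClientHello offering the nine suites from the listing and classifies the first record the server returns: an SSLv3 ServerHello means SSLv3 is still enabled, an alert or a closed connection means it is refused. The default host and port (localhost, 8243) are the ones from the question; the record layouts follow the SSL 3.0 / TLS record format, and nothing here is WSO2-specific.

```python
"""Probe whether a TLS endpoint still accepts an SSLv3 handshake (POODLE check).

Added example: sends a minimal SSLv3 ClientHello and classifies the first record
that comes back. Not part of WSO2 Carbon or of the original question.
"""
import os
import socket
import struct
import sys

SSLV3 = 0x0300
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02

# Suite IDs for the SSLv3 suites in the question's TestSSLServer listing.
SSLV3_SUITES = [
    0x0004,  # RSA_WITH_RC4_128_MD5
    0x0005,  # RSA_WITH_RC4_128_SHA
    0x000A,  # RSA_WITH_3DES_EDE_CBC_SHA
    0x0016,  # DHE_RSA_WITH_3DES_EDE_CBC_SHA
    0x002F,  # RSA_WITH_AES_128_CBC_SHA
    0x0033,  # DHE_RSA_WITH_AES_128_CBC_SHA
    0xC011,  # ECDHE_RSA_WITH_RC4_128_SHA
    0xC012,  # ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    0xC013,  # ECDHE_RSA_WITH_AES_128_CBC_SHA
]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_client_hello(suites=SSLV3_SUITES, client_random=None):
    """Build one SSLv3 record carrying a ClientHello with no extensions."""
    client_random = client_random or os.urandom(32)
    body = struct.pack("!H", SSLV3) + client_random + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", SSLV3, len(handshake)) + handshake


def classify_response(data):
    """Map the server's first record to ('accepted' | 'refused' | 'unknown', detail)."""
    if len(data) < 5:
        return "refused", "connection closed without sending a record"
    ctype, version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == RECORD_ALERT and len(payload) >= 2:
        level, desc = payload[0], payload[1]
        return "refused", f"alert {ALERT_NAMES.get(desc, desc)} (level {level})"
    if ctype == RECORD_HANDSHAKE and len(payload) >= 6 and payload[0] == SERVER_HELLO:
        # ServerHello body: version(2) random(32) session_id_len(1) session_id cipher_suite(2)
        server_version = struct.unpack("!H", payload[4:6])[0]
        suite = None
        if len(payload) > 38:
            sid_len = payload[38]
            if len(payload) >= 41 + sid_len:
                suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
        detail = f"ServerHello version 0x{server_version:04x}"
        if suite is not None:
            detail += f", cipher suite 0x{suite:04x}"
        if server_version == SSLV3:
            return "accepted", detail
        return "unknown", detail
    return "unknown", f"unexpected record type 0x{ctype:02x} (version 0x{version:04x})"


def probe_sslv3(host, port, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""  # a reset or silence is treated like a closed connection
    return classify_response(data)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8243  # PassThrough HTTPS port from the question
    verdict, detail = probe_sslv3(host, port)
    print(f"{host}:{port}: SSLv3 {verdict} ({detail})")
    sys.exit(1 if verdict == "accepted" else 0)
```

Run it against each HTTPS port the server exposes, not just 8243: the second answer below points out that the documented axis2.xml change may only affect the 9443 servlet port, so a fix that passes on one port can still leave SSLv3 on the other. "accepted" corresponds to the "Supported versions: SSLv3 ..." line in the TestSSLServer output; a JSSE server with the version disabled answers with an alert or simply closes the connection, and both are reported as "refused".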

Answers (2)

Prakhash

Reputation: 654

We can get this done at the JVM level by using Java's 'jdk.tls.disabledAlgorithms' property in the java.security file.

It can be done by setting the property to values such as the following:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5, DESede, DH keySize < 2048, RSA keySize < 2048

Upvotes: 1

Jenananthan

Reputation: 1401

AFAIK, for WSO2 ESB 4.6.0 you can disable SSLv3 only for port 9443 (the servlet port) by following the official document. The doc is applicable only to Carbon 4.2.0 based products.

Upvotes: 0
