CCA Remediation for Poodle Vulnerability

Document ID : KB000029142
Last Modified Date : 14/02/2018

Configuration change to CCA to fix Poodle Vulnerability.

Applies to CCA versions 12.7.1, 12.8 and 12.8.1.


Steps to disable SSLv3 in Tomcat

  • Open the Tomcat server.xml (tomcat/conf/server.xml) in an editor.
  • Add the attribute sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the HTTPS Connector element in tomcat/conf/server.xml, as follows:


<Connector SSLEnabled="true" clientAuth="false" connectionTimeout="200000"
           keystoreFile="C:/Program Files/CA/CCA Server82/lib/tomcat.keystore"
           keystorePass="aaaaaa" port="8082" protocol="HTTP/1.1" redirectPort="8443"
           scheme="https" secure="true" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />

  • Once done, please restart the CCAServer service.
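As an added example (not part of this article or of the CCA product), the following Python script audits a server.xml for SSL connectors that still permit SSLv3 and applies the same sslEnabledProtocols change; the sample XML is constructed from the Connector shown above, and the function names are the example's own. ElementTree drops XML comments, so write the result to a copy and diff it against the original rather than overwriting server.xml in place.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Connector in this article (the keystore
# path and keystorePass are the article's own placeholder values).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" />
    <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="200000"
      keystoreFile="C:/Program Files/CA/CCA Server82/lib/tomcat.keystore"
      keystorePass="aaaaaa" port="8082" protocol="HTTP/1.1" redirectPort="8443"
      scheme="https" secure="true" sslProtocol="TLS" />
  </Service>
</Server>"""

SAFE_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"
# Protocol names that must not appear in sslEnabledProtocols. SSLv2Hello only
# changes the hello format, but it is flagged here as well so it gets reviewed.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv2Hello"}


def audit_connectors(xml_text):
    """Return (port, reason) for every SSL connector that may still offer SSLv3.

    When sslEnabledProtocols is absent, Tomcat falls back to the JVM's default
    enabled protocols, which on older JVMs include SSLv3, so a missing
    attribute is reported as a finding too.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        protos = conn.get("sslEnabledProtocols")
        if protos is None:
            findings.append((conn.get("port"), "sslEnabledProtocols missing"))
            continue
        weak = sorted(WEAK_PROTOCOLS & {p.strip() for p in protos.split(",")})
        if weak:
            findings.append((conn.get("port"), "allows " + ",".join(weak)))
    return findings


def remediate(xml_text):
    """Return server.xml with every SSL connector pinned to TLS-only protocols."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "").lower() == "true":
            conn.set("sslEnabledProtocols", SAFE_PROTOCOLS)
    return ET.tostring(root, encoding="unicode")
```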

Verification of the protocol status (Enabled/Disabled)

Install OpenSSL on the system from which the verification will be done.

Open a command prompt, change directory to C:\Program Files\CA\CCA Server\bin, type openssl and press Enter.

At the OpenSSL> prompt, type the following command and press Enter:

s_client -connect <hostname>:<port> -ssl3

Here <hostname> is the host on which CCA is running and <port> is the port on which the Tomcat server is listening.

If SSLv3 is still enabled, the client connects to the host on that port and downloads the server certificate, as follows:

C:\Program Files\CA\CCA Server\bin>openssl
OpenSSL> s_client -connect hostname:8080 -ssl3
Loading 'screen' into random state - done
CONNECTED(00000180)
depth=0 /O=CA/ST=NY/L=Islandia/C=US/CN=CA/OU=CA Configuration Automation
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=CA/ST=NY/L=Islandia/C=US/CN=CA/OU=CA Configuration Automation
verify return:1
---
Certificate chain
0 s:/O=CA/ST=NY/L=Islandia/C=US/CN=CA/OU=CA Configuration Automation
i:/O=CA/ST=NY/L=Islandia/C=US/CN=CA/OU=CA Configuration Automation
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/O=CA/ST=NY/L=Islandia/C=US/CN=CA/OU=CA Configuration Automation
issuer=/O=CA/ST=NY/L=Islandia/C=US/CN=CA/OU=CA Configuration Automation
---
No client certificate CA names sent
---
SSL handshake has read 1178 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 547EDF7ED59C01EB63FA505938CFAC28C6B735FD66ABE0660714A1F13519CEFF
Session-ID-ctx:
Master-Key: 7D8F2FF6148D7BE7B4FC2F549B83FA91185063AEED2061908287F37161218D9E33CAC37A8A0129AB1E63B2A43D6B5C54
Key-Arg : None
Start Time: 1417600896
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
closed
OpenSSL>

If SSLv3 is disabled, you will see a message like the following instead, and the server certificate is not downloaded:

c:\Program Files\CA\CCA Server\bin>openssl
OpenSSL> s_client -connect hostname:8080 -ssl3
Loading 'screen' into random state - done
CONNECTED(000001A0)
14804:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:291:

OpenSSL>