cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Mitigations for POODLE vulnerability
Date Tue, 04 Nov 2014 15:01:16 GMT
> Will it also be disabled by default in the CXF client at the next release?

Yes.

Colm.

On Mon, Nov 3, 2014 at 4:52 PM, David Roytenberg (Consultant) <David.Roytenberg@optimalpayments.com> wrote:

> Will it also be disabled by default in the CXF client at the next release?
>
> David
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Monday, November 03, 2014 11:22 AM
> To: users@cxf.apache.org
> Subject: Re: Mitigations for POODLE vulnerability
>
> I'm not sure if there is a way to exclude it using existing configuration.
> However, from the next releases of CXF, it will be disabled by default.
>
> Colm.
>
> On Mon, Nov 3, 2014 at 4:18 PM, geecxf <amiri@ge.com> wrote:
>
> > A security vulnerability has been discovered with SSLv3 protocol. It
> > is also called POODLE attack.
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
> >
> > We would like to mitigate against this by disabling SSL for our
> > various jetty engines. However, I can't seem to find a way to exclude
> > this protocol using the CXF httpj configuration namespace. Thus far I
> > have tried:
> >
> > 1. Setting the "secureSocketProtocol" property for the
> >    tlsServerParameters.
> > 2. Using the -Dhttps.protocols system property as suggested in another
> >    thread.
> >
> > Here's an example configuration:
> >
> >     <!-- opening engine-factory element restored so the fragment is well-formed;
> >          bus="cxf" is the usual value for a single-bus deployment -->
> >     <httpj:engine-factory bus="cxf">
> >         <httpj:engine port="${https.port}">
> >             <httpj:tlsServerParameters
> >                 secureSocketProtocol="${https.secureSocketProtocol}">
> >                 <sec:keyManagers keyPassword="${https.keyManagerPwd}">
> >                     <sec:keyStore
> >                         url="${https.serviceKeyStoreUrl}"
> >                         password="${https.serviceKeyStorePwd}"
> >                         type="JKS" />
> >                 </sec:keyManagers>
> >                 <sec:trustManagers>
> >                     <sec:keyStore
> >                         url="${https.trustKeyStoreUrl}"
> >                         password="${https.trustKeyStorePwd}"
> >                         type="JKS" />
> >                 </sec:trustManagers>
> >                 <sec:cipherSuitesFilter>
> >                     <sec:include>.*_WITH_AES_128_.*</sec:include>
> >                     <sec:include>.*_WITH_AES_256_.*</sec:include>
> >                     <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
> >                     <sec:exclude>.*_DH_anon_.*</sec:exclude>
> >                 </sec:cipherSuitesFilter>
> >                 <sec:clientAuthentication
> >                     want="false"
> >                     required="false" />
> >                 <sec:certAlias>${https.certAlias}</sec:certAlias>
> >             </httpj:tlsServerParameters>
> >             <httpj:threadingParameters
> >                 minThreads="${webservice.minThreads}"
> >                 maxThreads="${webservice.maxThreads}" />
> >         </httpj:engine>
> >     </httpj:engine-factory>
> >
> > Is there a way to modify the configuration above to exclude all use of
> > SSLv3?
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
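The thread establishes that, as of the CXF release in question, neither `secureSocketProtocol` nor `-Dhttps.protocols` keeps SSLv3 off a Jetty-hosted endpoint (the latter only influences `HttpsURLConnection` clients), and that the fix lands as a default in the next release. The following is an added example, not code from this thread or from CXF itself, showing the JSSE-level operation any such fix has to perform on both the server and client side: take the protocol list JSSE enables by default, drop `SSLv3` (and the `SSLv2Hello` compatibility pseudo-protocol), and apply the reduced list to each socket before it is used. The class name `ProtocolFilter` and the methods `filter`, `harden` and `acceptsSslv3` are assumptions made here for illustration; the `javax.net.ssl` calls are standard JDK API.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration (hypothetical helper, not CXF code): strip legacy SSL
// protocol versions from JSSE sockets and verify the result.
public final class ProtocolFilter {

    // Names JSSE uses for the versions that must never be negotiated.
    private static final List<String> BANNED = Arrays.asList("SSLv2Hello", "SSLv3");

    // Returns the subset of candidates that is not banned, preserving JSSE's order.
    // Fails loudly if a configuration leaves nothing usable (e.g. only SSLv3 listed),
    // which is preferable to silently falling back to the JSSE defaults.
    public static String[] filter(String[] candidates) {
        List<String> kept = new ArrayList<>();
        for (String p : candidates) {
            if (!BANNED.contains(p)) {
                kept.add(p);
            }
        }
        if (kept.isEmpty()) {
            throw new IllegalStateException("no acceptable TLS protocol version left after filtering");
        }
        return kept.toArray(new String[0]);
    }

    // Server side: apply the filter to a freshly created listening socket
    // (the hook a Jetty engine would use before accepting connections).
    public static SSLServerSocket harden(SSLServerSocket server) {
        server.setEnabledProtocols(filter(server.getEnabledProtocols()));
        return server;
    }

    // Client side: same treatment for outbound sockets, e.g. inside a wrapping
    // SSLSocketFactory used by the HTTP conduit.
    public static SSLSocket harden(SSLSocket socket) {
        socket.setEnabledProtocols(filter(socket.getEnabledProtocols()));
        return socket;
    }

    // Deployment check: true when a banned version is still enabled.
    public static boolean acceptsSslv3(String[] enabled) {
        for (String p : enabled) {
            if (BANNED.contains(p)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Bind an ephemeral loopback listener purely to inspect its protocol list.
        SSLContext ctx = SSLContext.getDefault();
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        try {
            System.out.println("enabled before: " + Arrays.toString(server.getEnabledProtocols()));
            harden(server);
            System.out.println("enabled after:  " + Arrays.toString(server.getEnabledProtocols()));
            System.out.println("SSLv3 still accepted: " + acceptsSslv3(server.getEnabledProtocols()));
        } finally {
            server.close();
        }
    }
}
```

Two practical notes. First, `setEnabledProtocols` is per socket, so a filter like this must run on every socket the engine or conduit creates, not once on the `SSLContext`; that is why a configuration-only mitigation was unavailable to the original poster. Second, on a JDK where the `jdk.tls.disabledAlgorithms` security property already lists `SSLv3`, the "before" and "after" lists will be identical and `acceptsSslv3` will report `false` without the filter doing anything, which is exactly the check to run against the actual JVM a CXF service is deployed on.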
