
Due to the possibility of a POODLE attack, I'm trying to disable SSLv3 on WSO2 ESB-4.6.0.

Following the official documentation:

  • Open [product_home]/repository/conf/axis2/axis2.xml
  • Find the transportReceiver configuration element for org.apache.synapse.transport.passthru.PassThroughHttpSSLListener
  • If you are using JDK 1.7, add the following parameter under transportReceiver:

        <parameter name="HttpsProtocols">TLSv1,TLSv1.1,TLSv1.2</parameter>

  • Save and start the server
  • It did not work! I guess it's because the Carbon version of ESB-4.6.0 is 4.0.6 instead of 4.2.0 as described in the documentation. The java -jar TestSSLServer.jar localhost 8243 output is:

    Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
    Deflate compression: no
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
      SSLv3
         RSA_WITH_RC4_128_MD5
         RSA_WITH_RC4_128_SHA
         RSA_WITH_3DES_EDE_CBC_SHA
         DHE_RSA_WITH_3DES_EDE_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA
         DHE_RSA_WITH_AES_128_CBC_SHA
         TLS_ECDHE_RSA_WITH_RC4_128_SHA
         TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      (TLSv1.0: idem)
      (TLSv1.1: idem)
      TLSv1.2
         RSA_WITH_RC4_128_MD5
         RSA_WITH_RC4_128_SHA
         RSA_WITH_3DES_EDE_CBC_SHA
         DHE_RSA_WITH_3DES_EDE_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA
         DHE_RSA_WITH_AES_128_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA256
         DHE_RSA_WITH_AES_128_CBC_SHA256
         TLS_ECDHE_RSA_WITH_RC4_128_SHA
         TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

So, my question is: how to disable SSLv3 on Carbon 4.0.6?

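To check the outcome of a change like the one above without depending on TestSSLServer (or on the local OpenSSL build, which usually can no longer speak SSLv3 at all), here is an added example in Python; it is not part of the question or of WSO2's tooling. It sends one minimal ClientHello per protocol version and classifies the first record the server returns: a ServerHello carrying the same version means the version is accepted, an alert or a closed connection means it is not. The host, port and the small cipher-suite list it offers are assumptions chosen to mirror the suites in the output above.

```python
"""Probe which SSL/TLS protocol versions a server will negotiate.

Added example (not from the question or from WSO2). It speaks the record
layer directly so it can offer SSLv3 even where the local TLS library refuses to.
"""
import socket
import struct
import sys

# Wire encoding of the protocol versions TestSSLServer reports.
VERSIONS = {
    "SSLv3":   b"\x03\x00",
    "TLSv1.0": b"\x03\x01",
    "TLSv1.1": b"\x03\x02",
    "TLSv1.2": b"\x03\x03",
}

# Cipher suites offered in the probe (IANA values); chosen to match suites
# listed in the question so that a refusal is about the version, not the suites.
CIPHER_SUITES = [
    b"\x00\x2f",  # TLS_RSA_WITH_AES_128_CBC_SHA
    b"\x00\x0a",  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    b"\x00\x05",  # TLS_RSA_WITH_RC4_128_SHA
    b"\x00\x33",  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]


def build_client_hello(version: bytes) -> bytes:
    """Return one handshake record containing a ClientHello for `version`."""
    suites = b"".join(CIPHER_SUITES)
    body = (
        version                                   # client_version
        + b"\x00" * 32                            # random (a constant is fine for a probe)
        + b"\x00"                                 # session_id: empty
        + struct.pack("!H", len(suites)) + suites # cipher_suites
        + b"\x01\x00"                             # compression_methods: null only
    )
    # Handshake header: type 1 (ClientHello) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version, 16-bit length.
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def classify_response(version: bytes, data: bytes) -> str:
    """Classify the server's first record as 'accepted', 'rejected' or 'unknown'.

    'rejected' covers alerts, closed connections and a ServerHello that picked
    a different version than the one offered.
    """
    if len(data) < 5:
        return "rejected"                      # connection closed or nothing readable
    content_type = data[0]
    if content_type == 0x15:                   # alert, e.g. protocol_version / handshake_failure
        return "rejected"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        server_version = data[9:11]            # 5-byte record header + 4-byte handshake header
        return "accepted" if server_version == version else "rejected"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Offer each version in turn on a fresh connection; return {name: verdict}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version))
                data = sock.recv(4096)
        except OSError:
            data = b""
        results[name] = classify_response(version, data)
    return results


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8243
    for name, verdict in probe(host, port).items():
        print(f"{name:8s} {verdict}")
```

Run it as `python probe.py localhost 8243` before and after the change; SSLv3 should move from `accepted` to `rejected` once the listener honours the new protocol list. The probe only reads the first record, so it says nothing about cipher strength; the java.security approach in the answers below is what actually removes weak suites.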

2 Answers


We can get this done via JVM-level ciphers by using Java's 'jdk.tls.disabledAlgorithms' property in the java.security file.

It can be done by using values such as the following for the property:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5, DESede, DH keySize < 2048, RSA keySize < 2048
    
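Because that property is read from java.security at JVM start and applies to every TLS endpoint in the process, it is worth being able to audit the file rather than eyeballing it. The following is an added example in Python, not part of the answer or of the JDK: it reads the property in Java properties syntax (comment lines, backslash line continuations) and reports which of the given protocol names are present in the disabled list. The java.security fragment inside it is constructed for the example.

```python
"""Audit java.security for jdk.tls.disabledAlgorithms.

Added example (not from the answer or from the JDK). Handles the two things
that make a naive grep unreliable: the property may be commented out, and its
value is usually folded over several lines with trailing backslashes.
"""
import re

# Constructed sample, not copied from any real JDK's java.security.
SAMPLE_JAVA_SECURITY = """\
# stale copy left commented out by an earlier edit
# jdk.tls.disabledAlgorithms=SSLv3
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5, DESede, \\
    DH keySize < 2048, RSA keySize < 2048
# an unrelated property
securerandom.source=file:/dev/random
"""


def read_property(text: str, key: str):
    """Return the unfolded value of `key`, or None if absent or commented out."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].lstrip()
        if line.startswith("#") or line.startswith("!"):   # properties comment markers
            i += 1
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m and m.group(1) == key:
            value = m.group(2)
            # A trailing backslash continues the value on the next line
            # (leading whitespace of the continuation line is dropped).
            while value.endswith("\\") and i + 1 < len(lines):
                i += 1
                value = value[:-1] + lines[i].lstrip()
            return value.strip()
        i += 1
    return None


def disabled_entries(text: str):
    """Split the property into its comma-separated entries, e.g. 'DH keySize < 2048'."""
    value = read_property(text, "jdk.tls.disabledAlgorithms")
    if value is None:
        return []
    return [e.strip() for e in value.split(",") if e.strip()]


def check_protocols(text: str, protocols):
    """Map each protocol name to True when it appears verbatim in the disabled list."""
    entries = {e.lower() for e in disabled_entries(text)}
    return {p: p.lower() in entries for p in protocols}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JAVA_SECURITY
    print("entries:", disabled_entries(text))
    for proto, off in check_protocols(text, ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]).items():
        print(f"{proto:8s} {'disabled' if off else 'ENABLED'}")
```

Point it at the JRE's java.security (`python audit.py $JAVA_HOME/jre/lib/security/java.security`) on the host running the ESB. The check only matches protocol names literally; entries such as `RC4` or `DESede` are cipher-level constraints that the JDK applies by decomposing suite names, which this script lists but does not interpret.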

AFAIK for WSO2 ESB 4.6.0 you can disable SSLv3 for port 9443 (the servlet port) only by following the official document. The doc is applicable only to Carbon 4.2.0 based products.
