How To Disable SSLv3 to Mitigate Against POODLE Exploit for Crowd
Use Case
If you have enabled the SSL connector for Crowd using <Crowd_install>/conf/server.xml, the default settings do not block SSLv3 connections which can be exploited by the POODLE fallback attack. There are two changes that need to be made to the SSL connector. By default, the SSL connector sets sslProtocol="TLS" which starts both TLS connectors and SSLv3 connectors. You can tell if you are affected by opening <Crowd_install>/conf/server.xml and find the SSL connector that might have been added previously, example follows:
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" SSLEnabled="true" keystorePass="<MY_CERTIFICATE_PASSWORD>" />Resolution
Edit the SSL connector in
server.xmlas follows:<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true" URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>" />In older versions of Tomcat (up to 6.0.32) the property sslEnabledProtocols didn't exist. If you're running Crowd 2.6.X or older, please edit the SSL connector as follows instead:
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true" URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>" />- At this point you can start Crowd and use something like SSLScan to verify that connections can only be made through TLS and not SSLv3.