This content is now out of date.

Poodle Attack: Check your Yellowfin | Tomcat Config

Hi YellowFin,

Tomcat has often activated the SSLv3 Protocol, which is vulnerable.
You can check your Yellowfin-Server here:

https://www.poodlescan.com/

I did not find any Howto for removing ssl v3-Support on Yellowfin.
Here is what I did (with no warranty!)


To disable SSLv3 you have to check your server.xml in appserver/conf

1. remove
sslProtocols="TLS"
(or sslProtocol="SSL" or similar)

2. add sslProtocols="TLSv1,TLSv1.1,TLSv1.2"

3. Restart Yellowfin Server

Our server.xml now looks like this.

maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" URIEncoding="UTF-8"
keystoreFile="${catalina.home}/conf/tomcat.key"
keystorePass="1234568" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2"
/>


Poodle Scan is now OK, not vulnerable!

Hi

Thank you for the forward thinking and sharing of your instructions.
It is nice to see somebody looking out for the Yellowfin community.

Mark

There is a small change to the instructions above to get it working.

The details are slightly different depending on what version of Tomcat you are using. You can check the Tomcat version by viewing the info page (i.e. http://localhost/info.jsp).
e.g.:
[code]Application Server: Apache Tomcat/7.0.54[/code]

Installations of Yellowfin 7.1 come with Tomcat 7.0.54, and installations of Yellowfin 7 come with Tomcat 6.0.37.

Tomcat 7.0.54

Add the attribute sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" to the https connector in server.xml. Keep the sslProtocol="TLS" attribute:

[code] SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true" acceptCount="100" URIEncoding="UTF-8"
keystoreFile="${catalina.home}/conf/tomcat.key"
keystorePass="password"
/>[/code]

Tomcat 6.0.37

Use the same method, except use the attribute protocols instead of sslEnabledProtocols:

[code] maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false"
sslProtocol="TLS"
protocols="TLSv1.2,TLSv1.1,TLSv1"
URIEncoding="UTF-8"
keystoreFile="${catalina.home}/conf/tomcat.key"
keystorePass="password"
/>[/code]

See this link for more information:
http://wiki.apache.org/tomcat/Security/POODLE

Thanks,
Steve

Note that upgrading Yellowfin does not upgrade the version of Tomcat used. So an installation of Yellowfin 7 that is then upgraded to 7.1 will still use Tomcat 6.0.37.

Thanks,
Steve
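
The version-dependent attribute names in this thread are easy to mix up, especially after a Yellowfin upgrade that leaves the old Tomcat in place. The following is an added example, not part of any post above and not Yellowfin or Tomcat code: a small audit of server.xml that reports HTTPS connectors lacking the protocol attribute for the given Tomcat major version. The function name, the sample XML and its port numbers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute that restricts the enabled protocols, per Tomcat major version,
# as described in the thread (6.0.37 -> protocols, 7.0.54 -> sslEnabledProtocols).
PROTOCOL_ATTR = {6: "protocols", 7: "sslEnabledProtocols"}

def audit_connectors(server_xml, tomcat_major):
    """Return (port, finding) pairs for HTTPS connectors without a TLS-only list."""
    attr = PROTOCOL_ATTR[tomcat_major]
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        is_https = (conn.get("scheme") == "https"
                    or conn.get("SSLEnabled", "").lower() == "true")
        if not is_https:
            continue
        port = conn.get("port", "?")
        value = conn.get(attr)
        if value is None:
            # Also catches a differently named attribute such as sslProtocols,
            # or the attribute that belongs to the other Tomcat version.
            findings.append((port, f"{attr} not set"))
            continue
        enabled = [p.strip() for p in value.split(",") if p.strip()]
        weak = [p for p in enabled if p.upper().startswith("SSL")]
        if weak:
            findings.append((port, f"{attr} still lists {','.join(weak)}"))
    return findings

# Constructed sample input; ports are arbitrary.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
  <Connector port="10443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1,SSLv3" />
</Service></Server>"""

if __name__ == "__main__":
    for major in (7, 6):
        print(f"Tomcat {major}:")
        for port, finding in audit_connectors(SAMPLE, major):
            print(f"  connector on port {port}: {finding}")
```

Run against the sample as Tomcat 6, the connector on port 9443 is reported as well, because its Tomcat 7 attribute is not the one Tomcat 6 uses according to the thread.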