Forum

This content is now out of date.

Visit Our Community

Poodle Attack: Check your Yellowfin | Tomcat Config

Hi YellowFin,

Tomcat has often activated the SSLv3 Protocol, which ist vunerable.
You can check your Yellowfin-Server here:

https://www.poodlescan.com/

I did not find any Howto for removing ssl v3-Support on Yellowfin.
Here is what I did (with no warranty!)


To disable SSLv3 you have to check your server.xml in appserver/conf

1. remove
"sslProtocols="TLS"
(or sslProtocol="SSL" or similar)

2. add "sslProtocols = "TLSv1,TLSv1.1,TLSv1.2"

3. Restart Yellowfin Server

Our server.xml now looks like this.

maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" URIEncoding="UTF-8"
keystoreFile="${catalina.home}/conf/tomcat.key"
keystorePass="1234568" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2"
/>


Poodle Scan ist now OK, not vunerable!
Hi

Thank you for the forward thinking and sharing of your instructions.
It is nice to see somebody looking out for the Yellowfin community.

Mark
There is a small change to the instructions above to get it working.

The details are slightly different depending on what version of Tomcat you are using. You can check the Tomcat version by viewing the info page (i.e. http://localhost/info.jsp).
eg:
[code]Application Server: Apache Tomcat/7.0.54[/code]

Installations of Yellowfin 7.1 come with Tomcat 7.0.54, and Installations of Yellowfin 7 come with Tomcat 6.0.37.

Tomcat 7.0.54

Add the attribute sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" to the https connector in server.xml. Keep the sslProtocol="TLS" attribute:

[code] SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true" acceptCount="100" URIEncoding="UTF-8"
keystoreFile="${catalina.home}/conf/tomcat.key"
keystorePass="password"
/>[/code]

Tomcat 6.0.37

Use the same method, except use the attribute protocols instead of sslEnabledProtocols:

[code] maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false"
sslProtocol="TLS"
protocols="TLSv1.2,TLSv1.1,TLSv1"
URIEncoding="UTF-8"
keystoreFile="${catalina.home}/conf/tomcat.key"
keystorePass="password"
/>[/code]

See this link for more information:
http://wiki.apache.org/tomcat/Security/POODLE

Thanks,
Steve
Note that upgrading Yellowfin does not upgrade the version of Tomcat used. So an installation of Yellowfin 7 that is then upgraded to 7.1 will still use Tomcat 6.0.37.

Thanks,
Steve

Thanks for trying Yellowfin

Please complete the form below to request your copy of Yellowfin today.