searchforsolutions


Fixing the POODLE issue in Java clients (HttpsURLConnection, web services etc.), securing embedded Jetty, fixing a .NET client stack (WCF etc.) and securing IIS7/8


– If your app makes HTTPS calls (acts as a client), or for any Java app that uses HttpsURLConnection, set the https.protocols system property. Either set it in code at start-up:

java.lang.System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");

or set the property on the command line before the application starts:

java -Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2" MyAPP

– To disable SSLv3 in embedded Jetty (v9.x), set up the SslContextFactory as follows:

sslContextFactory.addExcludeProtocols("SSLv3");

sslContextFactory.setExcludeCipherSuites("SSL_RSA_WITH_NULL_MD5",
"SSL_RSA_WITH_NULL_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
"SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
"SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
"SSL_RSA_WITH_IDEA_CBC_SHA",
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DH_DSS_WITH_DES_CBC_SHA",
"SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA",
"SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DH_RSA_WITH_DES_CBC_SHA",
"SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
"SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
"SSL_DH_anon_WITH_RC4_128_MD5",
"SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DH_anon_WITH_DES_CBC_SHA",
"SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
"SSL_FORTEZZA_KEA_WITH_NULL_SHA",
"SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA",
"SSL_FORTEZZA_KEA_WITH_RC4_128_SHA",
"SSL_DHE_RSA_WITH_AES_128_CBC_SHA",
"SSL_RSA_WITH_AES_128_CBC_SHA");

- For securing Tomcat 7, follow the steps at:

http://wiki.apache.org/tomcat/Security/POODLE

- To protect .NET WCF or client HTTPS invocation endpoints by forcing them to always use TLS, set the protocol globally for each AppDomain via the System.Net.ServicePointManager.SecurityProtocol property when the application starts up:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

- Disabling SSLv3 on IIS7/8:

http://support.microsoft.com/kb/187498

http://support.microsoft.com/kb/245030
