[ https://issues.apache.org/jira/browse/OFBIZ-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14198596#comment-14198596 ]
Jacques Le Roux commented on OFBIZ-5848:
----------------------------------------

For those who are interested in this vulnerability, here are 2 references for the browser and server sides:

https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
https://wiki.mozilla.org/Security/Server_Side_TLS

In trunk and release branches I forced the protocol to TLS 1.2. This is a moot point (we could use TLS 1.0).

Good to know: most web browsers support TLS 1.0 (not enabled by default in Internet Explorer 6). Browsers that by default support the latest TLS 1.2 version are:

* Google Chrome 30+
* Mozilla Firefox 27+
* Microsoft Internet Explorer 11+
* Opera 17+
* Apple Safari 7+

But time will quickly pass, with modern browsers updated online. So since I was forced to force a protocol version, I picked the last one. Also because my tests with nmap were clear/sure with TLS 1.1/1.2 but not TLS 1.0.

> Poodle-disable sslv3
> --------------------
>
>                 Key: OFBIZ-5848
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-5848
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: Trunk
>         Environment: unix
>            Reporter: Hrc Boston
>            Assignee: Jacques Le Roux
>            Priority: Critical
>              Labels: patch, security
>             Fix For: Upcoming Branch, 12.04.06, 13.07.02
>
>
> Hi there--
>
> This topic seemed relevant because it is a major security issue that recently
> came up and will affect many ecommerce sites for OFBiz.
>
> I am in the process of trying to disable SSLv3 on our version of
> OFBiz 09-04, which uses Tomcat 6.
> This is to eliminate the security vulnerability from POODLE.
> http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed
>
> We have tried updating the ofbiz-containers.xml file like below, but it
> did not disable SSLv3. POODLE is still there.
> I have also seen fixes that update server.xml with something similar.
>
> <property name="sslProtocol" value="TLS"/>
> <property name="sslEnabledProtocols" value="TLSv1"/>
>
> Has anyone else had luck fixing the POODLE issue on Apache OFBiz version
> 09-04?
> Or in any OFBiz products… where is the best place to fix this in OFBiz??
>
> Thanks!
> The Poodle fixer :)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
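The thread turns on two container properties, sslProtocol and sslEnabledProtocols, and on whether the list of enabled protocols really excludes SSLv3. The following audit script is an added example written for this page, not OFBiz project code: it parses the `<property>` elements the ticket shows and flags connectors that still list an SSLv2/SSLv3 value or omit sslEnabledProtocols altogether (in which case the JSSE defaults for the chosen sslProtocol decide). The XML is a constructed, simplified sample, not a real ofbiz-containers.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample (simplified from the real file layout): one connector
# with a weak list, one hardened to TLS 1.2 only, one with no explicit list.
SAMPLE_XML = """
<ofbiz-containers>
  <container name="catalina-container">
    <property name="https-connector" value="connector">
      <property name="sslProtocol" value="TLS"/>
      <property name="sslEnabledProtocols" value="SSLv3,TLSv1"/>
    </property>
    <property name="https-connector-hardened" value="connector">
      <property name="sslProtocol" value="TLS"/>
      <property name="sslEnabledProtocols" value="TLSv1.2"/>
    </property>
    <property name="https-connector-defaults" value="connector">
      <property name="sslProtocol" value="TLS"/>
    </property>
  </container>
</ofbiz-containers>
"""

# Protocol names that must never appear in an enabled list after POODLE.
WEAK = {"SSLV2", "SSLV3", "SSLV2HELLO"}


def audit_connectors(xml_text):
    """Return {connector name: (enabled protocol list, findings list)}."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("property"):
        if conn.get("value") != "connector":
            continue  # only the properties that define a connector
        props = {p.get("name"): p.get("value") for p in conn.findall("property")}
        findings = []
        enabled = props.get("sslEnabledProtocols")
        if enabled is None:
            # No explicit list: the JVM's JSSE defaults for sslProtocol apply,
            # so the effective set is not visible in the config at all.
            protocols = []
            findings.append("sslEnabledProtocols not set; JVM defaults decide")
        else:
            protocols = [p.strip() for p in enabled.split(",") if p.strip()]
            findings += [f"weak protocol enabled: {p}" for p in protocols
                         if p.upper() in WEAK]
        report[conn.get("name")] = (protocols, findings)
    return report


if __name__ == "__main__":
    for name, (protos, findings) in audit_connectors(SAMPLE_XML).items():
        print(name, protos, findings or ["ok"])
```

A config audit shows only what the file asks for; confirming what the running server actually negotiates still needs an external check such as the nmap run mentioned in the comment.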