[jira] [Commented] (OFBIZ-5848) Poodle-disable sslv3

Thu, 13 Nov 2014 07:36:17 -0800 

    [ 
https://issues.apache.org/jira/browse/OFBIZ-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14209911#comment-14209911
 ] 

Jacopo Cappellato commented on OFBIZ-5848:
------------------------------------------

Thanks for the report Jacques.
This is really a pain and it is probably happening because the tests we wrote 
are wrong: they assume a specific order of execution in the tests (which is not 
guaranteed and can change with the JVM being used).
In this specific case, there was one test executed before the one that created 
3 records in the entity "Testing" of type "TEST-COUNT-VIEW" and didn't remove 
them.
I am going to commit a fix (for the test) soon.

> Poodle-disable sslv3
> --------------------
>
>                 Key: OFBIZ-5848
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-5848
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: Trunk
>         Environment: unix
>            Reporter: Poodle Fixer
>            Assignee: Jacques Le Roux
>            Priority: Critical
>              Labels: patch, security
>             Fix For: Upcoming Branch, 12.04.06, 13.07.02
>
>         Attachments: OFBIZ-5848-java17-12.04.patch, 
> OFBIZ-5848-java17-12.04.patch
>
>
> {panel:title= WARNING ABOUT THE FIX|bgColor=red}
> *We will certainly have to evolve this in the future because this correction 
> forces the protocol to TLSv1.2*
> {panel}
> [~jacques.le.roux]: I have put a reminder for myself to follow the status of 
> the Poodle issue in Tomcat
> ----
> Hi there-- 
> This topic seemed relevant because it is a major security issue that recently 
> came up and will affect many ecommerce sites for ofbiz. 
> I am in process of trying to disable sslv3 on our version of of 
> ofbiz uses tomcat 6. 
> This is to eliminate the security vulnerability from poodle bleed. 
> http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed
> We have tried updating the of ofbiz-containers.xml file like below, but it 
> did not disable sslv3. Poodle is still there. 
> I have also seen fixes that update server.xml with something similar. 
> <property name="sslProtocol" value="TLS"/>  
> <property name="sslEnabledProtocols" value="TLSv1"/>  
> Has anyone else had luck fixing the poodle issue on Apache ofbiz? 
> Or in any of biz products… where is the best place to fix this in of biz??
> Thanks! 
> The Poodle fixer :)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to