Remove SSLv2 and SSLv3 from valid cipher suites

HasiPopasi

Remove SSLv2 and SSLv3 from valid cipher suites

Post by HasiPopasi »

Hi all,

In light of the latest developments regarding the security of SSL encryption, it would be time to remove the insecure cipher algorithms SSLv2Hello and SSLv3 from the list of valid cipher suites. Madsonic provides them, as stated in the log file:

Code:

oejus.SslContextFactory:Enabled Protocols [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]

Question: How do I disable SSLv2Hello and SSLv3? I can't find a setting for this, and Madsonic seems to use an embedded version of Jetty without any way for the user to change this server setting.
DoCC

Re: Remove SSLv2 and SSLv3 from valid cipher suites

Post by DoCC »

The smoothest way to use your own selected SSL features:
try running Madsonic on localhost without SSL
and set up an Apache proxy server with SSL support.
This will do the trick very well, and you can create your own certs : )
ootuoyetahi

Re: Remove SSLv2 and SSLv3 from valid cipher suites

Post by ootuoyetahi »

HasiPopasi wrote:
Hi all,

In light of the latest developments regarding the security of SSL encryption, it would be time to remove the insecure cipher algorithms SSLv2Hello and SSLv3 from the list of valid cipher suites. Madsonic provides them, as stated in the log file:

Code:

oejus.SslContextFactory:Enabled Protocols [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]

Question: How do I disable SSLv2Hello and SSLv3? I can't find a setting for this, and Madsonic seems to use an embedded version of Jetty without any way for the user to change this server setting.
Were you ever able to figure out how to disable sslv3?
Madsonic

Re: Remove SSLv2 and SSLv3 from valid cipher suites

Post by Madsonic »

Hi there,

I'll change it per your security suggestion :thumbsup:

Code:

            if (isHttpsEnabled()) {
                SslSocketConnector sslConnector = new SslSocketConnector();
                // The connector owns its SslContextFactory; configure it in place.
                SslContextFactory sslContextFactory = sslConnector.getSslContextFactory();
                // Drop the weak single-DES and 40-bit export cipher suites.
                sslContextFactory.setExcludeCipherSuites(
                        new String[] {
                            "SSL_RSA_WITH_DES_CBC_SHA",
                            "SSL_DHE_RSA_WITH_DES_CBC_SHA",
                            "SSL_DHE_DSS_WITH_DES_CBC_SHA",
                            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                            "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
                            "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
                            "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
                        });
                // Exclude the legacy protocols so only TLSv1, TLSv1.1 and TLSv1.2 stay enabled.
                sslContextFactory.addExcludeProtocols(new String[]{"SSLv3","SSLv2Hello"});
                ...
            }
result:

Code:

2015-05-06 09:46:07.497:INFO:oejus.SslContextFactory:Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
https://github.com/MadMarty/madsonic-se ... 58f339a755
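As an added example (not code from the thread or from the Madsonic project), a small Python check that parses the Jetty SslContextFactory log line quoted above and reports which legacy protocols are still enabled, using the two log lines from this thread as sample input. The function and constant names are my own.

```python
import re

# Jetty's SslContextFactory logs "Enabled Protocols [enabled...] of [supported...]".
LOG_RE = re.compile(r"Enabled Protocols \[([^\]]*)\] of \[([^\]]*)\]")

# Protocols that should never be negotiated: SSLv3, plus the SSLv2-style
# ClientHello wrapper (SSLv2Hello) that the JDK lists alongside it.
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}


def _split_list(text):
    """Turn 'A, B, C' into ['A', 'B', 'C'], ignoring empty entries."""
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_enabled_protocols(line):
    """Return (enabled, supported) from a SslContextFactory log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return _split_list(m.group(1)), _split_list(m.group(2))


def weak_protocols_enabled(line):
    """Sorted list of weak protocols that the line reports as enabled."""
    parsed = parse_enabled_protocols(line)
    if parsed is None:
        return []
    enabled, _supported = parsed
    return sorted(p for p in enabled if p in WEAK_PROTOCOLS)


def audit_log(lines):
    """Map 1-based line number -> weak protocols for every offending line."""
    findings = {}
    for lineno, line in enumerate(lines, 1):
        weak = weak_protocols_enabled(line)
        if weak:
            findings[lineno] = weak
    return findings


# Sample input: the two log lines quoted in this thread (before and after the fix).
SAMPLE_LOG = [
    "oejus.SslContextFactory:Enabled Protocols [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]",
    "2015-05-06 09:46:07.497:INFO:oejus.SslContextFactory:Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]",
]

if __name__ == "__main__":
    for lineno, weak in audit_log(SAMPLE_LOG).items():
        print(f"line {lineno}: weak protocols still enabled: {', '.join(weak)}")
```

Run it against the Madsonic log after a restart; an empty result means the exclusion from the patch above took effect.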