Posted Thu, 01 Jan 2015 06:00:00 GMT by Portal Admin

InterMapper 5.8.2 will update OpenSSL and allow for custom configuration.

Upgrading the OpenSSL library for the next release will include the ability to disable the SSLv3 protocol.

"A single configuration file will be used to affect all SSL-based servers, collectively (IM web, IM kali server, IMDC web). Users will be able to specify which protocols are supported, which ciphers are supported, and disable other potentially vulnerable SSL features such as client-initiated session renegotiation."

The rest of this note covers disabling TLSv1.0 so that only the later TLS protocol versions are accepted.

Our Java clients currently request SSLv3/TLSv1.0 connections. This is because, for the "SSL" context, Java 7 enables only the SSLv3 and TLSv1.0 protocols by default. (Java 8 enables those plus TLSv1.1 and TLSv1.2.)

For maximum compatibility, customers should leave TLSv1.0 enabled in ssl.conf. The following is for those that really, really, (really) want to disable it.

It is possible to enable the newer TLS protocols by explicitly using "TLSv1.1" or "TLSv1.2" SSL contexts. This appears to work on Oracle and OpenJDK Java 7 VMs. So, I've allowed the SSL context name to be overridden using the Java system property com.helpsystems.net.SSLContextName. For example:

/usr/local/bin/intermapper -Dcom.helpsystems.net.SSLContextName="TLSv1.2"

./intermapper_remoteaccess.sh -Dcom.helpsystems.net.SSLContextName="TLSv1.2"

This works with ssl.conf with Protocols set to "TLSv1.1:TLSv1.2". (Remember to restart both IM server and IMDC after changing ssl.conf.)

Note that no client (Java UI, switches, IMDC) earlier than 5.8.2 will support TLSv1.1 or TLSv1.2, and connection attempts for such a configuration will fail with the following in the IM server log, due to a TLSv1.0 connection being attempted:

14:57:44 SSLError(1) - 336027900 (Unknown reason) = error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

(Java UI refuses to connect with a "Connection reset" box under these conditions, without the context name override.)
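After restricting ssl.conf to TLSv1.1:TLSv1.2, the quickest way to find out whether pre-5.8.2 clients are still out there is to watch the IM server log for the SSLError line above. The scanner below is an added example (not InterMapper code): it parses lines of that layout, groups them by OpenSSL function and reason, and counts the handshakes that failed because the client offered a protocol the server no longer accepts. The first log line is the one quoted in the post; the other sample lines, including the "Connection from ... closed" line and the "wrong version number" entry, are constructed for illustration and are not real IM server output.

```python
"""Scan an InterMapper server log for OpenSSL handshake failures (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Layout of the SSLError line quoted in the post:
#   HH:MM:SS SSLError(1) - 336027900 (Unknown reason) = error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL_ERROR_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) SSLError\((?P<slot>\d+)\) - (?P<code_dec>\d+) "
    r"\((?P<code_text>[^)]*)\) = error:(?P<code_hex>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

# OpenSSL reasons that mean the client offered a protocol version the server
# does not accept. "unknown protocol" is what the post shows for a TLSv1.0
# client against a TLSv1.1:TLSv1.2 server; "wrong version number" is the
# other common OpenSSL wording for the same class of mismatch.
PROTOCOL_MISMATCH_REASONS = {"unknown protocol", "wrong version number"}


def parse_ssl_error(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one SSLError line, or None for any other line."""
    m = SSL_ERROR_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, object] = dict(m.groupdict())
    # The decimal number and the hex code are the same OpenSSL error value
    # (336027900 == 0x140760FC); flag a line where they disagree so that a
    # truncated or hand-edited entry is not trusted.
    fields["consistent"] = int(m["code_dec"]) == int(m["code_hex"], 16)
    return fields


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse every SSLError line in the log, skipping everything else."""
    return [f for f in (parse_ssl_error(line) for line in lines) if f is not None]


def failures_by_reason(lines: Iterable[str]) -> Counter:
    """Count SSLError lines per (OpenSSL function, reason) pair."""
    return Counter((f["func"], f["reason"]) for f in scan(lines))


def protocol_mismatch_count(lines: Iterable[str]) -> int:
    """Handshakes rejected because the client offered an unsupported protocol."""
    return sum(1 for f in scan(lines) if f["reason"] in PROTOCOL_MISMATCH_REASONS)


# Constructed sample log. Line 1 is quoted from the post; the rest are made up
# to show a mixed log (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "14:57:44 SSLError(1) - 336027900 (Unknown reason) = error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol",
    "14:57:45 Connection from 192.0.2.10 closed",
    "14:58:02 SSLError(1) - 336109835 (Unknown reason) = error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number",
    "14:58:10 SSLError(1) - 336027900 (Unknown reason) = error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol",
]

if __name__ == "__main__":
    for (func, reason), n in failures_by_reason(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {func}: {reason}")
    print("protocol mismatches:", protocol_mismatch_count(SAMPLE_LOG))
```

A steady trickle of "unknown protocol" entries after the change is the signal that some client, switch or IMDC has not been upgraded or is running without the SSLContextName override; the timestamps tell you when to look at the connection source.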

You should still be able to connect to older IM server versions even with the SSLContextName override set, as both "TLSv1.1" and "TLSv1.2" contexts also enable TLSv1.0. The server will select the highest available protocol in common with the client (taking also the cipher specification into account).
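The compatibility rules spread over this note (what each Java context offers, what ssl.conf allows, and the server picking the highest version in common) can be worked through before touching a production ssl.conf. The model below is an added example, not InterMapper or Java code: it parses a colon-separated Protocols value as in "TLSv1.1:TLSv1.2", models the protocol list a client offers for a given Java major version and SSLContext name, and returns the negotiated version or None when the handshake would fail. The per-context lists follow the statements in the note (Java 7 "SSL" context: SSLv3 and TLSv1.0; Java 8 "SSL" context adds TLSv1.1 and TLSv1.2; the "TLSv1.1" and "TLSv1.2" contexts also enable TLSv1.0). That the "TLSv1.1" context offers nothing above TLSv1.1, and that neither override context offers SSLv3, are assumptions; cipher selection is ignored.

```python
"""Model of the protocol negotiation described in the note (added example)."""
from typing import Dict, List, Optional, Tuple

# Lowest to highest. The ordering and the spellings are assumptions; the
# note writes TLSv1.0 in prose and TLSv1.1:TLSv1.2 in ssl.conf.
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
ALIASES = {"TLSv1.0": "TLSv1", "SSLv3.0": "SSLv3"}

# Protocols a Java client offers per (Java major version, SSLContext name).
# The "SSL" rows and the TLSv1.0 entries of the override rows are from the
# note; the absence of SSLv3 in the override rows and the upper bound of the
# "TLSv1.1" row are assumptions.
JAVA_CONTEXT_PROTOCOLS: Dict[Tuple[int, str], List[str]] = {
    (7, "SSL"): ["SSLv3", "TLSv1"],
    (8, "SSL"): ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
    (7, "TLSv1.1"): ["TLSv1", "TLSv1.1"],
    (7, "TLSv1.2"): ["TLSv1", "TLSv1.1", "TLSv1.2"],
}


def canonical(name: str) -> str:
    """Normalise a protocol token to the spelling used in VERSION_ORDER."""
    token = ALIASES.get(name.strip(), name.strip())
    if token not in VERSION_ORDER:
        raise ValueError(f"unknown protocol name: {name!r}")
    return token


def parse_protocols(value: str) -> List[str]:
    """Parse an ssl.conf Protocols value such as 'TLSv1.1:TLSv1.2'."""
    protocols = [canonical(t) for t in value.split(":") if t.strip()]
    if not protocols:
        raise ValueError("Protocols value enables nothing")
    return protocols


def client_protocols(java_major: int, context_name: str) -> List[str]:
    """Protocol list the Java UI offers for the given context name."""
    try:
        return JAVA_CONTEXT_PROTOCOLS[(java_major, context_name)]
    except KeyError:
        raise ValueError(f"no model for Java {java_major} context {context_name!r}")


def negotiate(server: List[str], client: List[str]) -> Optional[str]:
    """Highest version both sides enable, or None if they share none."""
    common = set(server) & set(client)
    return max(common, key=VERSION_ORDER.index) if common else None


def check(protocols_value: str, java_major: int, context_name: str = "SSL") -> Optional[str]:
    """Outcome for one ssl.conf Protocols value against one Java client setup."""
    return negotiate(parse_protocols(protocols_value), client_protocols(java_major, context_name))


if __name__ == "__main__":
    for server, java, ctx in [
        ("TLSv1.1:TLSv1.2", 7, "SSL"),      # pre-5.8.2 style client: fails
        ("TLSv1.1:TLSv1.2", 7, "TLSv1.2"),  # with the SSLContextName override
        ("SSLv3:TLSv1", 7, "TLSv1.2"),      # override talking to an older server
        ("TLSv1.1:TLSv1.2", 8, "SSL"),      # Java 8 default context
    ]:
        print(f"{server:18} Java {java} {ctx:8} -> {check(server, java, ctx)}")
```

The first case is the failure the note describes (the server log shows the "unknown protocol" error); the third shows why the override is safe to leave set against older servers, which still end up on TLSv1.0.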
