| Products | Versions |
|---|---|
| TIBCO Runtime Agent (TRA) | - |
| Not Applicable | - |
Impact of the POODLE Vulnerability:
All systems and applications that use Secure Sockets Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability against web browsers and web servers, which is one of the most likely exploitation scenarios.
How it impacts TRA and Admin:
An Admin Server with SSL enabled is vulnerable if the POODLE hotfix released for TRA has not been applied.
Solution:
TRA Engineering has released POODLE fixes for TRA 5.9.0, TRA 5.8.0 and TRA 5.7.4 customers; details can be found in LBN:42079. These hotfixes remove support for the SSLv3 protocol so that only TLS 1.0 and higher are accepted.
How to test the POODLE Hotfix:
1. Say your Admin service is running on https://<HOST IP>:8443.
2. Execute the following command on a Linux system where OpenSSL is installed (OpenSSL can also be installed on Windows), replacing the address with your Admin host:

```
openssl s_client -ssl3 -connect 10.108.114.104:8443
```

3. When forced to SSLv3 the handshake should fail (SSL alert number 40) and the output should show "Secure Renegotiation IS NOT supported":

```
[root@1paspdocco65a1 ~]# openssl s_client -ssl3 -connect 10.108.114.104:8443
CONNECTED(00000003)
140136666437448:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140136666437448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1418254326
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
```
When the same command is run with -tls1, the handshake completes and you should see "Secure Renegotiation IS supported", which is the expected result:
```
[root@1paspdocco65a1 ~]# openssl s_client -tls1 -connect 10.108.114.104:8443
CONNECTED(00000003)
depth=0 CN = tibco.test.com, C = US, ST = california, L = palo alto, O = tibco, OU = test, emailAddress = hchapara@tibco.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = tibco.test.com, C = US, ST = california, L = palo alto, O = tibco, OU = test, emailAddress = hchapara@tibco.com
verify return:1
---
Certificate chain
 0 s:/CN=tibco.test.com/C=US/ST=california/L=palo alto/O=tibco/OU=test/emailAddress=hchapara@tibco.com
   i:/CN=tibco.test.com/C=US/ST=california/L=palo alto/O=tibco/OU=test/emailAddress=hchapara@tibco.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=tibco.test.com/C=US/ST=california/L=palo alto/O=tibco/OU=test/emailAddress=hchapara@tibco.com
issuer=/CN=tibco.test.com/C=US/ST=california/L=palo alto/O=tibco/OU=test/emailAddress=hchapara@tibco.com
---
No client certificate CA names sent
---
SSL handshake has read 1811 bytes and written 359 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 026DF6C349BF38BE004407B74A0AF7CF
    Session-ID-ctx:
    Master-Key: E835537CCFD76ACF538993734BB88BBBE8A7C87750239A03D509FDF842EF9AE248F75107274EE51DD3744AC643BAEE2E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1418256850
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
closed
```
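As an added example (not part of the TIBCO article), the following POSIX shell script wraps the check above so it can be run across several Admin server endpoints: it classifies `openssl s_client -ssl3` output as VULNERABLE (a cipher was negotiated over SSLv3), OK (the server refused the handshake) or UNKNOWN, and embeds constructed sample outputs abridged from the two sessions above so the classifier can be exercised offline. It assumes the local OpenSSL build still accepts `-ssl3`, which recent OpenSSL releases do not unless SSLv3 was compiled in.

```shell
#!/bin/sh
# Added example, not part of the TIBCO article: classify `openssl s_client -ssl3`
# output and sweep Admin server endpoints for SSLv3 acceptance after the hotfix.
# classify_handshake: reads s_client output on stdin and prints one word.
#   VULNERABLE - a cipher was negotiated over SSLv3 (hotfix missing)
#   OK         - the server refused SSLv3 with a handshake failure (alert 40)
#   UNKNOWN    - output matched neither pattern (connection refused, typo, ...)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Protocol *: *SSLv3' &&
       ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo VULNERABLE
    elif printf '%s\n' "$out" | grep -q 'handshake failure'; then
        echo OK
    else
        echo UNKNOWN
    fi
}

# check_endpoint HOST:PORT - runs the article's command against one endpoint.
# Assumes an OpenSSL build that still accepts -ssl3 (disabled in modern builds).
check_endpoint() {
    openssl s_client -ssl3 -connect "$1" </dev/null 2>&1 | classify_handshake
}

# Constructed sample outputs, abridged from the article's two sessions, so the
# classifier can be exercised offline.
PATCHED_SAMPLE='CONNECTED(00000003)
140136666437448:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
    Protocol  : SSLv3
    Cipher    : 0000'

UNPATCHED_SAMPLE='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Secure Renegotiation IS supported
    Protocol  : SSLv3
    Cipher    : EDH-RSA-DES-CBC3-SHA'

# Usage: sh poodle_check.sh 10.108.114.104:8443 [HOST:PORT ...]
# With no arguments only the offline samples are classified.
if [ "$#" -eq 0 ]; then
    printf 'sample patched:   %s\n' "$(printf '%s\n' "$PATCHED_SAMPLE" | classify_handshake)"
    printf 'sample unpatched: %s\n' "$(printf '%s\n' "$UNPATCHED_SAMPLE" | classify_handshake)"
fi
for ep in "$@"; do
    printf '%-25s %s\n' "$ep" "$(check_endpoint "$ep")"
done
```

A result of UNKNOWN usually means the port was unreachable or the local OpenSSL refused the -ssl3 option, so confirm the TLS 1.0 connection separately before treating the host as patched.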