How to enable SSLv3 for backward compatibility after applying POODLE vulnerability fix.

Article ID: KB0093788

Products: TIBCO Runtime Agent (TRA) 5.8.0, 5.9.0, 5.9.1, 5.10.0
Versions: Not Applicable

Description

The POODLE vulnerability fix disables SSLv3, which is obsolete and should no longer be used. After applying the TIBCO Runtime Agent (TRA) hotfix that addresses the POODLE vulnerability (CVE-2014-3566; refer to LBN 000028059), some customers still need to enable SSLv3 for backward compatibility with clients that support only SSLv3.

Resolution

NOTE: SSLv3 is obsolete and should no longer be used. TIBCO recommends permanently disabling SSLv3 and using only TLSv1.2 and TLSv1.1.

For backward compatibility with software that supports only SSLv3, you can enable the SSLv3 protocol by setting the following system-wide properties for client-side and server-side connections in the .tra file:

============================
java.property.com.tibco.security.ssl.client.EnableSSLv3=true
java.property.com.tibco.security.ssl.server.EnableSSLv3=true
============================
 
Note
  • If you are using a TRA that bundles JDK 7u75 (1.7.0.76) or a higher patch, or JDK 8u31 (1.8.0.31) or a higher patch, then SSLv3 is disabled by default.
  If you want to re-enable SSLv3.0 on either 8u31 or 7u75, all you have to do is remove the following line in JRE_HOME/lib/security/java.security:
  jdk.tls.disabledAlgorithms=SSLv3
 
 
Solution 1:
You will have to manually remove SSLv3 from the property jdk.tls.disabledAlgorithms in <JRE_HOME>/lib/security/java.security.
 
============================
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768 
============================
 
============================
SSLv3 is disabled by default.

Starting with the JDK 7u75 release, the SSLv3 protocol (Secure Socket Layer) has been deactivated and is not available by default. See the java.security.Security property jdk.tls.disabledAlgorithms in the <JRE_HOME>/lib/security/java.security file.

If SSLv3 is absolutely required, the protocol can be reactivated by removing "SSLv3" from the jdk.tls.disabledAlgorithms property in the java.security file or by dynamically setting this Security property to "true" before JSSE is initialized.

============================

 

Solution 2: If you want to make the change only at the application level, create a copy of the file java.security as my.java.security and enable SSLv3 in that copy (that is, remove SSLv3 from jdk.tls.disabledAlgorithms there).


Now, add the following parameter to the application's .tra file as an extended property (-Djava.security.properties=my.java.security):

-----------------------------------------------------
java.extended.properties=-Djava.security.properties=<PATH_TO>/my.java.security
-----------------------------------------------------
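The following script is an added example, not TIBCO's own code: it builds the application-scoped my.java.security override from Solution 2 by dropping only "SSLv3" from jdk.tls.disabledAlgorithms while keeping every other disabled algorithm (such as "DH keySize < 768") in place, so the JRE-wide java.security file stays untouched. All file names, the helper functions and the sample java.security content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not TIBCO's own code): derive an application-scoped
# my.java.security override from a JRE java.security file, removing only
# "SSLv3" from jdk.tls.disabledAlgorithms and keeping every other entry.
# All file names and the sample java.security fragment are constructed.

# make_override SRC DST: copy SRC to DST, removing SSLv3 from the
# jdk.tls.disabledAlgorithms list. Every other line is copied unchanged.
# The three substitutions cover SSLv3 as the first, a middle/last, or the
# only entry of the comma-separated list.
make_override() {
    sed -E '/^jdk\.tls\.disabledAlgorithms=/{
s/=[[:space:]]*SSLv3[[:space:]]*,[[:space:]]*/=/
s/,[[:space:]]*SSLv3[[:space:]]*(,|$)/\1/
s/=[[:space:]]*SSLv3[[:space:]]*$/=/
}' "$1" > "$2"
}

# disabled_algorithms FILE: print the value of jdk.tls.disabledAlgorithms.
disabled_algorithms() {
    sed -n 's/^jdk\.tls\.disabledAlgorithms=//p' "$1"
}

# sslv3_enabled FILE: succeed (exit 0) when SSLv3 is no longer listed as
# disabled in FILE, i.e. JSSE loading FILE would offer SSLv3 again.
sslv3_enabled() {
    ! disabled_algorithms "$1" | grep -Eq '(^|,)[[:space:]]*SSLv3[[:space:]]*(,|$)'
}

# tra_line OVERRIDE: the extended property to add to the application .tra file.
tra_line() {
    printf 'java.extended.properties=-Djava.security.properties=%s\n' "$1"
}

# Demo on a constructed java.security fragment (only the lines that matter).
WORK=$(mktemp -d)
cat > "$WORK/java.security" <<'EOF'
# constructed fragment of <JRE_HOME>/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
EOF
make_override "$WORK/java.security" "$WORK/my.java.security"
disabled_algorithms "$WORK/my.java.security"   # DH keySize < 768
tra_line "$WORK/my.java.security"
```

Because the override is loaded through -Djava.security.properties, only the application whose .tra file carries that extended property offers SSLv3; every other JVM on the host keeps the default (disabled) setting.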

NOTE: Please take a backup of the files before making any changes.

Issue/Introduction

How to enable SSLv3 for backward compatibility after applying POODLE vulnerability fix.

Additional Information

LBN 42079, http://www.oracle.com/technetwork/java/javase/7u76-relnotes-2389087.html

CVE-2014-3566: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566