ssl vulnerability

Hi server admins,

Google today published a vulnerability in SSL which could allow an attacker to decrypt “secure” connections:

http://googleonlinesecurity.blogspot.se/2014/10/this-poodle-bites-exploiting-ssl-30.html

For a dhis system the most practical solution is to simply disable SSL and rely on TLS, as it’s mostly Internet Explorer 6 that does not support TLS, and DHIS 2 does not support IE 6 anyway.

I have upgraded the nginx installation docs here. To disable SSL and add support for all TLS versions you can change this line:

ssl_protocols  SSLv3 TLSv1.1 TLSv1.2;

to this:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

regards,

Lars

If you’re running Apache, the fix is to update the following line in your SSL config, usually in /etc/httpd/conf.d/ssl.conf:

SSLProtocol all -SSLv2 -SSLv3

Dan Cocos
BAO Systems www.baosystems.com

T: +1 202-352-2671 | skype: dancocos

On Oct 15, 2014, at 1:03 PM, Lars Helge Øverland larshelge@gmail.com wrote:

Mailing list: https://launchpad.net/~dhis2-devs
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help : https://help.launchpad.net/ListHelp
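
Added example, not part of the thread: a small auditor that reads nginx `ssl_protocols` and Apache `SSLProtocol` directives and reports whether each one still leaves SSLv3 enabled. The function names are hypothetical, Apache's `all` shortcut is assumed to include SSLv3, and a bare Apache protocol name is assumed to replace the set built so far.

```python
# Constructed sample: lines 1-3 are the directives quoted in the thread,
# lines 4-5 are made up to exercise the parser.
SAMPLE = """\
ssl_protocols  SSLv3 TLSv1.1 TLSv1.2;   # nginx line before the change
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # nginx line after the change
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv2
# SSLProtocol all
"""

# Conservative assumption: Apache's "all" shortcut includes SSLv3.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def nginx_protocols(args):
    """nginx ssl_protocols: a plain list of the protocols to enable."""
    return {a.rstrip(";").lower() for a in args} - {""}


def apache_protocols(args):
    """Apache SSLProtocol: tokens applied left to right with +/- prefixes."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = APACHE_ALL if name.lower() == "all" else {name.lower()}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            # Assumption: a bare name replaces whatever was set so far.
            enabled = set(names)
    return enabled


def audit(config_text):
    """Return (line_no, directive, sslv3_enabled) per protocol directive."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not words:
            continue
        directive, args = words[0], words[1:]
        if directive == "ssl_protocols":
            protos = nginx_protocols(args)
        elif directive.lower() == "sslprotocol":
            protos = apache_protocols(args)
        else:
            continue
        findings.append((no, directive, "sslv3" in protos))
    return findings


if __name__ == "__main__":
    for no, directive, on in audit(SAMPLE):
        print(f"line {no}: {directive}: SSLv3 {'ENABLED' if on else 'disabled'}")
```
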

You can check if you're safe using this free tool: https://www.tinfoilsecurity.com/poodle

regards,

On Wed, Oct 15, 2014 at 7:11 PM, Dan dan@dancocos.com wrote:
