CVE-2014-3566 or "POODLE" SSLv3 security bug - Zend Server


Synopsis

In order to protect against the recently discovered POODLE vulnerability, we recommend that all users of Zend Server disable SSLv3 support on any SSL-enabled service they may be running.

For convenience, we’re including instructions on how to disable SSLv3 on several different relevant Web Servers.


Actions Required

Apache (Linux, Windows)

OS                 Typical Config File Location
Debian/Ubuntu      /etc/apache2/mods-available/ssl.conf
RHEL/CentOS/OEL    /etc/httpd/conf.d/ssl.conf
Windows            C:\Program Files (x86)\Zend\Apache2\conf\zend.conf

IBM i

The SSL protocol on IBM i is controlled by the system value QSSLPCL. Starting with 7.1, the SSL protocol can also be configured through the enhanced application definition support in Digital Certificate Manager (DCM). To locate this support, select ‘Manage Applications’ and then ‘Update application definition’ from the left-hand panel in DCM. Once the application to update has been selected, the ‘Update Application Definition’ panel displays the new fields that can be updated. Use these fields to control both the ciphers and the protocols used by the application.


Once you have found the file, search for the line containing the ‘SSLProtocol’ directive and add ‘-SSLv3’ to the end of it, e.g.:

SSLProtocol All -SSLv2 -SSLv3

Restart the service (from the Zend Server UI or using Apache’s control scripts/utility).


Lighttpd (Linux only)

Lighttpd is used as the backend web server for the Zend Server UI.

The relevant configuration file is located at /usr/local/zend/gui/lighttpd/etc/lighttpd.conf

Locate the section that defines the service for port 10082 and add the statement ssl.use-sslv3 = "disable" to it (the added line is marked with +), e.g.:

$SERVER["socket"] == ":10082" {
    ssl.engine = "enable"
+   ssl.use-sslv3 = "disable"
    ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
    ssl.pemfile = "ZCE_PREFIX/etc/tls/certs/lighttpd.pem"
}

Restart the service by running ‘/usr/local/zend/bin/lighttpdctrl.sh restart’


NGINX

The out-of-the-box NGINX configuration does not restrict the SSL/TLS protocols at all, so you must do so explicitly.

1. Start by looking for configuration lines holding 'ssl_protocols':

# grep ssl_protocols /etc/nginx -r | grep -v :#

Note: the second grep drops commented-out lines from the results.

2. If you located an 'ssl_protocols' directive in any configuration file, verify that it does not include SSLv3. If a change is needed, back up the configuration file, edit it to remove SSLv3 from ssl_protocols, and save it, so that the directive reads:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

3. If you did not locate any lines with 'ssl_protocols', you should insert one.

Perform these steps to drop SSLv3 support on all sites.

* Backup NginX main conf file:

# cp /etc/nginx/nginx.conf{,-back}

* Edit NginX conf:

# vi /etc/nginx/nginx.conf

* Insert a new line directly below the line containing 'http {' and put the ssl_protocols directive on it:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

___

4. After any change in configuration files, restart NginX (using zendctl.sh or nginx service control script).

Microsoft IIS

Follow Microsoft’s official instructions at http://support2.microsoft.com/kb/187498/en-us


Testing the change of configuration

If you have the openssl utility, you can confirm that you have successfully disabled SSLv3 support by running the following commands on the server (port 443 is the Apache/NGINX site, port 10082 is the Zend Server UI):

# openssl s_client -connect localhost:443 -ssl3

# openssl s_client -connect localhost:10082 -ssl3

If SSLv3 has been disabled successfully, both commands should fail with an error such as “sslv3 alert handshake failure”.

We will soon release a new PHP 5.4 build for Zend Server 7.0 with security fixes. It should also include this configuration change for the Lighttpd that is bundled with Zend Server.
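The s_client commands above test the live service. As an added example (not Zend Server code), the following script audits saved configuration text for the three directives this article edits, so a change can be reviewed before the restart; the sample snippets inside it are constructed, and the defaults it assumes when a directive is missing are stated in the docstring.

```python
"""Offline audit for residual SSLv3 in the three configs the article edits.
Added example (not Zend Server code); sample snippets are constructed.
Assumed defaults with no directive present: Apache 'all' includes SSLv3,
nginx before 1.9.1 enabled SSLv3, lighttpd before 1.4.36 enabled it."""
import re

# Model of mod_ssl's "all" keyword on a build without SSLv2 (assumption).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in APACHE_ALL | {"SSLv2"}}

def _directives(config, pattern):
    """Yield the argument group of every uncommented line matching pattern."""
    for line in config.splitlines():
        m = re.match(pattern, line.split("#", 1)[0].strip(), re.IGNORECASE)
        if m:
            yield m.group(1)

def apache_sslv3_enabled(config):
    """SSLProtocol tokens in order: bare or '+' adds, '-' removes, 'all'
    expands; the last directive in the text wins (single-context model)."""
    enabled, found = set(APACHE_ALL), False
    for args in _directives(config, r"SSLProtocol\s+(.+)"):
        found, enabled = True, set()
        for tok in args.split():
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            names = APACHE_ALL if name.lower() == "all" else {CANON.get(name.lower(), name)}
            enabled = enabled - names if sign == "-" else enabled | names
    return "SSLv3" in enabled if found else True

def nginx_sslv3_enabled(config):
    """SSLv3 is on if any ssl_protocols list names it, or if none exists."""
    lists = [a.lower().split() for a in _directives(config, r"ssl_protocols\s+([^;]+);")]
    return any("sslv3" in l for l in lists) if lists else True

def lighttpd_sslv3_enabled(config):
    """Only ssl.use-sslv3 = "disable" turns SSLv3 off."""
    vals = list(_directives(config, r'ssl\.use-sslv3\s*=\s*"(\w+)"'))
    return vals[-1].lower() != "disable" if vals else True

# Constructed samples: the article's fixed lines versus a leftover default.
APACHE_OK = "SSLProtocol All -SSLv2 -SSLv3\n"
APACHE_BAD = "SSLProtocol all -SSLv2   # SSLv3 still inside 'all'\n"
NGINX_OK = "http {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_BAD = "server {\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
LIGHTTPD_OK = 'ssl.engine = "enable"\nssl.use-sslv3 = "disable"\n'
LIGHTTPD_BAD = 'ssl.engine = "enable"\n'
```

Feed each function the text of the relevant file; a True result means SSLv3 is still accepted and the openssl check above will still complete a handshake.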

-------------------------

Future releases of Zend Server (starting with 8.0GA) will disable SSLv3 by default.


PHP Client Code

Also make sure that none of your PHP cURL code forces SSLv3. Comment out any lines like the following in your sources so that SSLv3 is no longer requested:

CURLOPT_SSLVERSION => 3
curl_setopt($ch, CURLOPT_SSLVERSION, 3);


-------------------------

Useful Links:

https://raymii.org/s/articles/Check_servers_for_the_Poodle_bug.html
http://www.skytale.net/blog/archives/22-SSL-cipher-setting.html
https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html
The 2nd guide has links to Apache and NginX config as well.

Internal BUG: ZSRV-13940


Comments

  • Rob Starr

    We're running Zend Server 6.3 and the Job Queue is failing to connect without SSLv3 when zend_jobqueue.enable_https=1 in jqd.ini.

    The error msg in log/jqd.log => "Job 679071 failed. Bad HTTP response 0: SSL handshake failed".

    Can you confirm the Job Queue works with TLSv1+ or advise as to how we should proceed?

  • Zvika Dror

    HTTPS support started out as experimental and through later versions we dropped the old HTTP embedded client and created a new one from scratch.
    I can confirm that ZS 8.0.2 can run HTTPS jobs with TLS (on target SSL vhost not accepting SSLv2 and SSLv3).
