Disable SSLv3 by default as per POODLE vulnerability

Description

Need to disable SSLv3 wherever necessary as per the POODLE vulnerability.

Environment

None

Acceptance Test - Entry

None

Activity

Florian Buchmeier
December 15, 2014, 5:12 PM
Edited

Hi,

While browsing the source code of Openfire I found only two occurrences of "SslContextFactory":

  • src/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java

  • src/java/org/jivesoftware/openfire/http/HttpBindManager.java

The default ports for these services are 7433 (HTTP Bind) and 9091 (Admin Console).

But what about client connections on port 5222 using STARTTLS, do they support SSLv3 as well?

A connection test using a patched version of OpenSSL (see https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest) tells me that SSLv3 is enabled for client connections on my server. (The command used is: ./openssl s_client -connect myopenfireserver:5222 -ssl3 -starttls xmpp)

akrherz's patch addresses only the first two problems. (https://github.com/akrherz/Openfire/commit/83e03fe549be1f17618c8c39cf70757be09dcd3a)

Can you verify this behaviour and is it relevant?

Thank you very much,

Florian.
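As an added illustration (not Openfire's code and not akrherz's patch), this is how a plain JSSE listener, such as the STARTTLS path on 5222 that does not go through Jetty's SslContextFactory, can strip SSLv3 from the protocols an SSLEngine will negotiate; the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical helper: removes SSLv3 (and the SSLv2-format hello wrapper) from
// whatever the JDK enabled by default. On JDK 7-era runtimes, which Openfire ran
// on in 2014, SSLv3 was enabled unless the application removed it explicitly.
public final class SslV3Filter {

    private static final List<String> DENIED = Arrays.asList("SSLv3", "SSLv2Hello");

    // Returns the enabled protocol list minus the denied entries, order preserved.
    public static String[] withoutSslV3(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String p : enabled) {
            if (!DENIED.contains(p)) {
                kept.add(p);
            }
        }
        if (kept.isEmpty()) {
            // Refuse to silently leave the engine with no protocol at all.
            throw new IllegalStateException("no TLS protocol left after removing SSLv3");
        }
        return kept.toArray(new String[0]);
    }

    // Creates a server-side engine for an accepted connection and applies the filter
    // before the first handshake; the same call can be made on an SSLServerSocket.
    public static SSLEngine hardenServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setEnabledProtocols(withoutSslV3(engine.getEnabledProtocols()));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust material, sufficient for the demo
        SSLEngine engine = hardenServerEngine(ctx);
        System.out.println("Before: " + Arrays.toString(ctx.createSSLEngine().getEnabledProtocols()));
        System.out.println("After:  " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Once a listener uses the filtered engine, the `openssl s_client ... -ssl3 -starttls xmpp` check from the comment above should fail to complete a handshake, which is the observable confirmation an operator wants.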

wroot
December 15, 2014, 6:02 PM

Such questions should be directed to the linked forums thread. There is a comment about forcing a TLS-only connection for clients. You should then check whether it still reports SSLv3 being used.

Neustradamus
December 15, 2014, 10:20 PM
Edited

I see "HTTP Bind".
The http/https BOSH port is 5280: http://www.xmpp.org/extensions/xep-0124.html

I have created a ticket in the past about BOSH: #OF-626.

Assignee

Dave Cridland

Reporter

Daryl Herzmann

Labels

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Major