POODLE SSL Vulnerability and OpenDJ
This article explains how to stop OpenDJ from negotiating SSLv3, and so avoid the POODLE SSL vulnerability.
Archived
This article has been archived and is no longer maintained by ForgeRock.
POODLE vulnerability
The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability is a design defect in the SSL 3.0 protocol itself, so it affects every implementation of SSLv3 rather than a particular product. SSL 3.0's CBC cipher suites do not cover the padding bytes with the MAC, which gives a network attacker who can modify records a padding oracle; combined with clients that fall back to SSLv3 when a TLS handshake fails, this lets the attacker recover plaintext such as session cookies one byte at a time. It is described by its discoverers in a detailed PDF document (linked under See Also). More formally, it is CVE-2014-3566.
The attack is prevented by configuring the server to refuse all SSLv3 connections: a client cannot be downgraded to a protocol the server will not negotiate.
Caution
Disabling SSLv3 may prevent very old legacy client applications from working.
Because OpenDJ uses the Java® Virtual Machine's SSL/TLS implementation (JSSE), SSLv3 can be disabled for the whole JVM by adding SSLv3 to the jdk.tls.disabledAlgorithms security property in the JVM's java.security file (consult the JVM documentation for details). The deployment.properties file and the -Ddeployment.security.SSLv3=false system property are Java Plug-in and Java Web Start settings; they are not read by JSSE in a server JVM, so passing them to OpenDJ through its java.properties file has no effect on the server. This article discusses the alternative of reconfiguring OpenDJ itself; this is the recommended approach because it makes the permitted protocols explicit in the OpenDJ configuration rather than dependent on the JVM version and its security properties.
SSLv3 is disabled by default from JDK 7u75 and JDK 8u31 onwards, where SSLv3 was added to jdk.tls.disabledAlgorithms. On those JVMs OpenDJ will not negotiate SSLv3 even without the changes below; making the change in OpenDJ keeps that guarantee when the JVM is swapped or its security properties are edited.
Reconfiguring OpenDJ
You must reconfigure the following settings:
- The LDAPS Connection Handler if it is being used - this deals with LDAP over SSL/TLS;
- The LDAP Connection Handler if StartTLS is being used to negotiate SSL/TLS over a normal LDAP connection;
- The HTTP Connection Handler if it is being used - this provides a RESTful API onto the directory;
- The Administration Connector, which uses LDAPS;
- The Crypto Manager, which affects replication and LDAP Pass Through Authentication.
Note
These changes take effect immediately and do not require a restart, but they only affect new connections; SSLv3 sessions that are already established remain open until the client disconnects. The commands below list TLSv1, TLSv1.1 and TLSv1.2, which was the full set of TLS versions available when this article was written; TLSv1 and TLSv1.1 have since been deprecated (RFC 8996), so on a current deployment whose clients support it, list only TLSv1.2 (and TLSv1.3 where the JVM provides it).
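The sections that follow give one dsconfig command per component. As an added example, not ForgeRock's own script, the following POSIX shell script applies the same ssl-protocol list to all five components in one pass, then audits config.ldif offline for entries that are still unset or still list SSLv3, and probes the LDAPS and administration ports with openssl s_client to confirm that SSLv3 is refused. The hostname, ports, credentials, the config.ldif path and the location of the dsconfig binary are assumptions set through environment variables; the entry DNs are the standard OpenDJ ones shown in the config.ldif excerpts in this article.

```shell
#!/bin/sh
# Added example, not ForgeRock's script: put an explicit TLS-only ssl-protocol
# list on every OpenDJ component that negotiates SSL/TLS, audit config.ldif for
# entries still unset or still listing SSLv3, and probe listeners with openssl.
# Host, ports, credentials, paths and the dsconfig location are assumptions.
set -e

DSCONFIG="${DSCONFIG:-./dsconfig}"                 # OpenDJ bin/dsconfig
DS_HOST="${DS_HOST:-ds1.example.com}"
DS_ADMIN_PORT="${DS_ADMIN_PORT:-4444}"
DS_LDAPS_PORT="${DS_LDAPS_PORT:-636}"              # assumed LDAPS port
BIND_DN="${BIND_DN:-cn=Directory Manager}"
BIND_PW="${BIND_PW:-password}"
CONFIG_LDIF="${CONFIG_LDIF:-./config/config.ldif}"
# Same list as the article; on a current deployment prefer TLSv1.2 only.
PROTOCOLS="${PROTOCOLS:-TLSv1 TLSv1.1 TLSv1.2}"

# Run one dsconfig invocation. $1 is the subcommand; $2 is the handler name
# (only for set-connection-handler-prop). "set --" keeps names with spaces intact.
set_tls_only() {
    sub="$1"; name="${2:-}"
    set -- "$DSCONFIG" --hostname "$DS_HOST" --port "$DS_ADMIN_PORT" \
        --bindDN "$BIND_DN" --bindPassword "$BIND_PW" "$sub"
    if [ -n "$name" ]; then
        set -- "$@" --handler-name "$name"
    fi
    for p in $PROTOCOLS; do
        set -- "$@" --add "ssl-protocol:$p"
    done
    "$@" --trustAll --no-prompt
}

# The five components the article lists; drop the LDAP/HTTP line if that handler does not exist.
apply_all() {
    set_tls_only set-connection-handler-prop "LDAPS Connection Handler"
    set_tls_only set-connection-handler-prop "LDAP Connection Handler"
    set_tls_only set-connection-handler-prop "HTTP Connection Handler"
    set_tls_only set-administration-connector-prop
    set_tls_only set-crypto-manager-prop
}

# Offline audit of config.ldif ($1): each watched entry must carry an explicit
# ds-cfg-ssl-protocol list without SSLv3. No values means the JVM default applies,
# which on JDKs older than 7u75/8u31 still includes SSLv3. Returns 1 on any FAIL.
audit_config_ldif() {
    awk '
    BEGIN {
        RS = ""; FS = "\n"    # paragraph mode: one LDIF entry per record
        watch["cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config"] = 1
        watch["cn=LDAP Connection Handler,cn=Connection Handlers,cn=config"] = 1
        watch["cn=HTTP Connection Handler,cn=Connection Handlers,cn=config"] = 1
        watch["cn=Administration Connector,cn=config"] = 1
        watch["cn=Crypto Manager,cn=config"] = 1
    }
    {
        dn = ""; count = 0; sslv3 = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dn: /) dn = substr($i, 5)
            else if ($i ~ /^ds-cfg-ssl-protocol: /) {
                count++
                if (substr($i, 22) == "SSLv3") sslv3 = 1
            }
        }
        if (!(dn in watch)) next
        seen[dn] = 1
        if (sslv3) { print "FAIL " dn ": SSLv3 explicitly enabled"; bad++ }
        else if (count == 0) { print "FAIL " dn ": ssl-protocol unset, JVM default applies"; bad++ }
        else print "OK   " dn
    }
    END {
        for (d in watch) if (!(d in seen)) print "SKIP " d ": not present in config.ldif"
        exit (bad > 0)
    }' "$1"
}

# Probe a TLS listener: the SSLv3 handshake must fail and TLSv1.2 must succeed.
# An openssl built without SSLv3 rejects -ssl3 outright, which counts as a failure here.
probe_port() {
    host="$1"; port="$2"
    if echo | openssl s_client -connect "$host:$port" -ssl3 >/dev/null 2>&1; then
        echo "FAIL $host:$port still accepts SSLv3"; return 1
    fi
    echo | openssl s_client -connect "$host:$port" -tls1_2 >/dev/null 2>&1 ||
        { echo "FAIL $host:$port does not accept TLSv1.2 either"; return 1; }
    echo "OK   $host:$port refuses SSLv3 and accepts TLSv1.2"
}

# Only run end to end when invoked as: ./poodle-opendj.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_all
    audit_config_ldif "$CONFIG_LDIF"
    probe_port "$DS_HOST" "$DS_LDAPS_PORT"
    probe_port "$DS_HOST" "$DS_ADMIN_PORT"
fi
```

Invoke the script with --apply against a live server; sourcing it only defines the functions, so audit_config_ldif can be run on its own against a copy of config.ldif taken from any server. The probe covers the LDAPS and administration ports only; the replication port is not probed here.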
LDAPS / LDAP / HTTP Connection Handlers
To update the LDAPS Connection Handler, run the following dsconfig command:

$ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-connection-handler-prop --handler-name "LDAPS Connection Handler" --add ssl-protocol:TLSv1 --add ssl-protocol:TLSv1.1 --add ssl-protocol:TLSv1.2 --trustAll --no-prompt

This command gives the LDAPS Connection Handler an explicit ssl-protocol list. When the property has no values (the default) the handler accepts every protocol enabled in the JVM; once values are present, only the listed protocols are negotiated, so SSLv3 is excluded. The corresponding section of config.ldif then looks similar to this:

dn: cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config
...
ds-cfg-ssl-protocol: TLSv1
ds-cfg-ssl-protocol: TLSv1.1
ds-cfg-ssl-protocol: TLSv1.2

The procedure is the same for the LDAP Connection Handler and the HTTP Connection Handler, except for the value of the --handler-name parameter ("LDAP Connection Handler" and "HTTP Connection Handler" respectively). To check the result, read the property back with dsconfig get-connection-handler-prop --handler-name "LDAPS Connection Handler" --property ssl-protocol (using the same connection options), and confirm on the wire that openssl s_client -connect ds1.example.com:636 -ssl3 (636 being the LDAPS port in this example) fails to complete a handshake while the same command with -tls1_2 succeeds.
Administration Connector
To update the Administration Connector, run the following dsconfig command:

$ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-administration-connector-prop --add ssl-protocol:TLSv1 --add ssl-protocol:TLSv1.1 --add ssl-protocol:TLSv1.2 --trustAll --no-prompt

This command gives the Administration Connector an explicit ssl-protocol list; the corresponding section of config.ldif then looks similar to this:

dn: cn=Administration Connector,cn=config
...
ds-cfg-ssl-protocol: TLSv1
ds-cfg-ssl-protocol: TLSv1.1
ds-cfg-ssl-protocol: TLSv1.2

Note that dsconfig itself connects to the Administration Connector over TLS, so the list must include at least one protocol that the JVM running dsconfig supports; if you lock yourself out of the administration port, stop the server and correct the ds-cfg-ssl-protocol values in config/config.ldif directly. After the change, openssl s_client -connect ds1.example.com:4444 -ssl3 should fail to complete a handshake while -tls1_2 succeeds.
Crypto Manager
To update the Crypto Manager, run the following dsconfig command:

$ ./dsconfig --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password set-crypto-manager-prop --add ssl-protocol:TLSv1 --add ssl-protocol:TLSv1.1 --add ssl-protocol:TLSv1.2 --trustAll --no-prompt

This command gives the Crypto Manager an explicit ssl-protocol list; the corresponding section of config.ldif then looks similar to this:

dn: cn=Crypto Manager,cn=config
...
ds-cfg-ssl-protocol: TLSv1
ds-cfg-ssl-protocol: TLSv1.1
ds-cfg-ssl-protocol: TLSv1.2

The Crypto Manager's ssl-protocol governs the secure connections OpenDJ opens itself, namely replication sessions between servers and LDAP Pass Through Authentication connections, so every replica and every pass-through target must accept at least one of the listed protocols. Apply the same change on every server in the replication topology; existing replication sessions keep their negotiated protocol until they reconnect.
See Also
FREAK SSL/TLS Vulnerability and OpenDJ
How do I prevent the use of weak SSL cipher suites on the DS (All versions) replication port?
How do I prevent the use of weak SSL cipher suites on the DS (All versions) administration port?
This POODLE Bites: Exploiting The SSL 3.0 Fallback (PDF)
Related Training
N/A
Related Issue Tracker IDs
N/A