PVCS Version Manager - How to disable SSLv3 and optionally also TLSv1.0 and TLSv1.1, or how to exclusively use TLSv1.2



ID:    S141117
Published:    13 April 2015
Updated:    23 July 2021

Operating System(s)

  • All Unix
  • All Windows

Product(s)

  • PVCS Version Manager
 

Description

This document deals with two security vulnerabilities:
 
  • POODLE (Padding Oracle On Downgraded Legacy Encryption), CVE-2014-3566

    This is the result of a flaw in the SSL 3.0 protocol: the padding of CBC-mode records is not covered by the MAC, which gives a man-in-the-middle a padding oracle with which to decrypt parts of SSL-encrypted communications, such as session cookies, one byte at a time. It can be mitigated by forbidding the SSLv3 protocol for HTTPS connections.
     
  • BEAST (Browser Exploit Against SSL/TLS), CVE-2011-3389

    This leverages a weakness of cipher block chaining as used by SSL 3.0 and TLS 1.0, where the IV of each record is the last ciphertext block of the previous record and is therefore predictable; TLS 1.1 and later use an explicit per-record IV. It can be mitigated by forbidding the TLSv1 (TLSv1.0) protocol for HTTPS connections.

Both vulnerabilities affect any SSL/TLS-encrypted communication, and thus communication with PVCS Version Manager over HTTPS is affected. To resolve both, the SSL 3.0 and TLSv1 protocols should be forbidden for all connections, leaving only TLSv1.1 and TLSv1.2. TLSv1.1 has since been deprecated together with TLSv1.0 (RFC 8996) and brings no cipher suite that TLSv1.2 lacks, so it is preferable to use TLSv1.2 exclusively wherever all clients support it.

For customers who want to make sure their installations are secure, the mitigation steps below secure the Tomcat instance running the Serena VM Web Application Server, and IIS where it is used in front of it.
 
Vulnerability Description

This section gives a high level description of the attack. For a detailed write-up of the specifics refer to https://www.openssl.org/~bodo/ssl-poodle.pdf.

When a client initiates a secure connection to a server there is a negotiation step in which the two agree on a protocol version and a cipher suite. Most connections between modern clients and servers use TLS instead of the outdated SSL. However, in the name of backward compatibility, many clients retry a failed handshake with an older protocol version for maximum interoperability, and servers accept it. This protocol downgrade usually steps down from TLS to SSL 3.0, and an attacker who can tamper with the connection can make the first handshake fail in order to trigger it.

SSL 3.0 has been shown to have vulnerabilities with each of its cipher types (the padding oracle in CBC mode, and the known biases of RC4), so this vulnerability leaves no secure ciphers for the protocol. The end result is that a man-in-the-middle has the potential ability to decrypt information such as secure cookies in web traffic.

For this to work against PVCS VM, a user would have to connect via a compromised network, or visit a malicious web site that makes the browser send requests to the PVCS VM server while the attacker modifies the encrypted records in transit. If a modified record is accepted, the attacker learns one byte of the protected data and repeats the procedure. Even if both server and client support newer standards, the attacker can trigger the protocol downgrade mentioned above so that SSL 3.0 is used.

Resolution

Mitigation Steps for PVCS VM

With this being a protocol bug instead of a product bug, the mitigation step is to remove the usage of these protocols from our web server. This means that if you are using HTTPS to connect to the Serena VM Web Application Server, its Tomcat instance needs to be reconfigured to disallow SSL 3.0 connections (POODLE) as well as TLSv1 (BEAST).

The instructions for doing this follow, grouped by Version Manager release, since the Tomcat and Java versions shipped with each release determine which attribute to edit and which protocols are available.

Serena VM Web Application Server Tomcat Configuration Steps
 
  • VM 8.6.2 - 8.6.3 (Tomcat 8.5 + Java 8) +
    VM 8.6.0 - 8.6.1 (Tomcat 7 + Java 8) +
    VM 8.5.3 (Tomcat 7 + Java 7)

    The POODLE vulnerability is mitigated by default because these VM releases only enable the protocols TLSv1.2, TLSv1.1, TLSv1.0 and SSLv2Hello.

    To mitigate BEAST, TLSv1.0 and the SSLv2Hello pseudo-protocol need to be disabled. Optionally, TLSv1.1 can be disabled as well, leaving just TLSv1.2.
      
    1. Edit the Tomcat server.xml file located at VM_Install_Dir\vm\common\tomcat\conf\server.xml
       
    2. For each defined <Connector> element for HTTPS, locate the directive:
       
      sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"

      To mitigate both POODLE and BEAST, change this to :

      sslEnabledProtocols="TLSv1.2,TLSv1.1"

      WARNING: TLSv1,SSLv2Hello is needed by VM File Server clients prior to VM 8.6 to connect to the File Server via HTTPS. Enabling BEAST mitigation will prevent these clients from connecting, so ensure all clients are running 8.6.0 or newer.

      To also disable TLSv1.1, leaving just TLSv1.2, change it to:

      sslEnabledProtocols="TLSv1.2"

      Example from VM 8.6.3:

      Before:
          <Connector
            port="8443"
            protocol="org.apache.coyote.http11.Http11NioProtocol"
            minSpareThreads="5"
            enableLookups="true"
            disableUploadTimeout="true"
            maxPostSize="31457280"
            acceptCount="100"
            maxThreads="200"
            scheme="https"
            secure="true"
            SSLEnabled="true"
            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
            keystoreFile="$/conf/serena.keystore"
            keystorePass="serena"
            clientAuth="false"
            sslProtocol="TLS"
            URIEncoding="UTF-8"
          />
       
      After:

          <Connector
            port="8443"
            protocol="org.apache.coyote.http11.Http11NioProtocol"
            minSpareThreads="5"
            enableLookups="true"
            disableUploadTimeout="true"
            maxPostSize="31457280"
            acceptCount="100"
            maxThreads="200"
            scheme="https"
            secure="true"
            SSLEnabled="true"
            sslEnabledProtocols="TLSv1.2"
            keystoreFile="$/conf/serena.keystore"
            keystorePass="serena"
            clientAuth="false"
            sslProtocol="TLS"
            URIEncoding="UTF-8"
          />
       
    3. Restart the PVCS Version Manager Web Application Server service or application. (For VM 8.5.3 and 8.6.0, this was still called the Serena VM Web Application Server.)
       
  • VM 8.5.0 - 8.5.2 (Tomcat 7 + Java 7):
     
    1. Edit the Tomcat server.xml file located at VM_Install_Dir\vm\common\tomcat\conf\server.xml
       
    2. For each defined <Connector> element for HTTPS with clientAuth="false", add the following attribute to only mitigate POODLE:
       
      sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"

      To mitigate both POODLE and BEAST, use the following attribute instead:

      sslEnabledProtocols="TLSv1.2,TLSv1.1"

      WARNING: TLSv1,SSLv2Hello is needed by VM File Server clients prior to VM 8.6 to connect to the File Server via HTTPS. Enabling BEAST mitigation will prevent these clients from connecting, so ensure all clients are running 8.6.0 or newer.

      If you would like to disable TLSv1.1 as well, leaving just TLSv1.2, use:

      sslEnabledProtocols="TLSv1.2"

      (This is not part of the following example.)

      For the <Connector> element for HTTPS with clientAuth="true", add the following attribute:
       
      sslEnabledProtocols="TLSv1.2,TLSv1.1"

      Before:

              <Connector port="8443" minSpareThreads="5"
                         enableLookups="true" disableUploadTimeout="true"
                         acceptCount="100"  maxThreads="200"
                         scheme="https" secure="true" SSLEnabled="true"
                         keystoreFile="$/conf/serena.keystore"
                         keystorePass="serena"
                         truststoreFile="$/conf/serena.keystore"                  
                         truststorePass="serena"
                         clientAuth="false" sslProtocol="TLS"/>
                                
              <Connector port="8444" minSpareThreads="5"
                         enableLookups="true" disableUploadTimeout="true"
                         acceptCount="100"  maxThreads="200"
                         scheme="https" secure="true" SSLEnabled="true"
                         keystoreFile="$/conf/serena.keystore"
                         keystorePass="serena"
                         truststoreFile="$/conf/serena.keystore"
                         truststorePass="serena"
                         truststoreAlgorithm="AnyCert"
                         clientAuth="true" sslProtocol="TLS"/>
       
      After:

              <Connector port="8443" minSpareThreads="5"
                         enableLookups="true" disableUploadTimeout="true"
                         acceptCount="100"  maxThreads="200"
                         scheme="https" secure="true" SSLEnabled="true"
                         keystoreFile="$/conf/serena.keystore"
                         keystorePass="serena"
                         truststoreFile="$/conf/serena.keystore"                  
                         truststorePass="serena"
                         clientAuth="false" sslProtocol="TLS"
                         sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"/>
                                
              <Connector port="8444" minSpareThreads="5"
                         enableLookups="true" disableUploadTimeout="true"
                         acceptCount="100"  maxThreads="200"
                         scheme="https" secure="true" SSLEnabled="true"
                         keystoreFile="$/conf/serena.keystore"
                         keystorePass="serena"
                         truststoreFile="$/conf/serena.keystore"
                         truststorePass="serena"
                         truststoreAlgorithm="AnyCert"
                         clientAuth="true" sslProtocol="TLS"
                         sslEnabledProtocols="TLSv1.2,TLSv1.1"/>
       
    3. Restart the Serena VM Web Application Server service or application.
       
  • VM 8.4.4 - 8.4.6 (Tomcat 7 + Java 6):
     
    1. Edit the Tomcat server.xml file located at VM_Install_Dir\vm\common\tomcat\conf\server.xml
       
    2. For each defined <Connector> element for HTTPS with clientAuth="false", add the following attribute:
       
      sslEnabledProtocols="TLSv1,SSLv2Hello"

      (SSLv2Hello is a pseudo-protocol that allows an SSLv2-format ClientHello; VM File Server clients need it in combination with TLSv1 to connect to the File Server via HTTPS.)

      The protocols TLSv1.1 and TLSv1.2 are not listed here because they are not supported by the Java 6 runtime shipped with these releases, making BEAST mitigation impossible on these old VM releases; upgrade to VM 8.5.0 or newer to be able to disable TLSv1.

      For the <Connector> element for HTTPS with clientAuth="true", add the following attribute:
       
      sslEnabledProtocols="TLSv1"

      Before:

              <Connector port="8443" minSpareThreads="5"
                         enableLookups="true" disableUploadTimeout="true"
                         acceptCount="100"  maxThreads="200"
                         scheme="https" secure="true" SSLEnabled="true"
                         keystoreFile="$/conf/serena.keystore"
                         keystorePass="serena"
                         truststoreFile="$/conf/serena.keystore"                  
                         truststorePass="serena"
                         clientAuth="false" sslProtocol="TLS"/>
                                
              <Connector port="8444" minSpareThreads="5"
                         enableLookups="true" disableUploadTimeout="true"
                         acceptCount="100"  maxThreads="200"
                         scheme="https" secure="true" SSLEnabled="true"
                         keystoreFile="$/conf/serena.keystore"
                         keystorePass="serena"
                         truststoreFile="$/conf/serena.keystore"
                         truststorePass="serena"
                         truststoreAlgorithm="AnyCert"
                         clientAuth="true" sslProtocol="TLS"/>
       
      After:

              <Connector port="8443" minSpareThreads="5"
                         enableLookups="true" disableUploadTimeout="true"
                         acceptCount="100"  maxThreads="200"
                         scheme="https" secure="true" SSLEnabled="true"
                         keystoreFile="$/conf/serena.keystore"
                         keystorePass="serena"
                         truststoreFile="$/conf/serena.keystore"                  
                         truststorePass="serena"
                         clientAuth="false" sslProtocol="TLS"
                         sslEnabledProtocols="TLSv1,SSLv2Hello"/>
                                
              <Connector port="8444" minSpareThreads="5"
                         enableLookups="true" disableUploadTimeout="true"
                         acceptCount="100"  maxThreads="200"
                         scheme="https" secure="true" SSLEnabled="true"
                         keystoreFile="$/conf/serena.keystore"
                         keystorePass="serena"
                         truststoreFile="$/conf/serena.keystore"
                         truststorePass="serena"
                         truststoreAlgorithm="AnyCert"
                         clientAuth="true" sslProtocol="TLS"
                         sslEnabledProtocols="TLSv1"/>
       
    3. Restart the Serena VM Web Application Server service or application.
       
  • VM 8.4.0 - 8.4.3 (Tomcat 6 + Java 6):
     
    1. Edit the Tomcat server.xml file located at VM_Install_Dir\vm\common\tomcat\conf\server.xml
       
    2. For each defined <Connector> element for HTTPS with clientAuth="false", add the following attribute:
       
      sslProtocols = "TLSv1,SSLv2Hello"

      (SSLv2Hello is a pseudo-protocol that allows an SSLv2-format ClientHello; VM File Server clients need it in combination with TLSv1 to connect to the File Server via HTTPS.)

      The protocols TLSv1.1 and TLSv1.2 are not listed here because they are not supported by the Java 6 runtime shipped with these releases, making BEAST mitigation impossible on these old VM releases; upgrade to VM 8.5.0 or newer to be able to disable TLSv1.

      For the <Connector> element for HTTPS with clientAuth="true", add the following attribute:
       
      sslProtocols = "TLSv1"

      Before:
       
          <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
                     enableLookups="true" disableUploadTimeout="true"
                     acceptCount="100"  maxThreads="200"
                     scheme="https" secure="true" SSLEnabled="true"
                     keystoreFile="$/conf/serena.keystore"
                     keystorePass="serena" truststoreFile="$/conf/serena.keystore"              
                     truststorePass="serena"
                     clientAuth="false" sslProtocol="TLS"/>
                    
          <Connector port="8444" minSpareThreads="5" maxSpareThreads="75"
                     enableLookups="true" disableUploadTimeout="true"
                     acceptCount="100"  maxThreads="200"
                     scheme="https" secure="true" SSLEnabled="true"
                     keystoreFile="$/conf/serena.keystore" keystorePass="serena"
                     truststoreFile="$/conf/serena.keystore" truststorePass="serena"
                     truststoreAlgorithm="AnyCert"
                     clientAuth="true" sslProtocol="TLS"/>

      After:

          <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
                     enableLookups="true" disableUploadTimeout="true"
                     acceptCount="100"  maxThreads="200"
                     scheme="https" secure="true" SSLEnabled="true"
                     keystoreFile="$/conf/serena.keystore"
                     keystorePass="serena" truststoreFile="$/conf/serena.keystore"              
                     truststorePass="serena"
                     clientAuth="false" sslProtocol = "TLS"
                     sslProtocols = "TLSv1,SSLv2Hello"/>
                    
          <Connector port="8444" minSpareThreads="5" maxSpareThreads="75"
                     enableLookups="true" disableUploadTimeout="true"
                     acceptCount="100"  maxThreads="200"
                     scheme="https" secure="true" SSLEnabled="true"
                     keystoreFile="$/conf/serena.keystore" keystorePass="serena"
                     truststoreFile="$/conf/serena.keystore" truststorePass="serena"
                     truststoreAlgorithm="AnyCert"
                     clientAuth="true" sslProtocol="TLS"
                     sslProtocols = "TLSv1"/>
       
    3. Restart the Serena VM Web Application Server service or application.
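A small audit script that checks the edit described in all of the release-specific steps above. It is an added example in Python and is not part of the KB article or of the Version Manager product. It reads a server.xml and reports, for every SSLEnabled connector, which of the legacy protocols are still on, plus the attribute value the article recommends for the chosen policy ("poodle", "beast" or "tls12"). It understands the Tomcat 7/8.5 attribute sslEnabledProtocols, the Tomcat 6 attribute sslProtocols, and the Tomcat 8.5 SSLHostConfig protocols form; the embedded server.xml is constructed for the example and trimmed to the attributes that matter.

```python
"""Audit a Tomcat server.xml for HTTPS connectors that still accept legacy
SSL/TLS versions.

Added example (Python), not code from the KB article or from PVCS Version
Manager. It inspects the attributes the article tells you to edit:
  - sslEnabledProtocols on <Connector>      (Tomcat 7 / 8.5; VM 8.4.4 and later)
  - sslProtocols on <Connector>             (Tomcat 6; VM 8.4.0 - 8.4.3)
  - protocols on a nested <SSLHostConfig>   (Tomcat 8.5 alternative form)
SAMPLE_SERVER_XML is constructed for this example.
"""
import sys
import xml.etree.ElementTree as ET

# Protocol tokens as Tomcat/JSSE spells them, grouped by the finding they cause.
POODLE_TOKENS = {"SSLv3"}
BEAST_TOKENS = {"TLSv1", "TLSv1.0", "SSLv2Hello"}
TLS11_TOKENS = {"TLSv1.1"}

# The attribute values the article recommends, by policy.
POLICIES = {
    "poodle": "TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello",  # SSLv3 off; pre-8.6 clients still work
    "beast": "TLSv1.2,TLSv1.1",                    # also TLSv1 and SSLv2Hello off
    "tls12": "TLSv1.2",                            # TLSv1.2 only
}

# Constructed sample: one connector still carrying the shipped default list,
# one client-certificate connector with no protocol list at all.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"/>
    <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="true" sslProtocol="TLS"/>
  </Service>
</Server>
"""


def split_protocols(value):
    """Tomcat takes a comma-separated list; tolerate stray whitespace."""
    return [tok.strip() for tok in value.split(",") if tok.strip()]


def effective_protocols(connector):
    """Return (attribute_name, tokens) for a connector.

    (None, None) means server.xml sets no explicit list, so the JVM's JSSE
    defaults apply; on the Java 6/7 runtimes of older VM releases those
    defaults include SSLv3, which is why the article has you add the attribute.
    """
    for attr in ("sslEnabledProtocols", "sslProtocols"):
        if attr in connector.attrib:
            return attr, split_protocols(connector.attrib[attr])
    host_cfg = connector.find("SSLHostConfig")
    if host_cfg is not None and "protocols" in host_cfg.attrib:
        return "SSLHostConfig/protocols", split_protocols(host_cfg.attrib["protocols"])
    return None, None


def audit(server_xml_text, policy="tls12"):
    """Return one dict per SSLEnabled connector with its findings."""
    root = ET.fromstring(server_xml_text)
    results = []
    for conn in root.iter("Connector"):
        if conn.attrib.get("SSLEnabled", "false").lower() != "true":
            continue
        attr, tokens = effective_protocols(conn)
        findings = []
        if tokens is None:
            findings.append("no explicit protocol list; JSSE defaults apply (may include SSLv3)")
        else:
            enabled = set(tokens)
            everything = "all" in enabled  # Tomcat 8.5 keyword meaning every JSSE protocol
            if everything or enabled & POODLE_TOKENS:
                findings.append("SSLv3 enabled (POODLE)")
            if everything or enabled & BEAST_TOKENS:
                findings.append("TLSv1/SSLv2Hello enabled (BEAST)")
            if everything or enabled & TLS11_TOKENS:
                findings.append("TLSv1.1 enabled (deprecated)")
        results.append({
            "port": conn.attrib.get("port"),
            "clientAuth": conn.attrib.get("clientAuth", "false"),
            "attribute": attr,
            "protocols": tokens,
            "findings": findings,
            "recommended": POLICIES[policy],
        })
    return results


def report(results):
    """Print a human-readable summary; return how many connectors need work."""
    bad = 0
    for r in results:
        status = "OK" if not r["findings"] else "; ".join(r["findings"])
        bad += bool(r["findings"])
        print(f'port {r["port"]} (clientAuth={r["clientAuth"]}): {status}')
        if r["findings"]:
            print(f'    set {r["attribute"] or "sslEnabledProtocols"}="{r["recommended"]}"')
    return bad


if __name__ == "__main__":
    # Usage: python audit_tomcat_tls.py [path/to/server.xml] [poodle|beast|tls12]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    policy = sys.argv[2] if len(sys.argv) > 2 else "tls12"
    sys.exit(1 if report(audit(text, policy)) else 0)
```

Run it against VM_Install_Dir\vm\common\tomcat\conf\server.xml before and after the edit; a non-zero exit status means at least one HTTPS connector still needs attention. A connector with no protocol attribute at all is reported as a finding on purpose, since in that case the JVM, not server.xml, decides which versions are accepted.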
 
IIS Configuration Steps

If the Serena VM Web Application Server has been configured for access via IIS (Internet Information Services) and IIS is accessed using HTTPS, IIS itself also needs to be secured, since the browser then negotiates the protocol with IIS (Schannel) rather than with Tomcat.
 
The following steps are taken from these articles:
 
 
  1. Click Start, click Run, type regedit, and then click OK.
     
  2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
     
  3. Right click on Protocols -> New -> Key and name the new key SSL 3.0
     
  4. Under the key above, create two additional keys named Client and Server
     
  5. Under each of the Client and Server keys, create a DWORD (32-bit) value called Enabled

    DWORD (32-bit) Value  
    Value name: Enabled  
    Value data: 0

    Value data can be set to "1" - Enabled or "0" - Disabled
     
  6. Right click on Protocols -> New -> Key and name the new key TLS 1.0
     
  7. Under the key above, create two additional keys named Client and Server
     
  8. Under each of the Client and Server keys, create a DWORD (32-bit) value called Enabled

    DWORD (32-bit) Value  
    Value name: Enabled  
    Value data: 0

    Value data can be set to "1" - Enabled or "0" - Disabled

    To also disable TLS 1.1, repeat steps 6 to 8 for a key named TLS 1.1. Do not create such an entry for TLS 1.2: at least one protocol must remain enabled, or IIS cannot accept any HTTPS connection at all.

    The Server subkey controls what IIS accepts from browsers; the Client subkey controls which protocols this machine offers when it makes outbound TLS connections itself, for example when IIS forwards requests to Tomcat over HTTPS. Make sure the Tomcat connector and the Client setting still have a protocol in common.
     
  9. Restart the computer to implement the change.
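The registry procedure above is a natural candidate for scripting so that it is applied identically on every IIS host. The script below is an added example in Python, not from the KB article or from Microsoft. It renders the same values the manual steps set (Enabled=0 under the Client and Server subkeys of SSL 3.0 and TLS 1.0, optionally TLS 1.1 as well) into a .reg file that an administrator imports with reg import or regedit /s before rebooting. Two additions are this example's own choice rather than part of the article: it also sets the companion Schannel value DisabledByDefault=1 for each disabled protocol, and it explicitly keeps TLS 1.2 enabled so the machine is never left without a usable protocol.

```python
"""Produce a .reg file with the Schannel changes described in the IIS steps.

Added example (Python), not from the KB article. It emits the values the
manual procedure sets (Enabled=0 under Client and Server of "SSL 3.0" and
"TLS 1.0"), optionally also for "TLS 1.1", and additionally sets
DisabledByDefault=1 for each disabled protocol and keeps "TLS 1.2" enabled
(those two additions are this example's choice). Importing the file and
rebooting is left to the administrator.
"""
import sys

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"


def schannel_plan(disable_tls11=False):
    """Return an ordered list of (protocol, side, value_name, dword) to set."""
    disabled = ["SSL 3.0", "TLS 1.0"] + (["TLS 1.1"] if disable_tls11 else [])
    plan = []
    for proto in disabled:
        for side in ("Client", "Server"):
            plan.append((proto, side, "Enabled", 0))            # what the article sets
            plan.append((proto, side, "DisabledByDefault", 1))  # added: never offered by default
    for side in ("Client", "Server"):
        plan.append(("TLS 1.2", side, "Enabled", 1))            # added: keep one protocol on
        plan.append(("TLS 1.2", side, "DisabledByDefault", 0))
    return plan


def to_reg_file(plan):
    """Render the plan in Registry Editor 5.00 syntax: values grouped per key, CRLF line ends."""
    lines = ["Windows Registry Editor Version 5.00"]
    current_key = None
    for proto, side, name, value in plan:
        key = f"[{SCHANNEL}\\{proto}\\{side}]"
        if key != current_key:
            lines += ["", key]
            current_key = key
        lines.append(f'"{name}"=dword:{value:08x}')
    return "\r\n".join(lines) + "\r\n"


def write_reg_file(path, text):
    """regedit exports version 5.00 files as UTF-16 with a BOM; write the same so it imports cleanly."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Usage: python schannel_reg.py out.reg [--tls11]
    text = to_reg_file(schannel_plan(disable_tls11="--tls11" in sys.argv))
    write_reg_file(sys.argv[1], text)
    print(text)
```

Review the generated file before importing it; the Client entries apply to outbound connections made by the IIS host as well, exactly as in the manual steps.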

 

Potential Side Effects

While the risk of breakage is quite small, customers still need to be aware of the potential for problems to arise. Specifically, very old web browser clients that do not support the remaining TLS versions (TLSv1.1 and TLSv1.2, or only TLSv1.2) will no longer be able to connect to the Serena VM Web Application Server; the same applies to any other HTTPS client of the server, such as scripts or monitoring tools built on an old TLS stack.
 
If the protocol combination "TLSv1,SSLv2Hello" is removed from the HTTPS connector to mitigate BEAST and this connector is used by File Server clients prior to VM 8.6, these clients will no longer be able to connect to the server, displaying errors similar to:
 
Error communicating with file server "https://ServerName:8443/serenafs/FileServer;": An SSL error occured. SOAP FAULT: SOAP-ENV:Client "SSL_ERROR_SSL
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" Detail: SSL connect failed in tcp_connect().

 
or

Error communicating with file server "https://ServerName:8443/serenafs/FileServer;": An SSL error occured. SOAP FAULT: SOAP-ENV:Client "SSL_ERROR_SSL
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol" Detail: SSL connect failed in tcp_connect().
 
File Server clients running VM 8.6 or newer do not need TLSv1,SSLv2Hello. To mitigate BEAST, ensure all VM clients are running VM 8.6 or newer.
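After the change and the restart, check what the connector actually negotiates rather than trusting the edit. The probe below is an added example in Python, not from the KB article; the host name vm.example.com and port 8443 are assumptions, pass your own. Each attempt pins a single protocol version on the client side, so a version the server has disabled shows up as a rejected handshake, the same "handshake failure" alert quoted in the File Server client errors above, while an accepted version proves it is still enabled. Certificate verification is deliberately off because this checks protocol acceptance only, and VM ships a self-signed keystore.

```python
"""Probe which SSL/TLS versions an HTTPS endpoint still accepts.

Added example (Python), not from the KB article. Each attempt offers exactly
one protocol version, so the server's answer tells you whether that version
is still enabled. "vm.example.com" is an assumed host name.
"""
import socket
import ssl
import sys
import warnings

# ssl.TLSVersion members keyed by the protocol names this article uses.
VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def pinned_context(version):
    """Client context that offers only `version`.

    Certificate validation is off on purpose: this checks protocol acceptance,
    not server identity. Raises ValueError if the local OpenSSL cannot offer
    the version at all (typical for SSLv3 on current builds).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # OpenSSL 3 refuses TLS < 1.2 at its default security level; lower it so
        # the probe genuinely offers the old version instead of failing locally.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL / older builds do not know @SECLEVEL
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # old versions are deprecated in ssl
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx


def probe(host, port, name, timeout=5.0):
    """Return 'accepted', 'rejected (<reason>)', 'unsupported' or 'error: <reason>'."""
    try:
        ctx = pinned_context(VERSIONS[name])
    except ValueError:
        return "unsupported"  # local OpenSSL cannot even offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() == name else f"accepted as {tls.version()}"
    except ssl.SSLError as exc:
        reason = exc.reason or str(exc)
        if "NO_PROTOCOLS_AVAILABLE" in reason:
            return "unsupported"  # local side refused before talking to the server
        # Typical server refusals: SSLV3_ALERT_HANDSHAKE_FAILURE, TLSV1_ALERT_PROTOCOL_VERSION
        return f"rejected ({reason})"
    except OSError as exc:
        return f"error: {exc}"  # TCP-level problem, not a TLS answer


def probe_all(host, port, timeout=5.0):
    """Map each version name to its probe result, oldest first."""
    return {name: probe(host, port, name, timeout) for name in VERSIONS}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "vm.example.com"  # assumed host name
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    for name, result in probe_all(host, port).items():
        print(f"{name:8s} {result}")
```

With the TLSv1.2-only configuration from the Tomcat steps, the expected picture is "accepted" for TLSv1.2 and "rejected" for everything older; "unsupported" only says that the machine running the probe cannot speak that version, which tells you nothing about the server, so run the probe from a host with an OpenSSL that still offers TLSv1.0 when you need a definitive answer for it.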

 

