dhis2-devs team mailing list archive

ssl vulnerability

 

Hi server admins,

Google today published a vulnerability in SSL which could allow an attacker
to decrypt "secure" connections:

http://googleonlinesecurity.blogspot.se/2014/10/this-poodle-bites-exploiting-ssl-30.html

For a dhis system the most practical solution is to simply disable SSL and
rely on TLS, as it's mostly Internet Explorer 6 that does not support TLS,
and DHIS 2 does not support IE 6 anyway.

I have upgraded the nginx installation docs here
<https://www.dhis2.org/doc/snapshot/en/implementer/html/ch08s03.html#d5e590>.
To disable SSL and add support for all TLS versions you can change this line:

ssl_protocols              SSLv3 TLSv1.1 TLSv1.2;


to this:

ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;


regards,

Lars
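
An added example, not part of the original message: a Python script that audits nginx configuration text for `ssl_protocols` directives that still list SSLv2/SSLv3 and drops those entries. The function names, the sample config and the fallback to the message's TLS list when nothing else remains are assumptions of this example.

```python
import re

# Protocol names that are SSL rather than TLS.
LEGACY_SSL = {"SSLv2", "SSLv3"}
# Replacement list from the message above, used only if no TLS entry remains.
PAGE_TLS_LIST = ["TLSv1", "TLSv1.1", "TLSv1.2"]
# A directive may span several lines; it ends at the first ';'.
DIRECTIVE = re.compile(r"(^|[\s;{}])ssl_protocols\s+([^;]*);", re.MULTILINE)


def strip_comments(text):
    """Blank out '#' comments while keeping offsets and line numbers.
    Simplification: a '#' inside a quoted string is treated as a comment."""
    return re.sub(r"#[^\n]*", lambda m: " " * len(m.group()), text)


def audit(text):
    """Return [(line_number, [legacy protocols])] per offending directive."""
    clean = strip_comments(text)
    findings = []
    for m in DIRECTIVE.finditer(clean):
        legacy = [p for p in m.group(2).split() if p in LEGACY_SSL]
        if legacy:
            name_pos = m.start() + len(m.group(1))
            findings.append((clean.count("\n", 0, name_pos) + 1, legacy))
    return findings


def remediate(text):
    """Return the config with SSLv2/SSLv3 removed from every ssl_protocols."""
    clean = strip_comments(text)  # same offsets as the original text
    out, last = [], 0
    for m in DIRECTIVE.finditer(clean):
        protos = m.group(2).split()
        kept = [p for p in protos if p not in LEGACY_SSL]
        if kept != protos:
            out.append(text[last:m.start(2)])
            out.append(" ".join(kept or PAGE_TLS_LIST))
            last = m.end(2)
    out.append(text[last:])
    return "".join(out)


# Constructed sample config; the first server block uses the line quoted above.
SAMPLE = """\
server {
    listen 443 ssl;
    # ssl_protocols SSLv2 SSLv3;   (commented out, must be ignored)
    ssl_protocols              SSLv3 TLSv1.1 TLSv1.2;
}
"""
```

After writing the remediated text back, `nginx -t` checks the configuration before a reload.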
