dhis2-devs team mailing list archive

Thread
Date

ssl vulnerability

To: DHIS 2 Developers list <dhis2-devs@xxxxxxxxxxxxxxxxxxx>, DHIS 2 Users list <dhis2-users@xxxxxxxxxxxxxxxxxxx>
From: Lars Helge Øverland <larshelge@xxxxxxxxx>
Date: Wed, 15 Oct 2014 19:03:24 +0200

Hi server admins,

Google today published a vulnerability in SSL which could allow an attacker
to decrypt "secure" connections:

http://googleonlinesecurity.blogspot.se/2014/10/this-poodle-bites-exploiting-ssl-30.html

For a dhis system the most practical solution is to simply disable SSL and
rely on TLS, as it's mostly Internet Explorer 6 that does not support TLS,
and DHIS 2 does not support IE 6 anyway.

I have upgraded the nginx installation docs here
<https://www.dhis2.org/doc/snapshot/en/implementer/html/ch08s03.html#d5e590>.
To disable SSL and add support for all TLS version you can change this line:

ssl_protocols              SSLv3 TLSv1.1 TLSv1.2;


to this:

ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;


regards,

Lars

Follow ups

Re: ssl vulnerability
From: Dan, 2014-10-15