dhis2-devs team mailing list archive

Re: ssl vulnerability

 

If you’re running Apache, the fix is to update the following line in your SSL config, usually in /etc/httpd/conf.d/ssl.conf:

SSLProtocol all -SSLv2 -SSLv3



Dan Cocos
BAO Systems
www.baosystems.com
T: +1 202-352-2671 | skype: dancocos

On Oct 15, 2014, at 1:03 PM, Lars Helge Øverland <larshelge@xxxxxxxxx> wrote:

> Hi server admins,
> 
> Google today published a vulnerability in SSL which could allow an attacker to decrypt "secure" connections:
> 
> http://googleonlinesecurity.blogspot.se/2014/10/this-poodle-bites-exploiting-ssl-30.html
> 
> For a dhis system the most practical solution is to simply disable SSL and rely on TLS, as it's mostly Internet Explorer 6 that does not support TLS, and DHIS 2 does not support IE 6 anyway.
> 
> I have upgraded the nginx installation docs here. To disable SSL and add support for all TLS versions, you can change this line:
> ssl_protocols              SSLv3 TLSv1.1 TLSv1.2;
> 
> to this:
> ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
> 
> regards,
> 
> Lars
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
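
An added example, not part of either message in this thread: a small Python audit that reads Apache `SSLProtocol` and nginx `ssl_protocols` lines and reports whether SSLv3 is still enabled. It assumes `all` expands to SSLv2 through TLSv1.2 and conservatively treats a bare protocol name as enabling that protocol; the function names are illustrative.

```python
import re

# Assumption: the protocols "all" expands to on an Apache build of this era.
ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
# Matches an uncommented Apache or nginx protocol directive and its arguments.
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.I)

def enabled_protocols(line):
    """Return (directive, set of enabled protocols), or None for other lines."""
    m = DIRECTIVE.match(line)
    if not m:
        return None
    name, enabled = m.group(1), set()
    for token in m.group(2).split():
        # "-" removes; "+" or a bare name adds (conservative simplification).
        remove = token.startswith("-")
        proto = token.lstrip("+-").lower()
        group = ALL if proto == "all" else {proto}
        enabled = enabled - group if remove else enabled | group
    return name, enabled

def audit(config_text):
    """List (line_no, directive, sslv3_enabled) for every protocol directive."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        parsed = enabled_protocols(line)
        if parsed:
            findings.append((no, parsed[0], "sslv3" in parsed[1]))
    return findings

# The first three lines are the directives quoted in the thread;
# the last one is constructed to show an Apache line that still allows SSLv3.
SAMPLE = """\
SSLProtocol all -SSLv2 -SSLv3
ssl_protocols              SSLv3 TLSv1.1 TLSv1.2;
ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol all -SSLv2
"""

if __name__ == "__main__":
    for no, directive, weak in audit(SAMPLE):
        print(f"line {no}: {directive}: {'SSLv3 ENABLED' if weak else 'ok'}")
```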

