← Back to team overview

dhis2-users team mailing list archive

Re: [Dhis2-devs] ssl vulnerability

 

You can check if you re safe using this free tool :
https://www.tinfoilsecurity.com/poodle

regards,
---------
J. Paul Mutali
skype: mutali.rw



On Wed, Oct 15, 2014 at 7:11 PM, Dan <dan@xxxxxxxxxxxx> wrote:

> If you’re running apache
> The fix is to update the following line in your  SSL config usually in
> /etc/httpd/conf.d/ssl.conf
>
> SSLProtocol all -SSLv2 -SSLv3
>
>
>
> *Dan Cocos*
> BAO Systems
> www.baosystems.com
> T: +1 202-352-2671 | skype: dancocos
>
> On Oct 15, 2014, at 1:03 PM, Lars Helge Øverland <larshelge@xxxxxxxxx>
> wrote:
>
> Hi server admins,
>
> Google today published a vulnerability in SSL which could allow an
> attacker to decrypt "secure" connections:
>
>
> http://googleonlinesecurity.blogspot.se/2014/10/this-poodle-bites-exploiting-ssl-30.html
>
> For a dhis system the most practical solution is to simply disable SSL and
> rely on TLS, as it's mostly Internet Explorer 6 that does not support TLS,
> and DHIS 2 does not support IE 6 anyway.
>
> I have upgraded the nginx installation docs here
> <https://www.dhis2.org/doc/snapshot/en/implementer/html/ch08s03.html#d5e590>.
> To disable SSL and add support for all TLS version you can change this line:
>
> ssl_protocols              SSLv3 TLSv1.1 TLSv1.2;
>
>
> to this:
>
> ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
>
>
> regards,
>
> Lars
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>

References