Wednesday, November 5, 2014

Disabling SSLv3 for OSG VOMS Admin Server

The OSG Security team has concluded that the POODLE SSLv3 vulnerability
is not a *critical* concern to OSG software installations. Most services
are not affected, and those that are affected are difficult to exploit in
a meaningful way. Nonetheless, the recommendation is to disable support
for SSLv3 where reasonable.

OSG software includes VOMS Admin Server (currently, version 2.7.0), which
runs within Tomcat. By default Tomcat allows SSLv3 connections, but that
is easy to change. To disable SSLv3 support from a Tomcat instance that
contains VOMS Admin Server, add a "protocols" configuration attribute to
/etc/tomcat[56]/server.xml as follows (in diff format, sort of):

maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1"
+ protocols="TLSv1.1,TLSv1.2"
crlEnabled="true" crlRequired="true"/>

Note: OSG Software has tested this change only for a Tomcat instance that
is running VOMS Admin Server. But the change affects Tomcat itself and
thus affects all web applications running within that instance. So for
now, we recommend making this change to Tomcat instances that run only
VOMS Admin Server. There are known issues with applying this change to a
Tomcat instance that runs GUMS, in that dCache clients (at least) fail to
work with the changed GUMS server.