SCM-Manager and the POODLE vulnerability

Posted on 2014-10-18 by Sebastian Sdorra


If you are using scm-server with a configured https connector, please be sure that you exclude the SSLv3 protocol to avoid the POODLE vulnerability.

Add the following XML elements to your https connector in your server-config.xml:

<Arg>
  <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="excludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv2Hello</Item>
        <Item>SSLv3</Item>
      </Array>
    </Set>
  </New>
</Arg>

The complete connector section should now look like the following:

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg>
          <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
            <Set name="excludeProtocols">
              <Array type="java.lang.String">
                <Item>SSLv2Hello</Item>
                <Item>SSLv3</Item>
              </Array>
            </Set>
          </New>
        </Arg>
        <Set name="Port">8181</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="requestHeaderSize">16384</Set>
        <Set name="keystore"><SystemProperty name="basedir" default="." />/conf/keystore.jks</Set>
        <Set name="password">yourpassword</Set>
        <Set name="keyPassword">yourpassword</Set>
        <Set name="truststore"><SystemProperty name="basedir" default="." />/conf/keystore.jks</Set>
        <Set name="trustPassword">yourpassword</Set>
      </New>
    </Arg>
  </Call>
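
To check a server-config.xml for connectors that still lack the exclusion, the following added example (not part of the original post or of SCM-Manager) parses the Jetty XML and reports, per SSL connector port, which of the two protocols above are not excluded. The function name audit_connectors and the second connector on port 8443 in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED = {"SSLv2Hello", "SSLv3"}  # the two entries the post excludes

def audit_connectors(xml_text):
    """Map each SSL connector's port to the protocols it fails to exclude."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("New"):
        if not conn.get("class", "").endswith("SslSelectChannelConnector"):
            continue
        excluded = set()
        # The SslContextFactory is passed as a constructor <Arg> of the connector.
        for factory in conn.findall("Arg/New"):
            if factory.get("class", "").endswith("SslContextFactory"):
                for s in factory.findall("Set[@name='excludeProtocols']"):
                    excluded |= {(i.text or "").strip() for i in s.iter("Item")}
        port = conn.findtext("Set[@name='Port']", "?")
        findings[port] = sorted(REQUIRED - excluded)
    return findings

# Constructed sample: 8181 is configured as in the post, 8443 has no exclusion.
SAMPLE = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg>
        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
          <Set name="excludeProtocols">
            <Array type="java.lang.String">
              <Item>SSLv2Hello</Item>
              <Item>SSLv3</Item>
            </Array>
          </Set>
        </New>
      </Arg>
      <Set name="Port">8181</Set>
    </New>
  </Arg></Call>
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Set name="Port">8443</Set>
    </New>
  </Arg></Call>
</Configure>
"""

if __name__ == "__main__":
    for port, missing in audit_connectors(SAMPLE).items():
        print(port, "OK" if not missing else "not excluded: " + ", ".join(missing))
```

An empty list for a port means both protocols are excluded on that connector; restart scm-server after changing the file so the connector picks up the new settings.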

More information on how to configure https with SCM-Manager can be found here:


Posted in scm-manager, security