scottie1001

SSL v3 POODLE vulnerablity

Discussion created by scottie1001 on Nov 21, 2014

From the ESRI blog:

MAJOR UPDATE 10/24/14 – On October 14, 2014, a security vulnerability involving SSL v3 was revealed called POODLE (CVE-2014-3566).  SSL v3 is estimated to be utilized by less than 2% of Internet users at this time, many of those users have browsers as old as IE6 (which is not supported across most products, and does not support the TLS protocol).

ArcGIS Online: Esri has disabled SSL v3 for all ArcGIS Online web service endpoints and is not vulnerable to POODLE attacks.

ArcGIS Server & Portal for ArcGIS: Current versions of these products handle HTTPS requests that allow fallback to SSL v3; howeverEsri recommends that production implementations include the ArcGIS web adaptor in front of them to terminate encrypted connections with clients based on the web server it is deployed to.  Each web server vendor has specific guidance for how to disable SSL v3 with their products.  For your convenience we have provided links to some of the common web servers utilized in the references section below.

Browsers: The POODLE vulnerability requires that both servers and browsers have SSL v3 enabled.  As a security precaution beyond our products, we recommend customers disable SSLv3 within their browser settings where it is possible for them to do so.

Future Builds: Esri has already disabled SSL v3 for the upcoming ArcGIS 10.3 release.  All browser versions supported with the ArcGIS Platform support TLS, and will work without issue.  All versions of Python included with the ArcGIS Platform since 10.0 support TLS, therefore most custom scripts should continue to work.

- The Security Standards & Architecture Team

The part I put in red text is an issue.  We've installed the prerelease as an upgrade to one of our 10.2.2 servers and SSL v3 still works just fine.

 

I was able to disable it, however, ESRI does not condone nor support modifying the built in Tomcat server.  For those of you wishing to chance it like me, here are the instructions.

 

  1. Open <install directory>\ArcGIS\Server\framework\runtime\tomcat\conf\server.xml in a text editor
  2. Find the line that begins with "<Connector SSLEnabled="true"
  3. In that line, replace sslProtocols="TLS" with sslEnabledProtocols="TLSv1, TLSv1.1, TSLv1.2"
  4. Restart ArcGIS Server

Outcomes