KB Article #176529
API Gateway and Poodle SSL Issue (CVE-2014-3566)
Problem
The Poodle SSL security vulnerability (CVE-2014-3566) has been discussed at length among security experts and the recommended action is to completely disable SSLv3 for product communication in favour of TLS protocols.Further reading:-
POODLE: SSLv3 vulnerability (CVE-2014-3566)
SSL 3.0 Protocol Vulnerability and POODLE Attack
This POODLE Bites: Exploiting The SSL 3.0 Fallback
Resolution
API Gateway 7.3.1 is built with OpenSSL 1.0.1h. This can be checked by running the following command from the apigateway/posix/bin directory$ ./vrun openssl versionOpenSSL 1.0.1h 5 Jun 2014Incoming HTTPS listener interfaces can have SSLv3 switched off via a tick box in the advanced tab from within Policy Studio.
The HTTPS interface and Connection filters both have a ciphers field in their advanced tab that can be used to further restrict the set of SSL/TLS ciphers that can be used. This field takes the form of an Openssl ciphers string.
https://www.openssl.org/docs/apps/ciphers.html
The full list of ciphers available on any API Gateway installation can be found.
.
/vrun openssl ciphers -v 'ALL'The default ciphers available :-
./vrun openssl ciphers -v 'DEFAULT'A list of ciphers without SSLv3/SSLv2
./vrun openssl ciphers -v 'ALL:!SSLv3:!SSLv2'The cipher string can be inserted in the cipher field of the HTTPS interface above or the connection filter below to disable SSLv3 being presented during SSL handshakes.
Note that in OpenSSL TLSv1 and SSLv3 use the same cipher short names and the protocols cannot be separated with a cipher string. HTTPS interfaces should use the ssl/tls tick boxes instead to disable SSLv3.
Make sure that clients can support TLSv1, TLSv1.1 or TLSv1.2 when SSLv3 has been disabled