Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-1945734.1
Update Date:2017-09-21
Keywords:

Solution Type  Technical Instruction Sure

Solution  1945734.1 :   Procedure of HowTo to disable SSLv3 on Oracle Communications EAGLE EPAP 15.0.x  


Related Items
  • Oracle Communications EAGLE (Software)
Related Categories
  • PLA-Support>Sun Systems>CommsGBU>Global Signaling Solutions>SN-SND: Tekelec OS EPAP ECAP


This document provides details on the configuration changes necessary to mitigate the security vulnerability referenced by CVE-2014-3566.
Oracle Communications EAGLE Application Processor Version 15.0.1; 15.0.2; 15.0.3

In this Document
Goal
Solution


Applies to:

Oracle Communications EAGLE (Software) - Version EPAP 15.0 to EPAP 15.0 [Release EPAP 15.0]
Tekelec
Oracle Communications EAGLE Application Processor Version 15.0.1
Oracle Communications EAGLE Application Processor Version 15.0.2
Oracle Communications EAGLE Application Processor Version 15.0.3

Goal

This document provides details on the configuration changes necessary to mitigate the security vulnerability referenced by CVE-2014-3566.

Solution

The following steps will configure an EPAP server to not accept the SSLv3 protocol and instead use TLS. Read and understand the following notes prior to beginning the procedure.

Notes:

  • These procedures are applicable only when HTTPS is enabled on the server.
  • 443 is the default SSL port. If you have modified it to something else, please use the configured port in the commands in these procedures.
  • In case of ELAP the IP address used in these procedures should be the Virtual IP (VIP).
  • The version of the openssl package currently used in EPAP is 0.9.8e-27.el5_10.3. This version only supports TLS v1.0.

The following table lists the server types and which procedure(s) are applicable:

Server Type      SSL Server        Procedure
EPAP Server A    Apache (httpd)    Procedure 1
EPAP Server B    Apache (httpd)    Procedure 1

Procedure 1:

Step #  Steps

1.  Check the current SSL configuration

    1. Log in as root on the server console:

       login: root
       Password: <current root password>

    2. Check if the server supports SSLv3:

       # openssl s_client -connect <IP Address>:443 -ssl3

       If the connection succeeds, SSLv3 is enabled.

       If SSLv3 is enabled, continue; otherwise skip to step 3: Verifying TLS.

       If the connection succeeds, the output in the command window will be something like:

       New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
       Server public key is 1024 bit
       Secure Renegotiation IS supported
       Compression: NONE
       Expansion: NONE
       SSL-Session:
       Protocol : SSLv3
       Cipher : DHE-RSA-AES256-SHA
       Session-ID: 11F0EC8DF848007A8B8F51351734EF4DFEE6934F685FF10206A3CA9737FBE8F4

       The "Protocol" line under SSL-Session shows the negotiated protocol version. The "New, TLSv1/SSLv3" line is also printed for TLS connections, so it does not by itself indicate SSLv3.

       If the connection fails, you should see in the command window something like:

       26914:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40
       26914:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:
2.  Modifying the configuration

    1. Open /etc/httpd/conf.d/ssl.conf and append "-SSLv3" to the SSLProtocol list. Update ALL the instances of SSLProtocol.

       a. Include the following line in the configuration among the other SSL directives:

          SSLProtocol All -SSLv2 -SSLv3

    2. Verify that the new configuration is correct:

       # apachectl configtest
       httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.61.45 for ServerName
       Syntax OK

    3. Restart the apache (httpd) server:

       # service httpd restart
       Stopping httpd: [ OK ]
       Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using <IP Address> for ServerName
       [ OK ]

    4. Check if the server supports SSLv3:

       # openssl s_client -connect <IP Address>:443 -ssl3

       The connection should fail.

3.  Verify that browser supports TLS

    1. Access the EPAP GUI application using HTTPS and make sure that it is working fine.

    2. Ensure the browser is only using TLS by modifying the settings:

       a. In Internet Explorer, you can disable SSL/TLS protocols from Internet Options > Advanced.

          [Figure: IE_OPTIONS]

       b. Firefox provides this via the advanced settings in about:config.

          security.tls.version can take the following values:

          0 - SSLv3 (set max and min value to this for SSLv3 only support)
          1 - TLSv1.0
          2 - TLSv1.1
          3 - TLSv1.2

          [Figure: FIREFOX_CONFIG_FIG2]

    3. What you will see in the browser when the website/server only supports TLS (does not support SSLv3):

       [Figure: Secure_Connection_Failed]
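
Step 2 requires that ALL instances of SSLProtocol in ssl.conf carry -SSLv3, and a missed instance is easy to overlook by eye. The following is an added example, not part of Oracle's procedure: a shell function (the name sslv3_offenders and the sample file are constructed for illustration) that lists every SSLProtocol line that would still leave SSLv3 enabled, assuming "All" includes SSLv3 as it does on the server this procedure targets.

```shell
# Added example, not Oracle's code: print every SSLProtocol directive in an
# Apache config file that still leaves SSLv3 enabled.
# Assumptions: "All" includes SSLv3 (the reason the procedure appends -SSLv3),
# and tokens apply left to right as in mod_ssl: no prefix replaces the set,
# "+" adds a protocol, "-" removes one.
# Exit status: 0 = no offender, 1 = offender(s) printed, 2 = no directive found.
sslv3_offenders() {
    awk -v f="$1" '
    tolower($1) == "sslprotocol" {        # directive names are case-insensitive
        seen++
        sslv3 = 0
        for (i = 2; i <= NF; i++) {
            tok = tolower($i)
            op = substr(tok, 1, 1)
            if (op == "+" || op == "-") tok = substr(tok, 2)
            else op = "="
            hit = (tok == "sslv3" || tok == "all")
            if (op == "=") sslv3 = hit     # bare token replaces the whole set
            else if (hit) sslv3 = (op == "+")
        }
        if (sslv3) {
            bad++
            sub(/^[ \t]+/, "")
            printf "%s:%d: %s\n", f, FNR, $0
        }
    }
    END {
        if (!seen) { print f ": no SSLProtocol directive found"; exit 2 }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample resembling an ssl.conf with two virtual hosts, one fixed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#SSLProtocol all -SSLv2 -SSLv3
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  sslprotocol all -SSLv2
</VirtualHost>
EOF
sslv3_offenders "$sample" || echo "exit status $?"
rm -f "$sample"
```

On the server, call it as sslv3_offenders /etc/httpd/conf.d/ssl.conf before running apachectl configtest. The openssl s_client -ssl3 check in step 2 remains the test that confirms the running server's behaviour.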

 

 

  Copyright © 2018 Oracle, Inc.  All rights reserved.