
Mitigating the SSL v3.0 POODLE Vulnerability

Disclaimer: This article is no longer being updated. The default server.xml only supports Transport Layer Security (TLS). Support for Secure Sockets Layer (SSL) v3.0 has been disabled by default since Jamf Pro 9.61.

Overview

On October 14, 2014, a significant vulnerability in the design of Secure Sockets Layer (SSL) v3.0 was announced. This attack is commonly known as POODLE (Padding Oracle On Downgraded Legacy Encryption).

By default, the JSS specifies the Transport Layer Security (TLS) communication protocol, but it does not explicitly disable any other protocols, including SSL v3.0. This article describes how to disable SSL v3.0 so that only TLS is used for connections to the JSS.

The jamfds binary v9.6 or earlier uses SSL v3.0 for connections from the JAMF Distribution Server (JDS) to the JSS and to other JDS instances. Version 9.61 of the jamfds binary uses TLS instead of SSL v3.0.

Products Affected

  • Casper Suite v9.6 and earlier
  • JDS v9.6 and earlier

Procedure

Warning: If you are using a JDS instance in your environment, you must install v9.61 of the jamfds binary before modifying the server.xml file.

To update the jamfds binary:

If you are using a JDS instance in your environment, download and install v9.61 of the jamfds binary before modifying the HTTPS connector for port 8443 in the server.xml file.

To modify the HTTPS connector for port 8443 in the server.xml file:

  1. Open the server.xml file in a text editor. The server.xml file is located in /path/to/JSS/Tomcat/conf/.
  2. Add the following attribute to the Connector element for port="8443" after the sslProtocol="TLS" attribute: sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
  3. Save and close the server.xml file.
  4. Restart Tomcat. For instructions, see Starting and Stopping Tomcat.
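As an added example (not Jamf's code), the following script audits the port 8443 Connector in a server.xml for the gap described in the Overview, where sslProtocol="TLS" alone leaves SSL v3.0 negotiable, and applies step 2 by pinning sslEnabledProtocols to the TLS-only value. The trimmed server.xml it parses is constructed, and the keystore path in it is a placeholder.

```python
import xml.etree.ElementTree as ET

# TLS-only value the article prescribes; names Tomcat/JSSE accept in sslEnabledProtocols.
TLS_ONLY = "TLSv1.2,TLSv1.1,TLSv1"
LEGACY = {"SSLv2", "SSLv3", "SSLv2Hello"}

# Constructed sample: a trimmed JSS server.xml whose 8443 connector has only
# sslProtocol="TLS", which does not stop an SSLv3 handshake (the POODLE gap).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" keystoreFile="/path/to/keystore" />
  </Service>
</Server>"""

def https_connector(root, port="8443"):
    """Return the first Connector element bound to `port`, or None."""
    return next((c for c in root.iter("Connector") if c.get("port") == port), None)

def audit(xml_text, port="8443"):
    """Return findings for the HTTPS connector; an empty list means TLS-only."""
    conn = https_connector(ET.fromstring(xml_text), port)
    if conn is None:
        return [f"no Connector for port {port}"]
    enabled = conn.get("sslEnabledProtocols")
    if enabled is None:
        return ["sslEnabledProtocols missing: SSLv3 still negotiable"]
    legacy = sorted(LEGACY & {p.strip() for p in enabled.split(",")})
    return ["legacy protocols enabled: " + ",".join(legacy)] if legacy else []

def harden(xml_text, port="8443"):
    """Return server.xml text with the connector pinned to TLS-only protocols."""
    root = ET.fromstring(xml_text)
    conn = https_connector(root, port)
    if conn is None:
        raise ValueError(f"no Connector for port {port}")
    conn.set("sslProtocol", "TLS")             # keeps the attribute step 2 refers to
    conn.set("sslEnabledProtocols", TLS_ONLY)  # the attribute step 2 adds
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("before:", audit(SAMPLE_SERVER_XML))           # one finding
    print("after: ", audit(harden(SAMPLE_SERVER_XML)))   # []
```

Run it against a copy of your own server.xml (pass the file contents to audit) before and after editing; Tomcat still has to be restarted for the change to take effect.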

Additional Information

For more information about POODLE, see the Security Update.

Posted by Rosko

Today we upgraded to v9.6 and applied the above "patch"; however, after modifying the server.xml file we started seeing the following errors when trying to upload files via Casper Admin to our JDSs...

2014-10-17 11:03:31,012 INFO Adding package "Casper Remote v9.6.dmg" for download
2014-10-17 11:03:31,013 INFO Adding package "Casper Suite v9.6.dmg" for download
2014-10-17 11:03:31,028 INFO Downloading package "Casper Remote v9.6.dmg"
2014-10-17 11:03:31,086 ERROR Failed to download package "Casper Remote v9.6.dmg"
2014-10-17 11:03:31,086 ERROR [Errno 1] _ssl.c:499: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Traceback (most recent call last):
  File "/Users/Share/Jenkins/workspace/jamfds-build-release/label/jenkinsmac07.jamfsw.corp/build/jamfds/out00-PYZ.pyz/jds", line 882, in download_for_yosemite
  File "/Users/Share/Jenkins/workspace/jamfds-build-release/label/jenkinsmac07.jamfsw.corp/build/jamfds/out00-PYZ.pyz/requests.api", line 55, in get
  File "/Users/Share/Jenkins/workspace/jamfds-build-release/label/jenkinsmac07.jamfsw.corp/build/jamfds/out00-PYZ.pyz/requests.api", line 44, in request
  File "/Users/Share/Jenkins/workspace/jamfds-build-release/label/jenkinsmac07.jamfsw.corp/build/jamfds/out00-PYZ.pyz/requests.sessions", line 448, in request
  File "/Users/Share/Jenkins/workspace/jamfds-build-release/label/jenkinsmac07.jamfsw.corp/build/jamfds/out00-PYZ.pyz/requests.sessions", line 554, in send
  File "/Users/Share/Jenkins/workspace/jamfds-build-release/label/jenkinsmac07.jamfsw.corp/build/jamfds/out00-PYZ.pyz/requests.adapters", line 417, in send
SSLError: [Errno 1] _ssl.c:499: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
2014-10-17 11:03:31,101 INFO Downloading package "Casper Suite v9.6.dmg"
2014-10-17 11:03:31,105 ERROR Failed to download package "Casper Suite v9.6.dmg"
2014-10-17 11:03:31,105 ERROR [Errno 1] _ssl.c:499: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Traceback (most recent call last):
  File "/Users/Share/Jenkins/workspace/jamfds-build-release/label/jenkinsmac07.jamfsw.corp/build/jamfds/out00-PYZ.pyz/jds", line 882, in download_for_yosemite
  File "/Users/Share/Jenkins/workspace/jamfds-build-release/label/jenkinsmac07.jamfsw.corp/build/jamfds/out00-PYZ.pyz/requests.api", line 55, in get
  File "/Users/Share/Jenkins/workspace/jamfds-build-release/label/jenkinsmac07.jamfsw.corp/build/jamfds/out00-PYZ.pyz/requests.api", line 44, in request
  File "/Users/Share/Jenkins/workspace/jamfds-build-release/label/jenkinsmac07.jamfsw.corp/build/jamfds/out00-PYZ.pyz/requests.sessions", line 448, in request
  File "/Users/Share/Jenkins/workspace/jamfds-build-release/label/jenkinsmac07.jamfsw.corp/build/jamfds/out00-PYZ.pyz/requests.sessions", line 554, in send
  File "/Users/Share/Jenkins/workspace/jamfds-build-release/label/jenkinsmac07.jamfsw.corp/build/jamfds/out00-PYZ.pyz/requests.adapters", line 417, in send
SSLError: [Errno 1] _ssl.c:499: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Once we removed the changes everything was fine again. We did upgrade the jamfds binary as well as stated above.

Any ideas as to what caused this and/or how to remedy the issue?

Posted by jason.vanzanten

@Rosko:

Thanks for bringing this to our attention. Unfortunately, it looks like the original fix for the jamfds binary (v9.6.29518.c) was incomplete for OS X servers and certain installations of Linux, especially if the latest security updates for OpenSSL were not installed.

The instructions in this article have been updated to reference a new version of the jamfds binary (v9.6.29567.c) along with corresponding links to the updated JDS Installers for Mac and Linux.

If you already installed jamfds binary v9.6.29518.c there should be no need to update to v9.6.29567.c unless it is running on OS X or you notice SSLv3 handshake errors on Linux. Use the following command to check the version of the jamfds binary on your system:

$ jamfds --version
jamfds 9.6.29567.c

And check the jamf.log for any connection errors and/or SSL version 3.0 handshake errors:

OS X: /Library/JDS/logs/jamf.log
Linux: /usr/local/jds/logs/jamf.log
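Added example (not Jamf's code) that performs the jamf.log check described above: it walks the log and separates package downloads that died in the SSL v3.0 handshake from failures with other causes. The sample log is constructed, modelled on the lines Rosko posted, with the traceback abbreviated and one non-SSL failure added for contrast.

```python
import re

# Constructed sample in jamf.log's "timestamp LEVEL message" format, modelled on
# the lines posted earlier in this thread; the traceback is abbreviated.
SAMPLE_JAMF_LOG = """\
2014-10-17 11:03:31,028 INFO Downloading package "Casper Remote v9.6.dmg"
2014-10-17 11:03:31,086 ERROR Failed to download package "Casper Remote v9.6.dmg"
2014-10-17 11:03:31,086 ERROR [Errno 1] _ssl.c:499: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Traceback (most recent call last):
  File "jds", line 882, in download_for_yosemite
SSLError: [Errno 1] _ssl.c:499: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
2014-10-17 11:03:31,101 INFO Downloading package "Casper Suite v9.6.dmg"
2014-10-17 11:03:31,105 ERROR Failed to download package "Casper Suite v9.6.dmg"
2014-10-17 11:03:31,105 ERROR [Errno 1] _ssl.c:499: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
2014-10-17 11:04:02,310 INFO Downloading package "Firefox 33.dmg"
2014-10-17 11:04:09,877 ERROR Failed to download package "Firefox 33.dmg"
2014-10-17 11:04:09,877 ERROR [Errno 104] Connection reset by peer
"""

LOG_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+) (.*)$")
FAILED = re.compile(r'^Failed to download package "(.+)"$')
# OpenSSL's wording when the server refuses the client's SSLv3/SSL23 hello.
SSLV3_ALERT = re.compile(r"SSL routines:.*:sslv3 alert handshake failure")

def triage(log_text):
    """Map each package that failed to download to 'ssl_handshake' or 'other'.

    jamfds logs the failure on one ERROR line and its cause on the next, so the
    package name is remembered until the next non-ERROR line."""
    failures = {}
    last_failed = None
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue                     # traceback lines carry no timestamp
        _, level, msg = m.groups()
        if level != "ERROR":
            last_failed = None
            continue
        f = FAILED.match(msg)
        if f:
            last_failed = f.group(1)
            failures[last_failed] = "other"
        elif last_failed and SSLV3_ALERT.search(msg):
            failures[last_failed] = "ssl_handshake"
    return failures

def ssl_handshake_failures(log_text):
    """Sorted package names whose download died in the SSLv3 handshake."""
    return sorted(p for p, why in triage(log_text).items() if why == "ssl_handshake")
```

Point it at /Library/JDS/logs/jamf.log or /usr/local/jds/logs/jamf.log; a non-empty ssl_handshake_failures result after the server.xml change means the JDS is still running a jamfds binary that speaks SSL v3.0.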
Posted by MARL

We have noticed that on OS X 10.10.0 clients the JSS web interface has become very slow to even display the login in Safari. Firefox on the other hand works fine. We have verified the servers and client connections are not impacted, just the web interface. Is this because OS X 10.10.0 disabled SSLv3 in Safari and it's trying to use that when using the JSS interface?

Posted by blinvisible

The JSS 9.61 update also takes care of this, correct?

Posted by Rosko

@jason.vanzanten:
Thank you. We've updated the JDS binary to 9.6.29567.c and this has resolved the issues we were seeing.

@blinvisible:
Yes, according to the Release Notes for v9.61 it remediates the POODLE vulnerability. That is all the update seems to do from what I saw in the release notes, which is why we just patched the JDS.

Posted by fabian.fasshuber

Many thanks for these instructions.
