Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kibana CAS after SSLv3 POODLE #46

Open
td-edge opened this issue Dec 3, 2014 · 1 comment
Open

Kibana CAS after SSLv3 POODLE #46

td-edge opened this issue Dec 3, 2014 · 1 comment

Comments

@td-edge
Copy link

td-edge commented Dec 3, 2014

I set up Kibana several months ago using SSLv3. With the recent POODLE attack, my systems have shut off SSLv3, and everything is using TLS. To have Kibana auto-negotiate to TLS, I added the following options to the validatePathName object in jcas.js:

secureProtocol: 'SSLv23_method',
secureOptions: constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_SSLv3 ,

This doesn't seem to help though, and I continue to get a timeout and 500 error returned only after reaching the ticket validation step through CAS over https. I also tried adding global https variables to app.js (#33) for TLS, and added specific cipher orders in jcas.js. I upgraded node.js to the current stable version as well.

Am I missing a setting or hack that would allow me to return validation from an independent CAS sever over TLS? Is there a standard setting for dealing with SSLv3 post POODLE?
@td-edge
Copy link
Author

td-edge commented Jun 30, 2015

jcas.js

  • require 'tls'
  • No SSLv3 | SSLv2
  • option method SSLv23
<Set name = "Exclude Protocols">
   <Array type = "java.lang.string">
      <Item> SSLv3 </Item>
   </Array>
</Set>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@td-edge