
How can I disable sslv3 on virtual appliance?


In a vulnerability scan of our network I found a few items to address on version 9.2.10535 of the Acronis Backup for VMware virtual appliance.


I got out to the shell and edited /etc/lighttpd/lighttpd.conf and added these two lines under the existing ssl.engine and ssl.pemfile parameters:

ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

I was sure to write out the file and then rebooted the virtual appliance. A quick test with OpenSSL still makes a connection:

OpenSSL> s_client -connect 10.30.1.19:443 -ssl3

Loading 'screen' into random state - done
CONNECTED(00000194)
depth=0 /CN=10.30.1.19
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=10.30.1.19
verify return:1
---
Certificate chain
 0 s:/CN=10.30.1.19
   i:/CN=10.30.1.19
---
Server certificate
-----BEGIN CERTIFICATE-----

......


Our vulnerability scan also found a lighttpd connect.c denial of service vulnerability and suggests updating lighttpd at http://www.lighttpd.net/.

Without any package manager like yum or apt-get or compilation tools, how would one get a compiled updated lighttpd or even just disable sslv3?


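The OpenSSL check described in the post above, as an added example that is not part of the original thread: a POSIX shell helper that classifies `openssl s_client -ssl3` output, because the CONNECTED line alone only shows that the TCP connection succeeded, and a wrapper that runs the live probe against a host:port of your choosing. The sample outputs, the 192.0.2.10 address and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies `openssl s_client ... -ssl3`
# output so a scan finding can be re-checked without misreading it:
# "CONNECTED(...)" only proves the TCP connection; the verdict is the server
# certificate or "Protocol  : SSLv3" line (accepted) or an alert (rejected).

# classify_s_client_output OUTPUT -> prints accepted|rejected|inconclusive,
# returns 0|1|2 respectively.
classify_s_client_output() {
    out=$1
    # Client-side errors (local OpenSSL built without SSLv3, or the option
    # no longer exists): the probe says nothing about the server.
    case $out in
        *"unsupported protocol"*|*"no protocols available"*|*"Unknown option"*|*"unknown option"*)
            echo inconclusive; return 2 ;;
    esac
    # The server refused the version offered in the ClientHello.
    case $out in
        *"handshake failure"*|*"alert protocol version"*|*"wrong version number"*)
            echo rejected; return 1 ;;
    esac
    # The server sent its certificate or the session block names SSLv3:
    # SSLv3 was negotiated, so the disable setting is not in effect.
    case $out in
        *"-----BEGIN CERTIFICATE-----"*|*"Protocol  : SSLv3"*)
            echo accepted; return 0 ;;
    esac
    echo inconclusive; return 2
}

# probe_sslv3 HOST:PORT -- live check; assumes openssl is on PATH.
# </dev/null makes s_client exit after the handshake instead of waiting for input.
probe_sslv3() {
    output=$(openssl s_client -connect "$1" -ssl3 </dev/null 2>&1)
    classify_s_client_output "$output"
}

# Constructed sample outputs (not captured from a real appliance) for an offline check.
SAMPLE_ACCEPTED='CONNECTED(00000003)
depth=0 /CN=192.0.2.10
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
    Protocol  : SSLv3'
SAMPLE_REJECTED='CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'

if [ $# -eq 1 ]; then probe_sslv3 "$1"; fi
```

An `accepted` result after the lighttpd.conf change means that lighttpd build is not honouring the setting, which is what the thread reports; `inconclusive` usually means the local OpenSSL cannot speak SSLv3 at all and an older build is needed for the probe.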
Acronis Program Manager

Hi Keith,

SSLv3 should be disabled by adding the ssl.use-sslv3 = "disable" parameter to lighttpd.conf, though it looks like it doesn't work for some reason (probably an issue in the particular Lighttpd version). It is not possible to simply update the Lighttpd running in the appliance since there is no yum or apt-get functionality available in Acronis Linux. We are planning to address this problem in the next version of Acronis Backup, where we won't use Lighttpd (the next version is planned to be released next year). For now I'm afraid there is no workaround.

Thank you.

--

Best regards,

Vasily

Acronis Virtualization Program Manager