fangli / kibana-authentication-proxy

Hosts the latest kibana3 and elasticsearch behind Google OAuth2, Basic Authentication or CAS Authentication
MIT License
223 stars 66 forks

Kibana CAS after SSLv3 POODLE #46

Open td-edge opened 9 years ago

td-edge commented 9 years ago

I set up Kibana several months ago using SSLv3. With the recent POODLE attack, my systems have shut off SSLv3, and everything is using TLS. To have Kibana auto-negotiate to TLS, I added the following options to the validatePathName object in jcas.js:

var constants = require('constants'); // needed for the SSL_OP_* flags below

secureProtocol: 'SSLv23_method',
// note: both operands are SSL_OP_NO_SSLv3, so only SSLv3 is excluded here
secureOptions: constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_SSLv3,

This doesn't seem to help though, and I continue to get a timeout and 500 error returned only after reaching the ticket validation step through CAS over https. I also tried adding global https variables to app.js (https://github.com/fangli/kibana-authentication-proxy/issues/33) for TLS, and added specific cipher orders in jcas.js. I upgraded node.js to the current stable version as well.

Am I missing a setting or hack that would allow me to return validation from an independent CAS server over TLS? Is there a standard setting for dealing with SSLv3 post-POODLE?

td-edge commented 9 years ago

jcas.js

<!-- Jetty XML configuration for the SslContextFactory: drop SSLv3 from the offered protocols -->
<Set name="ExcludeProtocols">
  <Array type="java.lang.String">
    <Item>SSLv3</Item>
  </Array>
</Set>