Main > Forum > 1C:Enterprise Platform > Bugs and functionality requests to 1C:Enterprise platform > SSL v3

SSL v3
#1
Active user
Points: 0
Joined: Mar 20, 2012

Hello.

Due to a newly found vulnerability in SSL3, I turned off the SSL3 protocol on the server with the web server. But it caused an "invalid local certificate" error on the client.

#2
Active user
Points: 0
Joined: Jun 25, 2013

Hello,

Could you provide us with details, like your script, error messages, and so on?

#3
Active user
Points: 0
Joined: Mar 20, 2012

This script is causing "invalid local certificate" message.

Code
   // The client certificate (PEM text) is stored in a constant and written to a temp file,
   // because OpenSSLSecureConnection takes the client certificate from a file.
   Crt = Constants.WebServiceHTTPS.Get();
   If IsBlankString(Crt) Then
      HTTPSData = Undefined;   // no client certificate configured: connect without one
   Else
      Doc = New TextDocument;
      Doc.SetText(Crt);
      Tmp = GetTempFileName("crt");   // note: this temp file is never deleted by the script
      Doc.Write(Tmp);
      HTTPSData = New OpenSSLSecureConnection(New FileClientCertificate(Tmp));
   EndIf;
   // The same secure-connection object is used for the WSDL download and for the proxy calls
   WSDef = New WSDefinitions(Constants.WebServiceConnectionPoint.Get(),Constants.WebServiceUser.Get(), Constants.WebServicePassword.Get(),,HTTPSData);
   WS = New WSProxy(WSDef,"Puntodeventa","PuntoDeVenta","PuntoDeVentaSoap",,HTTPSData);
   WS.User = Constants.WebServiceUser.Get();
   WS.Password = Constants.WebServicePassword.Get();

   WS.SomeMethod();

When SSL3 is turned on it works fine.

#4
Guest

Hello, Mikhail!

Which web server and OS do you use and which settings did you change to disable SSL3 protocol?

#5
Active user
Points: 0
Joined: Mar 20, 2012

Web server is Apache on CentOS 6.

I used these configuration settings:

Code
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

#6
Guest

Which version of 1C:Enterprise platform do you use?

#7
Active user
Points: 0
Joined: Mar 20, 2012

8.3.5.1119

#8
Guest

Thank you for the information, we are investigating this issue.
At the same time, please try to update 1C:Enterprise platform to version 8.3.5.1248.

#9
Guest

I'm sorry, Mikhail, the developers are asking for a test example: two database dumps, one that should be on the server and one that connects to the first one?

#10
Guest

Hello, Mikhail,

If this incident is still relevant for you, please provide the following information:
1. The full versions of CentOS and Apache that you use; are they 32- or 64-bit?
2. Is the web service that you use provided by a third-party application, or is it created and published using the 1C:Enterprise platform?

#11
Interested
Points: 15
Joined: Oct 27, 2011

I will reply for Michael.

1. CentOS 6.5, Apache 2.2, 64-bit
Server version: Apache/2.2.15 (Unix)
Server built:   Jul 23 2014 14:17:29

2. Published via 1C:Enterprise. The 1C server is also x64.

#12
Guest

Hello, Alexey!

We are still trying to reproduce the error.

Please execute the following commands in the terminal:

Code
lsb_release -a
uname -a
locale
rpm -qa "1C*"
yum list | grep httpd
yum list | grep mod_ssl

Which of those lines produces an error?

Is the code that you provided in message #3 executed on client or on server?

Please provide the certificate properties. Steps to acquire them in the Firefox browser are shown in the attached screenshot. We need the values for both states: with SSLv3 enabled and disabled.
Also, is this certificate signed by an authority or is it self-signed?

We also need to get the technological log, collected when the error is reproduced.

How to create the technological log on Linux:
You must configure the technological log on both the 1C:Enterprise server and the client that performs the call.

In the 1C:Enterprise directory (by default /opt/1C/v8.3/x86_64/ for a 64-bit OS or /opt/1C/v8.3/i386/ for 32-bit) create a conf folder (if not present) and a logcfg.xml file. This file should contain the following or similar text:
Code
<config xmlns="http://v8.1c.ru/v8/tech-log">
  <log history="72" location="/1clogs/folder/path">
    <event>
      <eq property="name" value="ADMIN"/>
    </event>
    <event>
      <eq property="name" value="EXCP"/>
    </event>
    <event>
      <eq property="name" value="CONN"/>
    </event>
    <event>
      <eq property="name" value="SCOM"/>
    </event>
    <event>
      <eq property="name" value="PROC"/>
    </event>
    <property name="all">
    </property>
  </log>
</config>

Note that there must be enough free space in the technological log folder. The folder must also contain no files other than technological log files; if other files are present, the technological log will not be created. After logcfg.xml is placed in the conf folder, wait for 1 minute, because 1C:Enterprise checks that folder every minute for the file.

The user that runs 1C:Enterprise (for the server it is normally usr1cv83) must be allowed to write to the technological log folder (/1clogs/folder/path in the logcfg.xml example above).

To receive correct logs, delete all existing files in the technological log folders, run 1C:Enterprise and reproduce the error, then close 1C:Enterprise. Compress the logs and send them to int@1c.com together with a link to the topic where you asked for support. If the log file is too large, please inform us and we will provide FTP access to upload it.

Please DO NOT PUBLISH the technological log or any other CONFIDENTIAL INFORMATION on any public resource, including Google disk, dropbox, etc.

Because collecting the log consumes system resources, rename the logcfg.xml file to turn the technological log off once you have finished.

You can find more details on the technological log configuration in the Administrator Guide, Chapter 6.13.
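
The steps above, as an added example in Python rather than 1C's own tooling: render the same logcfg.xml for a chosen log folder, check the preconditions the post names (the folder exists, is empty, and is writable by the 1C user), install the file under the 1C directory's conf folder, and switch the log off again by renaming it. demo() runs on constructed temp folders as the current user, since a test box has neither /opt/1C nor the usr1cv83 user.

```python
import os, pwd, stat, tempfile
from pathlib import Path
EVENTS = ("ADMIN", "EXCP", "CONN", "SCOM", "PROC")   # the event filters used in the post's logcfg.xml

def render_logcfg(location, events=EVENTS, history=72):
    """Build the same logcfg.xml as the post, pointing at the given log folder."""
    ev = "".join(f'    <event>\n      <eq property="name" value="{e}"/>\n    </event>\n' for e in events)
    return (f'<config xmlns="http://v8.1c.ru/v8/tech-log">\n  <log history="{history}" location="{location}">\n'
            f'{ev}    <property name="all">\n    </property>\n  </log>\n</config>\n')

def writable_by(path, user):
    if user is None:                        # None = this process; demo() uses it because usr1cv83 is absent there
        return os.access(path, os.W_OK)
    st, uid = Path(path).stat(), pwd.getpwnam(user).pw_uid      # KeyError if the user does not exist
    return bool((st.st_uid == uid and st.st_mode & stat.S_IWUSR) or st.st_mode & stat.S_IWOTH)  # owner/other bits only

def check_log_dir(logdir, user="usr1cv83"):
    """Return the conditions named in the post that would keep 1C from writing the log (empty list = OK)."""
    p, problems = Path(logdir), []
    if not p.is_dir():
        return [f"{p} does not exist"]
    if any(p.iterdir()):                       # only tech-log files may live here, so start with it empty
        problems.append(f"{p} is not empty")
    if not writable_by(p, user):
        problems.append(f"{p} is not writable by {user}")
    return problems

def enable_techlog(v8dir, logdir):
    """Write conf/logcfg.xml; 1C re-reads conf/ about once a minute, so logging starts after that."""
    cfg = Path(v8dir) / "conf" / "logcfg.xml"
    cfg.parent.mkdir(parents=True, exist_ok=True)
    cfg.write_text(render_logcfg(logdir))
    return cfg

def disable_techlog(v8dir):
    """Rename logcfg.xml so collection stops, which is how the post says to turn the log off."""
    cfg = Path(v8dir) / "conf" / "logcfg.xml"
    return cfg.rename(cfg.with_name("logcfg.xml.off"))   # Path.rename returns the new path (Python 3.8+)

def demo():
    """Dry run on constructed temp folders as the current user, so it needs no 1C install or usr1cv83."""
    with tempfile.TemporaryDirectory() as tmp:
        v8dir, logdir = Path(tmp) / "v8.3", Path(tmp) / "1clogs"
        logdir.mkdir()
        clean = check_log_dir(logdir, user=None)
        (logdir / "stray.txt").write_text("not a log")
        dirty = check_log_dir(logdir, user=None)
        cfg = enable_techlog(v8dir, logdir)
        off = disable_techlog(v8dir)
        return clean, dirty, 'value="CONN"' in off.read_text(), cfg.exists(), off.exists()
```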
