SSL v3

This forum is intended for cases when a problem can not be solved due to restrictions of the platform: a bug or lack of functionality.

#1
Active user
Rating: 6
Joined: Mar 20, 2012
Company: Abaco Soluciones S.A.

Hello.

Due to the newly found vulnerability in SSL3, I turned off the SSL3 protocol on the server with the web server. But it caused an "invalid local certificate" error on the client.

 
#2
Active user
1C:Professional
Rating: 8
Joined: Jun 25, 2013
Company: 1C Company

Hello,

Could you provide us with details, like your script, error messages, and so on?

1C Company support team
 
#3
Active user
Rating: 6
Joined: Mar 20, 2012
Company: Abaco Soluciones S.A.

This script is causing the "invalid local certificate" message.

Code
   Crt = Constants.WebServiceHTTPS.Get();
   If IsBlankString(Crt) Then
      HTTPSData = Undefined;
   Else
      Doc = new TextDocument;
      Doc.SetText(Crt);
      Tmp = GetTempFileName("crt");
      Doc.Write(Tmp);
      HTTPSData = New OpenSSLSecureConnection(New FileClientCertificate(Tmp));
   EndIf;
   WSDef = New WSDefinitions(Constants.WebServiceConnectionPoint.Get(),Constants.WebServiceUser.Get(), Constants.WebServicePassword.Get(),,HTTPSData);
   WS = New WSProxy(WSDef,"Puntodeventa","PuntoDeVenta","PuntoDeVentaSoap",,HTTPSData);
   WS.User = Constants.WebServiceUser.Get();
   WS.Password = Constants.WebServicePassword.Get();
        
   WS.SomeMethod();


When SSL3 is turned on it works fine.

 
#4
Timofey Bugaevsky
Guest

Hello, Mikhail!

Which web server and OS do you use and which settings did you change to disable SSL3 protocol?

 
#5
Active user
Rating: 6
Joined: Mar 20, 2012
Company: Abaco Soluciones S.A.

Web server is Apache on CentOS 6.

I used these configuration settings:

Code
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

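As an added example (not code from the thread or from 1C), the Python below evaluates the SSLProtocol directive posted above the way mod_ssl does (tokens applied left to right, `+`/bare enables, `-` disables) and reports cipher tokens that remain positively selected in SSLCipherSuite. What the `all` keyword expands to is an assumption; on the posted directives it confirms SSLv3 is off but shows RC4 is still offered.

```python
import re

# Assumption: what mod_ssl's "all" keyword expands to on this server (Apache 2.2
# on CentOS 6.5 with a TLS 1.1/1.2-capable OpenSSL is assumed; adjust if needed).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# Cipher-string tokens that select algorithms a server should no longer offer.
WEAK_TOKENS = ("RC4", "MD5", "3DES", "DES", "EXP", "LOW", "aNULL", "eNULL")

# The directives from the post above, embedded here as the sample input.
SAMPLE_SSLPROTOCOL = "all -SSLv2 -SSLv3"
SAMPLE_CIPHERSUITE = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
                      "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
                      "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW "
                      "!3DES !MD5 !EXP !PSK !SRP !DSS")

def enabled_protocols(directive, all_protocols=ALL_PROTOCOLS):
    """Evaluate an SSLProtocol value left to right: 'all' or a bare/'+' token
    enables protocols, a '-' token disables them. Returns the enabled set."""
    enabled = set()
    for token in directive.split():
        sign, name = ("+", token) if token[0] not in "+-" else (token[0], token[1:])
        if name.lower() == "all":
            names = set(all_protocols)
        elif name in all_protocols:
            names = {name}
        else:
            raise ValueError("unknown SSLProtocol token: %r" % token)
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def weak_cipher_tokens(cipher_suite):
    """Return weak tokens that are positively selected in an SSLCipherSuite
    string. Tokens prefixed with '!' or '-' are exclusions and are skipped."""
    found = []
    for spec in re.split(r"[\s:,]+", cipher_suite.strip()):
        if not spec or spec[0] in "!-":
            continue
        for part in spec.split("+"):
            if part in WEAK_TOKENS and part not in found:
                found.append(part)
    return found

def audit(protocol_directive, cipher_suite):
    """Collect human-readable findings for an SSLProtocol/SSLCipherSuite pair."""
    findings = []
    for legacy in ("SSLv2", "SSLv3"):
        if legacy in enabled_protocols(protocol_directive):
            findings.append("%s is still enabled" % legacy)
    for token in weak_cipher_tokens(cipher_suite):
        findings.append("weak cipher token selected: %s" % token)
    return findings
```

Running `audit(SAMPLE_SSLPROTOCOL, SAMPLE_CIPHERSUITE)` yields a single finding for RC4; removing the two RC4 tokens from the cipher string yields none.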
 
#6
Timofey Bugaevsky
Guest

Which version of 1C:Enterprise platform do you use?

 
#7
Active user
Rating: 6
Joined: Mar 20, 2012
Company: Abaco Soluciones S.A.

8.3.5.1119

 
#8
Timofey Bugaevsky
Guest

Thank you for the information, we are investigating this issue.
At the same time, please try to update the 1C:Enterprise platform to version 8.3.5.1248.

 
#9
Timofey Bugaevsky
Guest

I'm sorry, Mikhail, but the developers are asking for a test example: two database dumps, one that should be on the server and one that connects to the first one.

 
#10
Timofey Bugaevsky
Guest

Hello, Mikhail,

If this incident is still relevant for you, please provide the following information:
1. Full versions of CentOS and Apache that you use; are they 32- or 64-bit?
2. Is the web service that you use provided by a third-party application, or is it created and published using the 1C:Enterprise platform?

 
#11
Interested
Rating: 32
Joined: Oct 27, 2011
Company: Abaco Soluciones S.A.

I will reply for Michael.

1. CentOS 6.5, Apache 2.2, 64-bit
Server version: Apache/2.2.15 (Unix)
Server built:   Jul 23 2014 14:17:29

2. Published via 1C:Enterprise. The 1C server is also x64.

 
#12
Timofey Bugaevsky
Guest

Hello, Alexey!

We are still trying to reproduce the error.

Please execute the following commands in the terminal:

Code
lsb_release -a
uname -a
locale
rpm -qa "1C*"
yum list | grep httpd
yum list | grep mod_ssl

Which of those lines produces an error?

Is the code that you provided in message #3 executed on client or on server?

Please provide the certificate properties. Steps to acquire them for the Firefox browser are provided in the attached screenshot. We need values for both states: with SSLv3 enabled and disabled.
Also, is this certificate signed by an authority, or is it self-signed?

We also need to get the technological log, collected when the error is reproduced.

How to create the technological log on Linux:
You must configure the technological log on both the 1C:Enterprise server and the client that performs the call.

In the 1C:Enterprise directory (by default /opt/1C/v8.3/x86_64/ for the x64 OS version or /opt/1C/v8.3/i386/ for x86) create a conf folder (if not present) and a logcfg.xml file. This file should contain the following or similar text:
Code
<config xmlns="http://v8.1c.ru/v8/tech-log">
  <log history="72" location="/1clogs/folder/path">
    <event>
      <eq property="name" value="ADMIN"/>
    </event>
    <event>
      <eq property="name" value="EXCP"/>
    </event>
    <event>
      <eq property="name" value="CONN"/>
    </event>
    <event>
      <eq property="name" value="SCOM"/>
    </event>
    <event>
      <eq property="name" value="PROC"/>
    </event>
    <property name="all">
    </property>
  </log>
</config>

Note that there should be enough free space in the technological log folder. There should also be no other files except technological log files; if there are other files, the technological log will not be created. After logcfg.xml is placed in this folder, wait for 1 minute, because 1C:Enterprise checks this folder every minute to find this file.

The user that runs 1C:Enterprise (for the server it is normally usr1cv83) must be allowed to write to the technological log folder (/1clogs/folder/path in the logcfg.xml example above).

To receive correct logs, delete all existing files in the technological log folders, run 1C:Enterprise and reproduce the error, then close 1C:Enterprise. Compress and send the logs to int@1c.com together with the link to the topic where you asked for support. If the log file is too large, please inform us and we will provide FTP access to upload it.

Please DO NOT PUBLISH the technological log or any other CONFIDENTIAL INFORMATION on any public resource, including Google disk, dropbox, etc.

Because collecting logs takes system resources, rename the logcfg.xml file after you have finished to turn off the technological log.

You can find more details on the technological log configuration in the Administrator Guide, Chapter 6.13.

 