SSL v3 support / poodle
Julien Savoie
2014-10-15 06:38:37 UTC
Worth mentioning that ezproxy by default has SSLv3 support and is
impacted by
http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/

We've been running ezproxy with:
SSLCipherSuite HIGH:RC4-SHA:!ADH:!aNULL

$ sslscan proxy:2443 | grep Accepted
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits RC4-SHA

So now would be a good time to turn off SSLv3 in ezproxy. Unfortunately
adding !SSLv3 or -SSLv3 seems to disable ALL of the available ciphers.


---
You are currently subscribed to ezproxy as: gee-***@m.gmane.org.
To unsubscribe, send request to ***@itec.suny.edu
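An added example, not code from the list thread or from OCLC: a small Python audit over the `Accepted` lines that sslscan prints, using the scan output quoted above as its constructed sample. It reports what a defender checks after POODLE: whether SSLv3 is still negotiable, whether any accepted suite uses RC4 or 3DES, and whether any forward-secret (ECDHE/DHE) suite is offered at all, which also covers the Mozilla cipher-profile question raised later in the thread. One point worth keeping in mind when reading the `!SSLv3` observation above: in OpenSSL cipher-string syntax `SSLv3` names a cipher-suite group (the suites introduced with SSL 3.0, which TLS 1.0 and 1.1 reuse), not a protocol version, so on an OpenSSL build with no TLS 1.2-only suites `!SSLv3` leaves an empty list; the protocol itself is switched off by a separate setting (`SSL_OP_NO_SSLv3` in OpenSSL, `SSLProtocol all -SSLv3` in Apache), which EZproxy did not expose at the time of this thread. The names `parse_sslscan`, `audit` and `protocols_accepted` are this example's own.

```python
"""Audit sslscan output for SSLv3 and weak cipher suites (added example)."""
import re
import sys
from collections import defaultdict

# Constructed sample: the sslscan output quoted in the original list post.
SAMPLE_SCAN = """\
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits RC4-SHA
"""

# sslscan's "Accepted <protocol> <bits> bits <suite>" line format.
ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

# Protocols that must not be negotiable at all (POODLE abuses SSLv3 CBC padding).
DEAD_PROTOCOLS = {"SSLv2", "SSLv3"}
# Suite-name fragments that mark a cipher as weak regardless of protocol.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC3", "DES-CBC-", "NULL", "EXP")


def parse_sslscan(text):
    """Return {protocol: [(bits, suite), ...]} for every Accepted line."""
    accepted = defaultdict(list)
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            proto, bits, suite = m.groups()
            accepted[proto].append((int(bits), suite))
    return dict(accepted)


def audit(text):
    """Turn scan output into a list of findings; an empty list means clean."""
    accepted = parse_sslscan(text)
    if not accepted:
        return ["no Accepted lines found in input"]
    findings = []
    for proto in sorted(DEAD_PROTOCOLS & set(accepted)):
        findings.append("protocol %s is still negotiable (%d suites)"
                        % (proto, len(accepted[proto])))
    all_suites = [suite for suites in accepted.values() for _, suite in suites]
    weak = sorted({s for s in all_suites
                   if any(mark in s for mark in WEAK_CIPHER_MARKERS)})
    for suite in weak:
        findings.append("weak cipher suite accepted: %s" % suite)
    # Ephemeral DH/ECDH key exchange is what gives forward secrecy.
    if not any(s.startswith(("ECDHE", "DHE", "EDH")) for s in all_suites):
        findings.append("no forward-secret (ECDHE/DHE) suite accepted")
    return findings


def protocols_accepted(text):
    """Sorted list of protocol versions the scanned server negotiated."""
    return sorted(parse_sslscan(text))


if __name__ == "__main__":
    # Read piped sslscan output; fall back to the embedded sample on a terminal.
    text = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin.read()
    results = audit(text)
    for finding in results:
        print("FAIL:", finding)
    if not results:
        print("OK: no SSLv3 and no weak suites accepted")
    sys.exit(1 if results else 0)
```

Pipe a real scan through it (`sslscan proxy:2443 | python sslv3_audit.py`, with the file name being whatever you save it as) and the non-zero exit status makes it usable as a check in a cron job or a monitoring probe; run with no input and it audits the embedded sample, which reports SSLv3 plus the RC4 and 3DES suites.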
Hamparian,Don
2014-10-15 14:56:08 UTC
Hello all, we are discussing the technical approach for resolving this issue now.

Don


Don Hamparian
Sr. Product Manager,
EZproxy and Identity Management
OCLC
***@oclc.org
Voice 614-764-6017
Skype donhamp2



-----Original Message-----
From: Wimmer Christian [mailto:***@ub.uni-muenchen.de]
Sent: Wednesday, October 15, 2014 8:26 AM
To: EZProxy discussion list
Subject: AW: [ezproxy] SSL v3 support / poodle

Sadly, there is no "Option DisableSSLv3". So I guess we are stuck with this vulnerability until we get a new ezproxy version which, hopefully, contains an option to disable SSLv3 somehow.


--
Christian Wimmer
Ludwig-Maximilians-Universität München
University Library
IT-Department

Geschwister-Scholl-Platz 1, 80359 München, Germany
Phone: +49 89 2180-6141
Email: ***@ub.uni-muenchen.de
Thomas Misilo
2014-10-15 18:16:58 UTC
Don,

When you are working on this, can it also be recommended to support the Moderate or at least the Intermediate compatibility SSL ciphers as listed here: https://wiki.mozilla.org/Security/Server_Side_TLS

Thanks!

Tom

Julien Savoie
2014-10-15 18:49:33 UTC
Post by Thomas Misilo
When you are working on this, can it also be recommended to support the Moderate or at least the Intermediate compatibility SSL ciphers as listed here: https://wiki.mozilla.org/Security/Server_Side_TLS
ECDHE would require statically linking a newer version of OpenSSL. It
would also be nice if SSLCipherSuite could be defined separately for the
client/server parts of the proxy.



Andrew Anderson
2014-10-15 19:09:01 UTC
Post by Julien Savoie
Post by Thomas Misilo
When you are working on this, can it also be recommended to support the Moderate or at least the Intermediate compatibility SSL ciphers as listed here: https://wiki.mozilla.org/Security/Server_Side_TLS
ECDHE would require statically linking a newer version of OpenSSL. It
would also be nice if SSLCipherSuite could be defined separately for the
client/server parts of the proxy.
Bonus points if an out-of-the-box configuration of EZproxy could get an “A” rating at www.ssllabs.com.
--
Andrew Anderson, Director of Development, Library and Information Resources Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | http://www.facebook.com/LIRNnotes


Jim Adamson
2014-10-16 10:05:13 UTC
Just to add to the joy, I see new versions of OpenSSL have been released to
address more bugs:

http://www.theregister.co.uk/2014/10/15/openssl_ddos_vulns/
https://www.openssl.org/news/

Jim
--
Jim Adamson
Digital York Technical specialist
Information
LFA/237, Harry Fairhurst building
University of York
Heslington, York YO10 5DD
+44 (0)1904 323859
My calendar: http://bit.ly/mBy6U8
Library Footprints Knowledge Base & Enquiries: http://bit.ly/i4CfCa



Andrew Anderson
2014-10-16 11:34:42 UTC
Not to sound too much like a broken record, but this is a strong argument for dynamically linking against the system’s OpenSSL library so that it stops being OCLC’s burden to keep the library updated, and shift that back to where it belongs: the OS vendor.
--
Andrew Anderson, Director of Development, Library and Information Resources Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | http://www.facebook.com/LIRNnotes
Brian McBride
2014-10-16 13:58:52 UTC
I agree with Andrew; dynamically linking against the system's OpenSSL library should be a high-priority feature request.

-Brian

Brian McBride
Head of Application Development
J. Willard Marriott Library

O: 801.585.7613
F: 801.585.5549
***@utah.edu<mailto:***@utah.edu>

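Andrew's and Brian's point about dynamic versus static linking can be checked on any installed binary before the question of who patches OpenSSL comes up. This is an added example, not EZproxy or OCLC tooling, and it is a byte-scan heuristic: a dynamically linked ELF program records the shared library it needs (`libssl.so.X`) in its dynamic string table, so the OS vendor's patched copy is loaded at run time, while a statically linked program carries the library's own `OpenSSL x.y.z` version text inside its image and only changes when the vendor ships a new binary. The two sample byte strings are constructed stand-ins and the version number in them is made up for the example, not EZproxy's actual embedded version; `classify_openssl` and `classify_file` are names chosen here.

```python
"""Heuristic check of how a binary obtains OpenSSL (added example)."""
import re
import sys

# DT_NEEDED entries are stored as plain strings, e.g. "libssl.so.1.0.0".
NEEDED_RE = re.compile(rb"libssl\.so(\.[0-9.]+)?")
# OpenSSL's compiled-in version text, e.g. "OpenSSL 1.0.1j 15 Oct 2014".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def classify_openssl(data):
    """Classify raw binary bytes.

    Returns ("dynamic", soname) when the program loads the system libssl,
    ("static", version) when it embeds its own OpenSSL, ("none", None) when
    neither marker is present. The dynamic check runs first because a
    dynamically linked program never carries the library's version text,
    whereas a static one never names libssl.so.
    """
    m = NEEDED_RE.search(data)
    if m:
        return ("dynamic", m.group(0).decode())
    m = VERSION_RE.search(data)
    if m:
        return ("static", m.group(1).decode())
    return ("none", None)


def classify_file(path):
    """Read a file from disk and classify it."""
    with open(path, "rb") as fh:
        return classify_openssl(fh.read())


# Constructed samples standing in for the two kinds of binary (not real ELF files).
FAKE_DYNAMIC = (b"\x7fELF...libc.so.6\x00libssl.so.1.0.0\x00"
                b"libcrypto.so.1.0.0\x00...")
FAKE_STATIC = b"\x7fELF...OpenSSL 0.9.8y 5 Feb 2013\x00..."  # made-up version


if __name__ == "__main__":
    # Usage: python openssl_linkage.py /path/to/ezproxy [more binaries...]
    targets = sys.argv[1:]
    if not targets:
        for label, blob in (("sample-dynamic", FAKE_DYNAMIC),
                            ("sample-static", FAKE_STATIC)):
            print(label, classify_openssl(blob))
    for path in targets:
        kind, detail = classify_file(path)
        print("%s: %s%s" % (path, kind, " (%s)" % detail if detail else ""))
```

For a statically linked binary the version string is the useful output: it tells you which OpenSSL advisories apply to the proxy regardless of what the OS package manager reports, which is exactly the burden the thread wants moved back to the OS vendor. On a real system `ldd` gives the authoritative answer for the dynamic case; the byte scan is what you fall back to when the file is static.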
Graham Stewart
2014-10-16 14:13:28 UTC
Yes, and while the topic is current, separating EZProxy from the web
server and defining it as an Apache module would be an excellent design
change. It would provide much more flexibility in running it, allowing
EZProxy to work in concert with other Apache modules, such as mod_security.

Graham
--
Graham Stewart
Network and Storage Services Manager
Information Technology Services
University of Toronto Libraries
416-978-6337
Andrew Anderson
2014-10-16 14:51:10 UTC
The worst kept secret of rewriting proxies is that as of Apache 2.4, the only thing that really separates EZproxy from Apache is the specialized vendor integration components and the configuration file format (which can be viewed as a strength in some cases and a weakness in others).

Depending on your vendor mix, it is possible today to use Apache instead of EZproxy as your rewriting proxy server.

Just imagine: a mature and robust dual-stack (IPv4/IPv6) platform, integrated caching, just about any 3rd party authentication integration you could want, the ability to integrate other applications into the same server (CMS, etc), better static file serving, a security layer option, a server that does not shutdown from mysterious threading timeouts, complete documentation, the list goes on and on.

Should OCLC decide to open source EZproxy, I know that myself and others on this list would dive into it with abandon to merge the best of Apache and the best of EZproxy, and the result would be a tremendous leap forward.

</bully pulpit>
--
Andrew Anderson, Director of Development, Library and Information Resources Network, Inc.
http://www.lirn.net/ | http://www.twitter.com/LIRNnotes | http://www.facebook.com/LIRNnotes
Julien Savoie
2014-10-16 15:02:00 UTC
Post by Andrew Anderson
The worst kept secret of rewriting proxies is that as of Apache 2.4, the only thing that really separates EZproxy from Apache is the specialized vendor integration components and the configuration file format (which can be viewed as a strength in some cases and a weakness in others).
Depending on your vendor mix, it is possible today to use Apache instead of EZproxy as your rewriting proxy server.
I actually recall being forced to switch from apache mod_proxy to
ezproxy by a vendor specific demand/issue in 2006.
Post by Andrew Anderson
Just imagine: a mature and robust dual-stack (IPv4/IPv6) platform, integrated caching, just about any 3rd party authentication integration you could want, the ability to integrate other applications into the same server (CMS, etc), better static file serving, a security layer option, a server that does not shutdown from mysterious threading timeouts, complete documentation, the list goes on and on.
IPv6 in ezproxy would be nice. Ezproxy is one of our few externally
facing services without an IPv6 address associated.
Post by Andrew Anderson
Should OCLC decide to open source EZproxy, I know that myself and others on this list would dive into it with abandon to merge the best of Apache and the best of EZproxy, and the result would be a tremendous leap forward.
Or conversely merge the vendor specific bits into apache, which I can
understand they might be nervous about. I would settle for being able
to use my own OpenSSL library. I do rather like the idea of a
mod_ezproxy module. It might actually make things easier on OCLC's side
with a smaller codebase to manage.




Sébastien Nadeau
2014-10-16 15:18:20 UTC
Not sure, because then they would need to maintain different versions of mod_ezproxy for Apache 2.2, 2.4, etc., and sysadmins would also need to update Apache on a regular basis, with all the trouble it can cause. Updating EZproxy is straightforward: you just change a binary.

Sébastien

John Wohlers
2014-10-17 21:10:18 UTC
Is there any ETA on an update to patch this? Our campus security person
is getting a bit concerned...


John Wohlers
Library Technology Coordinator
Waubonsee Community College
***@waubonsee.edu

