POODLE fix for OpenDJ

Below is a simple bash script that applies the changes recommended in POODLE SSL Bug and OpenDJ.

#!/bin/bash
# Fix for POODLE vulnerability in OpenDJ
# Specifies SSL to be only TLSv1 and higher, not SSLv3
# Created by P Lembo on 2014/10/16
#
# Each dsconfig call sets the ssl-protocol property explicitly. While that
# property is empty, OpenDJ falls back to the JVM's default protocol list,
# which is what lets SSLv3 in. Options used on every call:
#   -h/-p  administration connector host and port
#   -j     file holding the bind password (keep it readable by DSUSER only)
#   -X     trust the server certificate without prompting
#   -n     run non-interactively

echo "OpenDJ POODLE Fix"
echo "Run this script as OpenDJ service owner!"

DSHOME=/data/app/opendj/ds-user1
DSUSER=opendj          # service owner the script must run as (informational)
USER_HOME=/data/app/opendj
HANDLER_NAMES=('LDAPS Connection Handler' 'LDAP Connection Handler' 'HTTP Connection Handler')

# Connection Handlers
for i in "${HANDLER_NAMES[@]}"
do

"${DSHOME}/bin/dsconfig" \
set-connection-handler-prop \
--handler-name "$i" \
--add ssl-protocol:TLSv1 \
--add ssl-protocol:TLSv1.1 \
--add ssl-protocol:TLSv1.2 \
-h localhost \
-p 5444 \
-j "${USER_HOME}/etc/pwd.txt" \
-X -n
echo "$i"

done

# Crypto Manager (covers replication and other internal TLS use)
"${DSHOME}/bin/dsconfig" \
set-crypto-manager-prop \
--add ssl-protocol:TLSv1 \
--add ssl-protocol:TLSv1.1 \
--add ssl-protocol:TLSv1.2 \
-h localhost \
-p 5444 \
-j "${USER_HOME}/etc/pwd.txt" \
-X -n
echo "Crypto Manager"

# Administration Connector (the port dsconfig itself talks to)
"${DSHOME}/bin/dsconfig" \
set-administration-connector-prop \
--add ssl-protocol:TLSv1 \
--add ssl-protocol:TLSv1.1 \
--add ssl-protocol:TLSv1.2 \
-h localhost \
-p 5444 \
-j "${USER_HOME}/etc/pwd.txt" \
-X -n
echo "Administration Connector"

echo "End of file"
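The script above changes the configuration but does not tell you whether anything was missed (a handler added later, an instance someone forgot, or a property that still lists SSLv3). The following audit, an added example that is not part of the original post and not OpenDJ's own code, reads an instance's config/config.ldif and reports every TLS-capable entry whose protocol list is either empty (JVM default, which on 2014-era Java still included SSLv3) or explicitly contains SSLv3. It assumes the OpenDJ configuration layout as I understand it: connection handlers, the Crypto Manager and the Administration Connector hold the allowed protocols in the multi-valued attribute ds-cfg-ssl-protocol, handlers flag TLS use with ds-cfg-use-ssl or ds-cfg-allow-start-tls, and the two DNs in ALWAYS_TLS_DNS are the crypto manager and administration connector entries. The LDIF sample is constructed for the example.

```python
"""Audit an OpenDJ config.ldif for entries that could still negotiate SSLv3.

Added example, not OpenDJ code. Attribute names, DNs and the sample LDIF
below are assumptions/constructed data, not taken from the original post.
"""
import re
import sys
from typing import Dict, List

BANNED = {"sslv2", "sslv3", "sslv2hello"}
# Entries that always use TLS but carry no ds-cfg-use-ssl flag (assumed DNs).
ALWAYS_TLS_DNS = {"cn=administration connector,cn=config",
                  "cn=crypto manager,cn=config"}

# Constructed sample: two entries fixed, two at the JVM default, one that
# explicitly allows SSLv3, and one non-TLS handler the audit must ignore.
SAMPLE_CONFIG_LDIF = """\
dn: cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config
cn: LDAPS Connection Handler
ds-cfg-use-ssl: true
ds-cfg-listen-port: 1636
ds-cfg-ssl-protocol: TLSv1
ds-cfg-ssl-protocol: TLSv1.1
ds-cfg-ssl-protocol: TLSv1.2

dn: cn=LDAP Connection Handler,cn=Connection Handlers,cn=config
cn: LDAP Connection Handler
ds-cfg-use-ssl: false
ds-cfg-allow-start-tls: true
ds-cfg-listen-port: 1389

dn: cn=HTTP Connection Handler,cn=Connection Handlers,cn=config
cn: HTTP Connection Handler
ds-cfg-use-ssl: true
ds-cfg-ssl-protocol: SSLv3
ds-cfg-ssl-protocol: TLSv1

dn: cn=JMX Connection Handler,cn=Connection Handlers,cn=config
cn: JMX Connection Handler
ds-cfg-use-ssl: false

dn: cn=Administration Connector,cn=config
cn: Administration Connector
ds-cfg-ssl-protocol: TLSv1.2

dn: cn=Crypto Manager,cn=config
cn: Crypto Manager
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: one dict per entry, attribute -> list of values.
    Unfolds continuation lines (leading space) and skips '#' comments."""
    text = re.sub(r"\n ", "", text)
    entries, current = [], {}
    for line in text.splitlines():
        line = line.rstrip("\r")
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.lstrip(": "))
    if current:
        entries.append(current)
    return entries


def audit_ssl_protocols(ldif_text: str) -> Dict[str, str]:
    """Map each TLS-capable entry's cn to 'ok', 'sslv3-allowed' (SSLv2/SSLv3
    listed) or 'jvm-default' (no explicit list: the JVM decides, which on
    older Java means SSLv3 is still offered). Non-TLS entries are skipped."""
    report: Dict[str, str] = {}
    for e in parse_ldif(ldif_text):
        flag = lambda a: e.get(a, ["false"])[0].lower() == "true"
        uses_tls = (flag("ds-cfg-use-ssl") or flag("ds-cfg-allow-start-tls")
                    or "ds-cfg-ssl-protocol" in e
                    or e.get("dn", [""])[0].lower() in ALWAYS_TLS_DNS)
        if not uses_tls:
            continue
        name = e.get("cn", e.get("dn", ["?"]))[0]
        protos = {p.lower() for p in e.get("ds-cfg-ssl-protocol", [])}
        if not protos:
            report[name] = "jvm-default"
        elif protos & BANNED:
            report[name] = "sslv3-allowed"
        else:
            report[name] = "ok"
    return report


def main(argv: List[str]) -> int:
    """Usage: audit_opendj_tls.py [path/to/config.ldif]; with no path the
    constructed sample is audited. Exit status 1 if anything needs fixing."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG_LDIF
    report = audit_ssl_protocols(text)
    for name, status in report.items():
        print(f"{status:14} {name}")
    return 0 if all(s == "ok" for s in report.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against each instance's config/config.ldif after the fix script (and again after any upgrade or import, which can restore defaults); a non-zero exit means at least one entry still needs the set-*-prop treatment. On the sample it flags the HTTP handler for listing SSLv3 and the LDAP handler and Crypto Manager for having no explicit list. As a second, independent check from the network side, a client that still builds with SSLv3 support (openssl s_client -ssl3 -connect host:port) should now fail the handshake while -tls1 succeeds; newer OpenSSL builds drop the -ssl3 option entirely, which is why the config-level audit is the more portable of the two.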

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).