Page 1 of 1

Disabling SSLv3 for GoAnywhere Director Administrator

Posted: Fri Oct 17, 2014 3:37 pm
by Support_Erick
Perform the following steps to disable SSLv3 support for the administrative interface of GoAnywhere Director. This process will mitigate the the exploit known as POODLE (or Padding Oracle On Downgraded Legacy Encryption) for HTTPS connections to the GoAnywhere Director administrator:
  1. Log in to the system where GoAnywhere Director is installed.
  2. Navigate to [INSTALL_DIR]/tomcat/conf where [INSTALL_DIR] is the installation directory of GoAnywhere Director.
  3. Edit the file server.xml
  4. Locate the <Connector /> element that is configured to support SSL.
  5. Add the attribute sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the <Connector /> element like the following screenshot:
    goanywhere-director-sslv3.png
  6. Save the file and restart the GoAnywhere Director service/subsystem.
The availability of specific versions of SSL/TLS is dependent upon the JSSE provider used by the JVM. For example, the JSSE provider shipped with Oracle JRE 1.6.0 does not include support for TLS 1.1 and TLS 1.2, however Oracle JRE 1.7.0 does include support for TLS 1.1 and TLS 1.2. In order to take advantage of this enhanced security, you may need to configure GoAnywhere to run on an alternate JRE. Consult your JRE documentation for more information on the supported versions of TLS.