Posted on 11-04-2014 09:08 PM
Hi All,
Just thought I would put this up for anyone running into this issue.
JAMF have told us how the JSS is to be more secure by changing the ciphers option within the server.xml file. The details of the change are here.
https://jamfnation.jamfsoftware.com/article.html?id=382
This is only applied to new JSS's but not updated JSS's. If you install a clean 9.61, devices will enroll, connect to it and can even log in via Safari. But when using Casper Focus from an iPad, it will throw back a "Connection Failed SSL Error, the server could not establish a secure connection to the JSS".
Until we see an update to Casper Focus we will have to manually drop our security back down to the Pre-POODLE fix.
Open your JSS installation Directory
Unix - /usr/local/jss/
Mac - /Library/JSS/
Windows - C:\Program Files\JSS
Navigate from your JSS Directory to the file Tomcat > conf > server.xml
Note: If you are on an OS X box please edit using a terminal text editor.
Second Note: If you do not know how to copy an entire line within a UNIX text editor and comment it out as a backup, duplicate your entire server.xml file before starting the following...
Open this file and find the following attribute from the Connector element for port="8443" after the sslProtocol="TLS" attribute (this is added as part of 9.61 upgrade installation for all those on 9.6 or below):
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
This element is part of the POODLE fix but can remain in place.
Next move along the line and add the following within the ciphers element:
SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
Your ciphers element should look like this now:
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
Restart Tomcat and Casper Focus should now work.
During the Upgrade to a 9.6 or below server the ciphers are not modified, however with a clean install the ciphers do not contain the SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA options.
Posted on 11-05-2014 12:35 PM
Thanks for bringing this to our attention. We took a closer look at the reported issue with Casper Focus and are able to report the following results:
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
Our testing indicates that the reported issue with Casper Focus is most likely caused by the JSS running on a server that has Java 1.8 installed. The JSS is not currently tested for compatibility with Java 1.8, as indicated by the server requirements on page 22 of the Casper Suite Administrator's Guide 9.61:
You can host the JSS on any server that meets the following requirements:
- Java 1.6 or Java 1.7
- MySQL 5.1 or later
- Apache Tomcat 6, 7, or 8 (Tomcat 7 is recommended)
The ciphers attribute was modified to remove support for certain cipher suites due to known vulnerabilities with the RC4 cipher:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
Therefore, it is not recommended to add support for RC4 ciphers back to the default server.xml file. Additional information about "Configuring Supported Ciphers for Tomcat HTTPS Connections" can be found in the following Knowledge Base article on JAMF Nation:
https://jamfnation.jamfsoftware.com/article.html?id=384
Let us know if there are still any problems with Casper Focus when the JSS is running on a server that meets the requirements listed in the Casper Suite Administrator's Guide, including running Java 1.6 or Java 1.7.
Thanks,
Jason Van Zanten
Product Specialist, Information Security
JAMF Software
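For anyone who wants to check what the first post's edit actually does to a server.xml, and to confirm Jason's point that the RC4 suites should not be there, here is a small audit script. It is an added example, not JAMF's code and not a JSS tool: it parses the Connector on the JSS HTTPS port, lists the RC4 suites (the CVE-2013-2566 issue) and flags SSLv3 in sslEnabledProtocols (the POODLE vector), and can produce a copy of the file with the RC4 suites stripped back out. The embedded server.xml is a constructed sample built from the cipher list in the first post with the two RC4 suites added; the function names are this example's own.

```python
"""Audit a Tomcat server.xml for the TLS settings discussed in this thread.

Added example, not JAMF's code. Checks the Connector on the JSS HTTPS port for
RC4 cipher suites (CVE-2013-2566) and SSLv3 (POODLE), and can strip RC4 back out.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the cipher list from the first post, with the two RC4
# suites added back in (the state a defender wants to catch).
SERVER_XML_WITH_RC4 = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
  </Service>
</Server>
"""


def split_list(value):
    """Tomcat accepts comma-separated lists with optional whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def find_connector(xml_text, port="8443"):
    """Return the Connector element listening on `port`, or None."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("port") == port:
            return conn
    return None


def audit_connector(xml_text, port="8443"):
    """Return findings for the HTTPS connector on `port` as a dict."""
    conn = find_connector(xml_text, port)
    if conn is None:
        return {"error": f"no Connector on port {port}"}
    protocols = split_list(conn.get("sslEnabledProtocols", ""))
    ciphers = split_list(conn.get("ciphers", ""))
    findings = {
        "protocols": protocols,
        "ciphers": ciphers,
        # SSLv3 listed explicitly is the POODLE exposure the 9.61 change removed.
        # An absent sslEnabledProtocols falls back to the JVM default, which on
        # older JREs still included SSLv3, so an empty list is reported too.
        "legacy_protocols": [p for p in protocols if p.upper() == "SSLV3"]
        or ([] if protocols else ["(JVM default, sslEnabledProtocols not set)"]),
        # RC4 is what the first post adds back and what Jason advises against.
        "rc4_ciphers": [c for c in ciphers if "RC4" in c.upper()],
    }
    findings["ok"] = not findings["legacy_protocols"] and not findings["rc4_ciphers"]
    return findings


# Edit the attribute text rather than re-serialising the tree, so comments and
# layout in the real server.xml survive. Applies to every ciphers= attribute.
CIPHERS_ATTR = re.compile(r'(ciphers=")([^"]*)(")')


def remove_rc4_ciphers(xml_text):
    """Return server.xml text with RC4 suites removed from each ciphers attribute."""
    def repl(match):
        kept = [c for c in split_list(match.group(2)) if "RC4" not in c.upper()]
        return match.group(1) + ", ".join(kept) + match.group(3)
    return CIPHERS_ATTR.sub(repl, xml_text)


if __name__ == "__main__":
    before = audit_connector(SERVER_XML_WITH_RC4)
    print("before:", "OK" if before["ok"] else "FINDINGS", before["rc4_ciphers"])
    after = audit_connector(remove_rc4_ciphers(SERVER_XML_WITH_RC4))
    print("after: ", "OK" if after["ok"] else "FINDINGS", after["rc4_ciphers"])
```

To run it against a real install, read the file from the Tomcat conf directory named in the first post and pass its contents to `audit_connector`; only write the output of `remove_rc4_ciphers` back after keeping the backup copy the first post already recommends, then restart Tomcat as described.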
Posted on 11-05-2014 05:04 PM
Thanks for the response Jason. I missed that article posted last Friday about the ciphers.
By the way, is it recommended that all existing JSS installations remove the RC4 ciphers and update their server.xml connectors? (By asking that question I am assuming I will be pointed to another article I missed.)
Thanks
Tomos
Posted on 11-05-2014 08:26 PM
Posted on 06-18-2015 11:52 AM
I'm running into this issue, also running Java 1.8, and my biggest concern is that Java 1.8 is now supported by the JSS. We're now running a completely-supported configuration and it seems that compatibility with Casper Focus was silently dropped.
Has anyone had success with getting around this issue on JSS 9.72/Java 8u45?
Posted on 06-18-2015 11:59 AM
Known issue. Either roll back to Java 7 or wait for 9.73. I rolled back a few weeks ago, but I'd expect 9.73 to be out any day at this point. Defect D-008008.