Question & Answer
How do you enable SSL V3, which is disabled by default due to a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack?
A new environment variable, CCASE_ENABLE_SSLV3, can be set to TRUE to enable SSL V3 (default: FALSE). If this environment variable is set on a client, then the following integrations are allowed to use SSL V3 negotiation with a web server:
- The UCM integration with ClearQuest
- The Base ClearCase integration with ClearQuest
- CMI integrations with any OSLC provider
If CCASE_ENABLE_SSLV3 is not set, SSL V3 is disallowed. This means that the integrations fail if the web server is configured to allow only SSL V3.
In addition, for the (Perl trigger-based) Base ClearCase integration with ClearQuest, a new configuration option in the config.pl file can be set to enable SSLv3:
# &SetConfigParm("CQCC_SERVER_SSLV3", "TRUE");
Note: CQCC_SERVER_SSLV3 defaults to FALSE (SSL V3 is disabled).
For the Perl triggers, if either CCASE_ENABLE_SSLV3 or CQCC_SERVER_SSLV3 is set, then SSL V3 is enabled when connecting to the ClearQuest server.
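Because either setting alone turns SSL V3 back on for the Perl triggers, a host audit has to check both. The following is an added example for UNIX clients, not IBM code: the function names are hypothetical, any case variant of TRUE is assumed to count as enabled, and the config.pl line is assumed to have the form shown above.

```shell
#!/bin/sh
# Added audit example, not IBM code. Function names are hypothetical.

# Assumption: any case variant of TRUE counts as enabled.
is_true() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        TRUE) return 0 ;;
        *)    return 1 ;;
    esac
}

# Succeeds if the file has an active SetConfigParm line setting
# CQCC_SERVER_SSLV3 to TRUE. Assumes the line form shown on the page;
# a line starting with '#' is a Perl comment and does not match.
config_enables_sslv3() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*&?[[:space:]]*SetConfigParm\([[:space:]]*"CQCC_SERVER_SSLV3"[[:space:]]*,[[:space:]]*"[Tt][Rr][Uu][Ee]"[[:space:]]*\)' "$1"
}

# Prints findings; returns 1 if either switch enables SSL V3, else 0.
audit_sslv3() {
    config=${1:-}
    status=0
    if is_true "${CCASE_ENABLE_SSLV3:-}"; then
        echo "ENABLED: CCASE_ENABLE_SSLV3 is TRUE in this environment"
        status=1
    fi
    if [ -n "$config" ] && config_enables_sslv3 "$config"; then
        echo "ENABLED: CQCC_SERVER_SSLV3 is TRUE in $config"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: neither setting enables SSL V3"
    return "$status"
}

# Constructed sample: config.pl with the option commented out.
sample=$(mktemp)
printf '%s\n' '# &SetConfigParm("CQCC_SERVER_SSLV3", "TRUE");' > "$sample"
audit_sslv3 "$sample" || true
rm -f "$sample"
```

To audit a real client, call audit_sslv3 with the path to its config.pl from the environment in which the triggers run, so that the CCASE_ENABLE_SSLV3 value checked is the one the integration sees.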
For general information about the SSL V3 vulnerability and ClearCase, refer to this bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21687347.
08 August 2018