This article applies to:
- Acronis Mobility products
- POODLE SSL 3.0 Vulnerability (CVE-2014-3566), which affects all implementations of SSL 3.0.
Acronis MassTransit
There are two components in a typical installation: the MT Server and the IIS web server.
MT Server
MT Server is not vulnerable to POODLE as long as the TCP/IP Secure incoming call configuration has the "Legacy SSLv2/3" support checkbox OFF (when it is OFF, we only use TLSv1).
MT Web
For MT Web, you need to modify the IIS configuration to reject SSLv3 connections as described in this Microsoft Technet article:
You can disable support for the SSL 3.0 protocol on Windows by following these steps:
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Note: If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
- On the Edit menu, click Add Value.
- In the Data Type list, click DWORD.
- In the Value Name box, type Enabled, and then click OK.
Note: If this value is present, double-click the value to edit its current value.
- Type 00000000 in Binary Editor to set the value of the new key equal to "0".
- Click OK. Restart the computer.
Note: This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.
Note: After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.
Acronis Access
There are two components that need mitigation: the Access Tomcat and the Access Gateway.
Access Tomcat
The Access Tomcat server uses the Apache Portable Runtime (APR) for handling SSL connections. APR is built using OpenSSL. Until a new version of APR is available that has the fix in OpenSSL integrated, the solution is to disable support for SSLv3 in the Tomcat server.xml configuration file and restart the Access Tomcat service.
The specific change is to add SSLProtocol="TLSv1" to the Connector section of the XML file. Below is an example of where the change can be plugged in. Do not replace the whole block of text -- there are other settings that are specific to your server:
<Connector maxHttpHeaderSize="65536"
maxThreads="150"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
SSLEnabled="true"
SSLProtocol="TLSv1"
SSLCertificateFile="***Access certificate file***"
SSLCertificateKeyFile="***Access key file***"
SSLCertificateChainFile="***Access chain file***"
port="443"
SSLHonorCipherOrder="true"
address="XXX.XXX.XXX.XXX"
connectionTimeout="-1"
URIEncoding="UTF-8"
/>
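One way to confirm the change landed on every SSL-enabled connector in server.xml, as an added example that is not Acronis or Tomcat code. It assumes SSLProtocol values are protocol names joined with "+", and treats a missing attribute or the value "all" as leaving SSLv3 reachable; the name audit_connectors and the sample XML are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Tokens that leave SSL 3.0 or older reachable. Treating "all" as weak is an
# assumption: it is only safe if the APR/OpenSSL build already drops SSLv3.
WEAK_TOKENS = {"sslv2", "sslv3", "all"}


def audit_connectors(server_xml_text):
    """Return (port, SSLProtocol value, verdict) for every TLS-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector, no SSL handshake to audit
        port = conn.get("port", "?")
        value = conn.get("SSLProtocol")
        if value is None:
            # Without the attribute the connector uses its default protocol set.
            findings.append((port, None, "FAIL: SSLProtocol not set"))
            continue
        # Assumed value syntax: protocol names joined with "+", e.g. "TLSv1+TLSv1.1".
        tokens = {t.strip().lower() for t in value.split("+") if t.strip()}
        weak = sorted(tokens & WEAK_TOKENS)
        if weak or not tokens:
            findings.append((port, value, "FAIL: allows " + (", ".join(weak) or "default")))
        else:
            findings.append((port, value, "OK"))
    return findings


# Constructed sample for illustration, not a real Acronis Access server.xml.
SAMPLE = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               SSLProtocol="TLSv1" SSLHonorCipherOrder="true"/>
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"/>
    <Connector port="9443" scheme="https" secure="true" SSLEnabled="true"
               SSLProtocol="SSLv3+TLSv1"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for port, value, verdict in audit_connectors(SAMPLE):
        print(f"port {port}: SSLProtocol={value!r} -> {verdict}")
```

To audit a real installation, pass the contents of its server.xml to audit_connectors in place of SAMPLE.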
Access Gateway
The Access Gateway uses the built-in Windows HTTPS server. Until Microsoft issues a security patch with a fix, the solution is to disable SSLv3 support in the Windows operating system as described by Microsoft in this Microsoft Technet article (see: Disable SSL 3.0 in Windows).