October 20, 2014
Question

POODLE Vulnerability and AMS configuration in Adaptor.xml

  • 2 replies
  • 1170 views

Hi,

I am looking for some recommendation and guidance on how to ban AMS from using SSLv3 with RTMPS clients. I know that there's a configuration in Adaptor.xml called "SSLCipherSuite" which should be able to somehow prevent a specific protocol, but the Adobe documentation recommends contacting Adobe before changing that configuration.

So I was wondering if Adobe has any official recommendation to prevent RTMPS clients from using SSLv3. Could someone please point me in the right direction?

Thanks

-Irtiza



Adobe Employee
October 20, 2014

Here is how you can find out what your browser supports:

SSL Cipher Suites Supported By Your Browser

Adobe Employee
October 20, 2014

If you can ensure that all your clients are Flash Player running in the latest browsers (IE 11, latest Chrome and latest Firefox, which means all of them are capable of handling TLSv1.2 connections), then I would recommend using the following setting:

<SSLCipherSuite>ALL:!ADH:!LOW:!EXP:!MD5:-SSLv3:@STRENGTH</SSLCipherSuite>

If you have older browsers, then you will have to wait for the next dot release.

Participant
October 22, 2014

Hi hparmar,

if you have older browsers, then you will have to wait for next dot release.

I have 2 questions.

When will it be released?

How will it support older browsers?

Adding "-SSLv3" disables TLS 1.0 and TLS 1.1 as well, so I hope the next release provides some way of disabling only SSL 3.0.

Thanks,

Hiroki

Adobe Employee
October 22, 2014

When will it be released?

I cannot comment on that...


How will it support older browsers?

Well, most likely it will disable SSLv3 support from within the application, so you will not need to change anything in the AMS configuration.

All browsers which work on TLS 1.0 and higher will continue to work as they were working till now.

Note that even in the current release, if your browsers support TLS then TLS would be the preferred mode of connection and you will not be exposed to the SSLv3 attack.

Even today, the POODLE vulnerability exists only if you are working with those browsers which do not support TLS.

That said, you must upgrade your OpenSSL to 1.0.1j, because prior to that a hacker could exploit a flaw in OpenSSL so that even if your endpoints support TLS, they can make the connection protocol get downgraded to SSLv3... OpenSSL 1.0.1j fixes this protocol downgrade attack.

The steps to compile OpenSSL for AMS are available in the public domain. Please search for them, compile OpenSSL yourself and drop that OpenSSL into your AMS installation.

OpenSSL consists of two files: libeay32.dll and ssleay32.dll on Windows, and libssl.so.1.0.0 and libcrypto.so.1.0.0 on Linux.
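The following is an added example, not code from the thread or from Adobe, that makes concrete what the recommended SSLCipherSuite string resolves to, why Hiroki's objection about "-SSLv3" holds, and what the "disable SSLv3 from within the application" alternative looks like. It uses Python's ssl module as a stand-in for the OpenSSL build AMS links against: set_ciphers() hands the string to OpenSSL's own cipher-string parser, so the resolved list matches `openssl ciphers -v`. The function names and the second cipher string (the recommended one with "-SSLv3" left out) are constructed for this example.

```python
# Added example, not from the thread or from Adobe: resolve an Adaptor.xml
# cipher string with Python's ssl module, which uses the same OpenSSL
# cipher-string parser AMS does, and contrast "-SSLv3" with a protocol-level
# SSL 3.0 switch.
import ssl

# The string recommended in the thread for <SSLCipherSuite>.
RECOMMENDED = "ALL:!ADH:!LOW:!EXP:!MD5:-SSLv3:@STRENGTH"
# Constructed variant: the same string with the "-SSLv3" rule left out.
WITHOUT_MINUS_SSLV3 = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"


def resolve_cipher_string(cipher_string, refuse_sslv3=False):
    """Return [(suite name, minimum protocol), ...] as OpenSSL resolves it.

    The protocol tag is the lowest protocol a suite can run under
    ('SSLv3', 'TLSv1.0' or 'TLSv1.2'). TLS 1.3 suites are dropped because
    the cipher string does not govern them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if refuse_sslv3:
        # Protocol-level switch: reject SSL 3.0 handshakes outright, which is
        # the kind of in-application fix the thread expects from the next dot
        # release. It does not touch the cipher list at all.
        ctx.options |= ssl.OP_NO_SSLv3
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def protocols_offered(cipher_string):
    """Distinct minimum-protocol tags left after applying the string."""
    return {proto for _, proto in resolve_cipher_string(cipher_string)}


def pre_tls12_suites(cipher_string):
    """Suites a TLS 1.0/1.1 client could still negotiate (not TLSv1.2-only)."""
    return [name for name, proto in resolve_cipher_string(cipher_string)
            if proto != "TLSv1.2"]


def compare():
    """Summarise what "-SSLv3" costs versus refusing SSL 3.0 at protocol level."""
    return {
        # "-SSLv3" strips every suite whose floor is SSL 3.0. On OpenSSL 1.0.x
        # (the AMS-era build) that is every suite a TLS 1.0/1.1 client can use,
        # which is Hiroki's objection; on OpenSSL 1.1.0+ the suites whose floor
        # is TLS 1.0 (the ECDHE + SHA-1 ones) survive, so the cut is smaller
        # but TLS 1.0/1.1 clients still lose most of their options.
        "pre_tls12_with_minus_sslv3": len(pre_tls12_suites(RECOMMENDED)),
        "pre_tls12_without_minus_sslv3": len(pre_tls12_suites(WITHOUT_MINUS_SSLV3)),
        # OP_NO_SSLv3 changes the protocol floor, not the suite list.
        "suite_list_unchanged_by_op_no_sslv3":
            resolve_cipher_string(WITHOUT_MINUS_SSLV3, refuse_sslv3=True)
            == resolve_cipher_string(WITHOUT_MINUS_SSLV3),
    }


if __name__ == "__main__":
    for name, proto in resolve_cipher_string(RECOMMENDED):
        print(f"{name:32s} {proto}")
    print(compare())
```

Run it against the OpenSSL you actually ship with AMS: the count of pre-TLS 1.2 suites that survive "-SSLv3" depends on that build, and the only way to keep the full suite list for TLS 1.0/1.1 clients while still refusing SSL 3.0 is a protocol-level option such as OP_NO_SSLv3, which the cipher string cannot express.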