Hello,
I want to disable SSLv3 in Adobe Media Server 5.0.6. I've tried to change the cipher suite in Adaptor.xml:
ALL:!ADH:!LOW:!EXP:!MD5:-SSLv3:@STRENGTH
According to the SSL Labs report, it disables TLS 1.0 and TLS 1.1 in addition to SSLv3.
What is the proper way to disable SSLv3 only?
Thanks,
Arnaud
Yours is the correct way to disable SSLv3 in Adobe Media Server. Adobe Media Server uses the RTMPS protocol too (which eventually consumes the SSLCipher settings).
However, note that Adobe Media Server also has Apache installed into it, so you might want to disable SSLv3 from Apache too (that is, in case you have configured Apache to run https/SSL). If you have configured Apache to run https, then you need to change SSLCiphers in your corresponding httpd*.conf files too.
My issue is to keep TLS 1.0 working while disabling the SSLv3 protocol. In Apache I would remove SSLv3 from the SSLProtocol directive and keep SSLCipherSuite untouched. But AMS only seems to expose SSLCipherSuite.
Ok... So if you have taken care of Apache then that is great. And yes, the above is the correct way to disable SSLv3 ciphers from the list of handshake ciphers in AMS.
I do not think you need the SSLProtocol tag in AMS; just disable SSLv3 from the list of SSLCipherSuites and that should be good enough to get over the SSL POODLE CVE-2014-3566 issue that is doing the rounds on the internet.
If I disable SSLv3 from SSLCipherSuites, then TLSv1 will stop working. I think this is the same issue as http://security.stackexchange.com/a/70842
Thanks for the info...
I was using IE 11 and Chrome and I did not see this problem...
It is good that you brought this to my notice...
BTW, here is the list of ciphers if I run the above directive through openssl 1.0.1j:
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
And you are right that all TLSv1 ciphers get filtered out in this process...
BTW, the Flash Player uses the ciphers available in the hosting browser, so if your swf is running inside IE 11 or Chrome (latest), it should work fine, but if it is hosted in an older browser, then the above will not work for those users... Thanks again for bringing this to my notice.
The following link will tell you how to find out ciphers supported by your browser.
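An added example, not from this thread and not Adobe's own code, that reproduces the effect discussed above with Python's ssl module against the local OpenSSL: the pre-TLS 1.2 suites all carry OpenSSL's "SSLv3" protocol tag and are the only suites TLS 1.0 and TLS 1.1 can negotiate, so "-SSLv3" in the cipher string empties the TLS 1.0/1.1 set, whereas disabling the SSLv3 protocol version (the Apache SSLProtocol approach) leaves the cipher list intact. It assumes Python 3.7+ and an OpenSSL build that still includes TLS 1.0; the function names are mine.

```python
import ssl

# Cipher string the original poster put in Adaptor.xml (quoted from the thread).
POSTED_CIPHERS = "ALL:!ADH:!LOW:!EXP:!MD5:-SSLv3:@STRENGTH"
# The same string with the "-SSLv3" term removed (constructed for comparison).
WITHOUT_MINUS_SSLV3 = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"


def ciphers_by_protocol(cipher_string):
    """Apply an OpenSSL cipher string and group the surviving suites by the
    protocol tag OpenSSL assigns them (the second column of `openssl ciphers -v`).

    Every pre-TLS-1.2 suite is tagged "SSLv3" because it was introduced with
    SSLv3; TLS 1.0 and TLS 1.1 define no suites of their own and can only use
    those same "SSLv3"-tagged suites.  "-SSLv3" in a cipher string therefore
    removes the whole TLS 1.0/1.1 cipher set, not the SSLv3 protocol.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    grouped = {}
    # get_ciphers() reports the configured list; it is not filtered by version.
    for cipher in ctx.get_ciphers():
        grouped.setdefault(cipher["protocol"], []).append(cipher["name"])
    return grouped


def tls10_usable_suites(cipher_string):
    """Suites a TLS 1.0 (or 1.1) client could still negotiate under this string."""
    return ciphers_by_protocol(cipher_string).get("SSLv3", [])


def server_context_without_sslv3(cipher_string=WITHOUT_MINUS_SSLV3):
    """The protocol-level fix: keep the cipher list, refuse SSLv3 by raising the
    minimum protocol version to TLS 1.0 (what SSLProtocol does in Apache)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def summarize(cipher_string):
    """Protocol tag -> number of surviving suites, for a quick comparison."""
    return {p: len(n) for p, n in ciphers_by_protocol(cipher_string).items()}


if __name__ == "__main__":
    print("posted string  :", summarize(POSTED_CIPHERS))
    print("without -SSLv3 :", summarize(WITHOUT_MINUS_SSLV3))
    fixed = server_context_without_sslv3()
    print("fixed context  : minimum", fixed.minimum_version.name, summarize(WITHOUT_MINUS_SSLV3))
```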