Hi,
I am looking for some recommendation and guidance on how to ban AMS from using SSLv3 with RTMPS clients. I know there's a configuration in Adaptor.xml called
"SSLCipherSuite" which should be able to somehow prevent a specific protocol, but the Adobe documentation recommends contacting Adobe before changing that configuration.
So I was wondering if Adobe has any official recommendation to prevent RTMPS clients from using SSLv3. Could someone please point me in the right direction?
Thanks
-Irtiza
If you can ensure that all your clients are Flash Player running in the latest browsers (IE 11, latest Chrome and latest Firefox, which means all of them are capable of handling TLSv1.2 connections), then I would recommend using the following setting:
<SSLCipherSuite>ALL:!ADH:!LOW:!EXP:!MD5:-SSLv3:@STRENGTH</SSLCipherSuite>
If you have older browsers, then you will have to wait for the next dot release.
Hi hparmar,
If you have older browsers, then you will have to wait for the next dot release.
I have 2 questions.
When will it be released?
How will it support older browsers?
Adding "-SSLv3" disables TLS 1.0 and TLS 1.1 as well, so I hope the next release provides some way of disabling only SSL 3.0.
Thanks,
Hiroki
When will it be released?
I cannot comment on that...
How will it support older browsers?
Well, most likely it will disable SSLv3 support from within the application, so you will not need to change anything in the AMS configuration.
All browsers which work on TLS 1.0 and higher will continue to work as they have been working till now.
Note that even in the current release, if your browsers support TLS then TLS would be the preferred mode of connection and you will not be exposed to the SSLv3 attack.
Even today, the POODLE vulnerability exists only if you are working on those browsers which do not support TLS.
That said, you must upgrade your OpenSSL to 1.0.1j, because prior to that a hacker could exploit a hack in OpenSSL so that even if your endpoints support TLS, it can hack and make the connection protocol get downgraded to SSLv3... OpenSSL 1.0.1j fixes this downgrade protocol attack.
The steps to compile OpenSSL for AMS are available in the public domain... please google and compile OpenSSL for yourself and drop that OpenSSL into your AMS installation.
OpenSSL consists of two files: libeay32.dll and ssleay32.dll on Windows, and libssl.so.1.0.0 and libcrypto.so.1.0.0 on Linux.
Note that even in the current release, if your browsers support TLS then TLS would be the preferred mode of connection and you will not be exposed to the SSLv3 attack.
Even today, the POODLE vulnerability exists only if you are working on those browsers which do not support TLS.
That said, you must upgrade your OpenSSL to 1.0.1j, because prior to that a hacker could exploit a hack in OpenSSL so that even if your endpoints support TLS, it can hack and make the connection protocol get downgraded to SSLv3... OpenSSL 1.0.1j fixes this downgrade protocol attack.
IMHO, TLS_FALLBACK_SCSV is required for both servers and clients to prevent downgrading, thus upgrading OpenSSL to 1.0.1j doesn't fix it, especially for older browsers.
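To make the point about TLS_FALLBACK_SCSV concrete, here is an added Python example (not from this thread and not AMS or OpenSSL code) that builds a minimal ClientHello, parses the offered version and cipher suites, and applies the server-side rule from RFC 7507: if the hello carries the 0x5600 signaling suite and its version is below the server's highest supported version, the server refuses with an inappropriate_fallback alert. The record bytes are constructed inline; extensions and the rest of the handshake are omitted, and the function names are mine.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600               # signaling cipher suite value from RFC 7507
SSLV3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F    # an ordinary suite, used as filler


def build_client_hello(client_version, cipher_suites):
    """Construct a minimal ClientHello record (constructed test data, no extensions)."""
    body = struct.pack("!H", client_version) + bytes(32)      # client_version + random
    body += b"\x00"                                            # empty session id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                        # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello, 24-bit length
    return b"\x16" + struct.pack("!HH", TLS10, len(handshake)) + handshake  # handshake record header


def parse_client_hello(record):
    """Return (client_version, [cipher suite ids]) from one ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    (client_version,) = struct.unpack("!H", body[:2])
    pos = 2 + 32                          # skip the 32-byte random
    pos += 1 + body[pos]                  # skip the session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def server_decision(record, server_max=TLS12, honours_scsv=True):
    """RFC 7507 section 3: refuse a hello that signals fallback below the server's maximum.

    honours_scsv=False models a server (e.g. OpenSSL before 1.0.1j) that does not
    know the signaling suite and simply ignores the unknown value.
    """
    client_version, suites = parse_client_hello(record)
    if honours_scsv and TLS_FALLBACK_SCSV in suites and client_version < server_max:
        return "inappropriate_fallback"   # fatal alert; the downgrade is refused
    return "accept"


def fallback_scenarios():
    """Outcome of a retried (fallback) SSLv3 hello in the combinations the thread discusses."""
    with_scsv = build_client_hello(SSLV3, [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_FALLBACK_SCSV])
    without_scsv = build_client_hello(SSLV3, [TLS_RSA_WITH_AES_128_CBC_SHA])
    return {
        "new client, patched server": server_decision(with_scsv),
        "new client, unpatched server": server_decision(with_scsv, honours_scsv=False),
        "old client, patched server": server_decision(without_scsv),
    }


if __name__ == "__main__":
    for scenario, outcome in fallback_scenarios().items():
        print(f"{scenario}: {outcome}")
```

Only the first scenario stops the downgrade: a server that understands the SCSV refuses a fallback hello from a client that sends it. A client that never sends 0x5600 (the old-browser case) is indistinguishable from a genuinely SSLv3-only peer and is accepted, which is why upgrading the server alone does not cover older clients and why disabling SSLv3 on the server is the protection that does not depend on client behaviour.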
Thanks htaniura and hparmar for following up on this.
Having an updated client to use the new SCSV is a good point. I am not sure how this works in this case. Will there be an updated Flash Player to support this SCSV?
So to summarize: blocking SSLv3 (which will also block TLS 1.0 and TLS 1.1) seems to be the only option until Adobe releases a patch to block SSLv3 from within the application.
A stupid question: what is a dot release? Is it a major release? Is there a way I could ask someone to shed some more light on timelines for banning SSLv3 from both client and server?
Thanks again.
-Irtiza
Here is how you can find out what your browser supports...