POODLE Vulnerability and AMS configuration in Adaptor.xml

New Here, Oct 20, 2014

Hi,

I am looking for some recommendation and guidance on how to ban AMS from using SSLv3 with RTMPS clients. I know that there's a configuration in Adaptor.xml called "SSLCipherSuite" which should be able to somehow prevent a specific protocol, but the Adobe documentation recommends contacting Adobe before changing that configuration.

So I was wondering if Adobe has any official recommendation to prevent RTMPS clients from using SSLv3. Could someone please point me in the right direction?

Thanks

-Irtiza

Adobe Employee, Oct 20, 2014

If you can ensure that all your clients are Flash Player running in the latest browsers (IE 11, latest Chrome and latest Firefox, which means all of them are capable of handling TLSv1.2 connections), then I would recommend using the following setting:

<SSLCipherSuite>ALL:!ADH:!LOW:!EXP:!MD5:-SSLv3:@STRENGTH</SSLCipherSuite>

If you have older browsers, then you will have to wait for the next dot release.

New Here, Oct 22, 2014

Hi hparmar,

> if you have older browsers, then you will have to wait for next dot release.

I have 2 questions.

When will it be released?

How will it support older browsers?

Adding "-SSLv3" disables TLS 1.0 and TLS 1.1 as well, so I hope the next release provides some way of disabling only SSL 3.0.

Thanks,

Hiroki

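As an added example (not from this thread, Adobe or AMS), the script below feeds the exact SSLCipherSuite string from the Adobe reply to Python's OpenSSL-backed ssl module, which is assumed here to stand in for the OpenSSL inside AMS, and shows why "-SSLv3" also strips the cipher suites TLS 1.0/1.1 clients negotiate, next to a protocol-level floor that refuses only SSL 3.0.

```python
import ssl
from collections import Counter

# The exact SSLCipherSuite value from the Adobe reply in this thread, and the
# same string without the "-SSLv3" term for comparison. AMS hands this string
# to OpenSSL; Python's ssl module (also OpenSSL-backed) is used here as a
# stand-in for the AMS configuration, an assumption of this example.
AMS_MINUS_SSLV3 = "ALL:!ADH:!LOW:!EXP:!MD5:-SSLv3:@STRENGTH"
AMS_BASELINE = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"


def suite_protocol_tags(cipher_string):
    """Return {protocol_tag: count} for the suites a cipher string selects.

    The tag is the second field of OpenSSL's cipher description, e.g.
    'AES128-SHA SSLv3 Kx=RSA ...': the protocol that first defined the
    suite, not the protocol versions it may run under. In an OpenSSL cipher
    string "SSLv3" is a *suite* keyword, so "-SSLv3" drops every suite
    inherited from SSL 3.0, and those are exactly the suites a TLS 1.0/1.1
    client can use (newer OpenSSL tags some ECDHE+SHA1 suites "TLSv1").
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    tags = Counter(c["description"].split()[1] for c in ctx.get_ciphers())
    return dict(tags)


def tls_only_context(cipher_string=AMS_BASELINE):
    """Protocol-level alternative: keep the suites, refuse SSL 3.0 itself.

    This is the behaviour the thread hopes the next AMS release provides
    internally: SSLv3 handshakes are rejected while TLS 1.0 and 1.1
    clients keep their cipher suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # SSLv3 out, TLS 1.0+ allowed
    return ctx


if __name__ == "__main__":
    for label, s in (("baseline", AMS_BASELINE), ("-SSLv3", AMS_MINUS_SSLV3)):
        print(f"{label:9s} {s}")
        print("          suites by first-defining protocol:", suite_protocol_tags(s))
    print("protocol-level floor:", tls_only_context().minimum_version.name)
```

The counts per tag depend on the OpenSSL version Python links against, but the "SSLv3" bucket is always empty with the "-SSLv3" string.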
Adobe Employee, Oct 22, 2014

> When will it be released?

I cannot comment on that...

> How will it support older browsers?

Well, most likely it will disable SSLv3 support from within the application, so you will not need to change anything in the AMS configuration.

All browsers which work on TLS 1.0 and higher will continue to work as they were working till now.

Note that even in the current release, if your browsers support TLS then TLS would be the preferred mode of connection and you will not be exposed to the SSLv3 attack.

Even today, POODLE vulnerability exists only if you are working on those browsers which do not support TLS.

That said, you must upgrade your OpenSSL to 1.0.1j, because prior to that a hacker could exploit a hack in OpenSSL so that even if your endpoints support TLS, it can hack and make the connection protocol get downgraded to SSLv3... OpenSSL 1.0.1j fixes this protocol downgrade attack.

The steps to compile OpenSSL for AMS are available in the public domain... please google and compile OpenSSL for yourself and drop that OpenSSL into your AMS installation.

OpenSSL consists of two files, libeay32.dll and ssleay32.dll on Windows AND libssl.so.1.0.0 and libcrypto.so.1.0.0 on Linux...

New Here, Oct 22, 2014

> Note that even in current release, if your browsers support TLS then TLS would be preferred mode of connection and you will not be exposed to SSLv3 attack.
>
> Even today, POODLE vulnerability exists only if you are working on those browsers which do not support TLS.
>
> That said, you must upgrade your openssl to 1.0.1j, because prior to that a hacker could exploit a hack in openssl so that even if your endpoints supports TLS, it can hack and make the connection protocol get downgraded to SSLv3...openssl to 1.0.1j fixes this downgrade protocol attack..

IMHO, TLS_FALLBACK_SCSV is required for both servers and clients to prevent downgrading, thus upgrading OpenSSL to 1.0.1j doesn't fix it, especially for older browsers.

New Here, Oct 27, 2014

Thanks htaniura and hparmar for following up on this.

Having an updated client to use the new SCSV is a good point. I am not sure how this works in this case. Will there be an updated Flash Player to support this SCSV?

So to summarize: blocking SSLv3, which will also block TLS 1.0 and TLS 1.1, seems to be the only option until Adobe releases a patch to block SSLv3 from within the application.

A stupid question: What is a dot release? Is it a major release? Is there a way I could ask someone to shed some more light on timelines for banning SSLv3 from both client and server?

Thanks again.

-Irtiza

Adobe Employee, Oct 20, 2014

Here is how you can find out what your browser supports:

SSL Cipher Suites Supported By Your Browser
