mac | pc TA14-098A: OpenSSL 'Heartbleed' vulnerability

[MacUSA]

OpenSSL was installed with FileMaker Server.  Will FileMaker be issuing an updater to OpenSSL?  If so, will it go back to earlier versions?  If not, will the publicly available OpenSSL updater update the FileMaker installed version?

[Steven H. Blackwell]

FileMaker, Inc. is aware of this issue. Stay tuned for more information.

 

Steven

[Mark Scott]

Looks like we've now got an answer and hotfix from FM Inc.  Hotfix is for Server 13 only; per the first link, Server 12 and earlier are not vulnerable.

 

Mark

[Steven H. Blackwell]

I would recommend that all review the updated information from FileMaker, Inc. on this matter:

 

http://thefmkb.com/13386 Actions 2 and 3 at end of article.

 

Steven

[Steven H. Blackwell]

There is a new updater out:  FileMaker Server 13.0v1a.

 

See:

 

http://thefmkb.com/13386

 

This Tech Info has been updated with additional information.

 

Steven

[Rick Whitelaw]

I updated today without incident.

[JohnDCCIU]

Unfortunately, I updated and now FM clients can no longer see hosted databases with the SSL connections enabled.  Here's what I posted in the FileMaker Support forums; maybe someone here has seen this or has an idea on how to resolve it?

 

I've been running FMS 13v1 successfully for awhile on OS X 10.9 (now at 10.9.2, fully patched), with "Require Secure Connections" checkmarked in the Database Server section and a commercial SSL cert from GoDaddy installed with fmsadmin.

 

I applied the first "emergency fix" that FMI put out, which involved copying files to certain places on the server.  That also worked fine.

 

I saw that they released a real updater and applied that tonight....and that seems to have broken something.  Now if "Require Secure Connections" is checkmarked, hosted databases do not appear in the FM client (even a client running on the same machine as the server).  The server shows up under "Local Hosts", but no databases appear.

 

All databases show as opened and Normal on the server, and if I uncheck "Require Secure Connections" and restart the server, all the databases appear just fine.

 

Note that I'm not talking about Web Services:  this is the core fmnet protocol functionality.  However, it also is broken (The server test page for both WebDirect and PHP fail) when "Require Secure Connections" is enabled in the core server, and it starts working again when "Require Secure Connections" is unchecked.

 

At the suggestion of one of the moderators on the FileMaker Discussion Forums, I generated a new key with the CERTIFICATE command, revoked and re-keyed the cert, then imported it again, rebooted the box, but that didn't fix the issue either.

 

Is anyone else seeing this?  Any ideas on a fix?  I wouldn't want to run my server without SSL security for very long.

[Steven H. Blackwell]

Have you applied the updaters to FileMaker Pro itself?

 

http://thefmkb.com/13407

 

Steven

[Claus Lavendt]

John, check to see if your certificate is supported by FMS. The behavior you see, is similar to some tests I did with a wildcard certificate, which is not supported by FMS13.

I am not sure, if the list of supported certificates has changed for this v1a update.

 

Another thing to notice, is that you should anyways, re-issue the certificate for security measures.

That might bring back the databases in SSL mode.

 

You can find the list of supported certificates here:

http://help.filemaker.com/app/answers/detail/a_id/11413/~/list-of-supported-ssl-certificate-vendors-and-ssl-certificate-types-for