cbum Posted October 23, 2014

Just talked to FM tech support, they currently have no guidance on this. Anyone have any comment on if/how this affects the server? I just read this post on the FM company forum:

Eliminating the POODLE Vulnerability in FMS 13 on OS X
Forum post posted October 21, 2014 by JohnDCCIU, last edited October 21, 2014

I did a little playing around to see if I could eliminate the POODLE vulnerability in FMS 13 running on OS X. FMS 13 installs its own version of Apache; it doesn't use the version from Apple as it did in previous versions. Out of the box, FMS 13 is vulnerable to POODLE.

It turns out that the FMS web SSL functionality is controlled in an Apache config include file at /Library/FileMaker Server/HTTPServer/conf/extra/httpd-ssl.conf

I edited that file with TextWrangler and applied the POODLE mitigation (adding "-SSLv3" on the end of the existing "SSLProtocol" line), restarted the server, and poof: no more POODLE vulnerability.

My server seems to be fine afterwards, but YMMV, so use at your own risk, and only if you know how to edit config files without mucking things up (and always make a backup of the file before editing regardless).

It's uncertain if FMS will eventually overwrite that config (since it manages it itself), either during normal operations or during a future upgrade (unless FMI incorporates that into the next upgrade, which they should), but so far the mitigation has survived a few reboots, so it seems stable.

You can test your server's POODLE vulnerability at http://whodig.com/poodle/ or, for a more comprehensive SSL test (including POODLE), use https://www.ssllabs.com/ssltest/

John
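A small offline check for the edit described in the quoted post, added here as an example and not code from the thread or from FileMaker: it evaluates the SSLProtocol directive in httpd-ssl.conf text the way mod_ssl's parser does and reports whether SSLv3 would still be negotiated. The set of protocols that the "all" keyword expands to is an assumption (Apache 2.4 semantics; 2.2 builds also included SSLv2), and the BEFORE/AFTER fragments are constructed samples, not the file FMS 13 ships.

```python
import re
from typing import Set

# Assumption: what the "all" keyword expands to on an Apache 2.4 build;
# 2.2 builds also included SSLv2 in "all".
ALL_PROTOCOLS: Set[str] = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def effective_protocols(conf_text: str) -> Set[str]:
    """Evaluate the SSLProtocol directive in a block of httpd-ssl.conf text.

    Models mod_ssl's parser: tokens are read left to right, "all" stands
    for every protocol in ALL_PROTOCOLS, "-X" disables X, "+X" adds X, and
    a bare "X" replaces whatever was enabled so far (so "TLSv1 TLSv1.2"
    leaves only TLSv1.2 on). If the directive appears more than once in
    the same scope the last one wins. Comments are ignored.
    """
    enabled = set(ALL_PROTOCOLS)  # Apache's default when the directive is absent
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        enabled = set()
        for tok in m.group(1).split():
            name = tok.lstrip("+-")
            names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
            if tok.startswith("-"):
                enabled -= names
            elif tok.startswith("+"):
                enabled |= names
            else:
                enabled = names
    return enabled


def poodle_exposed(conf_text: str) -> bool:
    """True when SSLv3 would still be negotiated under this configuration."""
    return "SSLv3" in effective_protocols(conf_text)


# Constructed samples: a typical stock line, and the same line after the
# fix from the post (only the trailing "-SSLv3" differs).
BEFORE = "SSLEngine on\nSSLProtocol all -SSLv2\n"
AFTER = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        state = "exposed" if poodle_exposed(conf) else "ok"
        print(label, state, sorted(effective_protocols(conf)))
```

Run it against the real file with `python3 check.py < httpd-ssl.conf` after swapping the samples for `sys.stdin.read()`; a bare-token line such as `SSLProtocol TLSv1 TLSv1.2` is flagged as enabling only TLSv1.2, which is the usual mistake when hand-editing this directive.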
cbum Posted November 20, 2014 (Author)

To answer my own question ;-)

Software Update: FileMaker Server 13.0v5 (OS X)
Disabled SSL 3.0 in the Apache web server used by FileMaker Server. SSL 3.0 has a known man-in-the-middle attack vulnerability referred to as "Padding Oracle on Downgraded Legacy Encryption" (POODLE).