Jump to content
Claris Engage 2025 - March 25-26 Austin Texas ×

POODLE (man in the middle) SSL vulnerability in FMS13 and OSX


This topic is 3656 days old. Please don't post here. Open a new topic instead.

Recommended Posts

Posted

Just talked to FM tech support, they currently have no guidance on this. Anyone have any comment on if/how this affects the server?

 

I just read this post on the FM company forum:

 

Eliminating the POODLE Vulnerability in FMS 13 on OS X

Forum post posted October 21, 2014 by JohnDCCIU, last edited October 21, 2014 
 
47 Views
Title:
Eliminating the POODLE Vulnerability in FMS 13 on OS X
Your post:

I did a little playing around to see if I could eliminate the POODLE vulnerability in FMS 13 running on OS X.  FMS 13 installs its own version of Apache, it doesn't use the version from Apple as it did in previous versions.  Out of the box, FMS 13 is vulnerable to POODLE.

I turns out that the FMS web SSL functionality is controlled in an Apache config include file at /Library/FileMaker Server/HTTPServer/conf/extra/httpd-ssl.conf  I edited that file with TextWrangler and applied the POODLE mitigation (adding "-SSLv3" on the end of the existing "SSLProtocol" line), restarted the server, and poof:  no more POODLE vulnerability.  

My server seems to be fine afterwards, but YMMV, so use at your own risk, and only if you know how to edit config files without mucking things up (and always make a backup of the file before editing regardless).  It's uncertain if FMS will eventually overwrite that config (since it manages it itself), either during normal operations or during a future upgrade (unless FMI incorporates that into the next upgrade, which they should), but so far the mitigation has survived a few reboots, so it seems stable.

You can test your server's POODLE vulnerability at http://whodig.com/poodle/ or for a more comprehensive SSL test (including POODLE), use https://www.ssllabs.com/ssltest/

John

 

 

 

  • 4 weeks later...
Posted

To answer my own question ;-)

 

 

 

Software Update: FileMaker Server 13.0v5

 

  • (OS X) Disabled SSL 3.0 in the Apache web server used by FileMaker Server. SSL 3.0 has a known man-in-the-middle attack vulnerability referred to as “Padding Oracle on Downgraded Legacy Encryption” (POODLE).

This topic is 3656 days old. Please don't post here. Open a new topic instead.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.