
POODLE (man in the middle) SSL vulnerability in FMS13 and OSX


cbum

This topic is 3451 days old. Please don't post here. Open a new topic instead.


Just talked to FM tech support, they currently have no guidance on this. Anyone have any comment on if/how this affects the server?

 

I just read this post on the FM company forum:

Eliminating the POODLE Vulnerability in FMS 13 on OS X

Forum post posted October 21, 2014 by JohnDCCIU, last edited October 21, 2014

I did a little playing around to see if I could eliminate the POODLE vulnerability in FMS 13 running on OS X.  FMS 13 installs its own version of Apache; it doesn't use the version from Apple as it did in previous versions.  Out of the box, FMS 13 is vulnerable to POODLE.

It turns out that the FMS web SSL functionality is controlled in an Apache config include file at /Library/FileMaker Server/HTTPServer/conf/extra/httpd-ssl.conf.  I edited that file with TextWrangler and applied the POODLE mitigation (adding "-SSLv3" on the end of the existing "SSLProtocol" line), restarted the server, and poof:  no more POODLE vulnerability.

My server seems to be fine afterwards, but YMMV, so use at your own risk, and only if you know how to edit config files without mucking things up (and always make a backup of the file before editing regardless).  It's uncertain if FMS will eventually overwrite that config (since it manages it itself), either during normal operations or during a future upgrade (unless FMI incorporates that into the next upgrade, which they should), but so far the mitigation has survived a few reboots, so it seems stable.

You can test your server's POODLE vulnerability at http://whodig.com/poodle/ or for a more comprehensive SSL test (including POODLE), use https://www.ssllabs.com/ssltest/

John
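For the SSLProtocol edit John describes, here is an added check-and-fix script (example code written for this page, not from the post or from FileMaker). It assumes a standard Apache httpd-ssl.conf and runs against constructed sample files; the function names sslv3_disabled and disable_sslv3 are my own.

```shell
#!/bin/sh
# Added example (not code from the forum post or from FileMaker): check whether an
# Apache httpd-ssl.conf leaves SSLv3 enabled, and apply the same "-SSLv3" mitigation
# the post describes. The config files below are constructed samples; the real
# FMS 13 path quoted in the post is /Library/FileMaker Server/HTTPServer/conf/extra/httpd-ssl.conf

# Return 0 if the last SSLProtocol directive in $1 leaves SSLv3 disabled, 1 otherwise.
# mod_ssl reads the tokens left to right: a bare token replaces the protocol set,
# "+tok" adds to it and "-tok" removes from it, so "all -SSLv3" disables SSLv3.
sslv3_disabled() {
    line=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    [ -n "$line" ] || return 1       # no directive at all: treat as exposed
    tokens=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//' | tr 'A-Z' 'a-z')
    allowed=0
    for tok in $tokens; do
        case "$tok" in
            all|sslv3)    allowed=1 ;;   # bare set that contains SSLv3
            +all|+sslv3)  allowed=1 ;;   # adds SSLv3 back
            -all|-sslv3)  allowed=0 ;;   # removes SSLv3
            +*|-*)        ;;             # TLS-only adjustments leave SSLv3 as it was
            *)            allowed=0 ;;   # bare TLS-only set replaces everything
        esac
    done
    [ "$allowed" -eq 0 ]
}

# Append "-SSLv3" to every SSLProtocol line of $1, keeping a .bak copy first
# (the backup the post recommends). Assumes the usual "SSLProtocol" spelling.
disable_sslv3() {
    sslv3_disabled "$1" && return 0   # already mitigated, leave the file alone
    sed -i.bak -E 's/^([[:space:]]*SSLProtocol[[:space:]].*)$/\1 -SSLv3/' "$1"
}

# Constructed samples: the out-of-the-box line and the line after the mitigation.
tmpdir=$(mktemp -d)
VULN_CONF="$tmpdir/httpd-ssl.conf"
FIXED_CONF="$tmpdir/httpd-ssl-fixed.conf"
printf '# constructed sample (before)\nSSLProtocol all\n' > "$VULN_CONF"
printf '# constructed sample (after)\nSSLProtocol all -SSLv3\n' > "$FIXED_CONF"

for f in "$VULN_CONF" "$FIXED_CONF"; do
    if sslv3_disabled "$f"; then
        echo "OK   $f: SSLv3 disabled"
    else
        echo "WARN $f: SSLv3 still enabled (POODLE-exposed)"
    fi
done
```

Run it against a copy of the real file first; the .bak left by disable_sslv3 is the rollback if the web server fails to restart.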

  • 4 weeks later...

To answer my own question ;-)

Software Update: FileMaker Server 13.0v5

  • (OS X) Disabled SSL 3.0 in the Apache web server used by FileMaker Server. SSL 3.0 has a known man-in-the-middle attack vulnerability referred to as “Padding Oracle on Downgraded Legacy Encryption” (POODLE).