0 Replies Latest reply on Oct 21, 2014 6:36 AM by JohnDCCIU

    Eliminating the POODLE Vulnerability in FMS 13 on OS X

    JohnDCCIU


      I did a little playing around to see if I could eliminate the POODLE vulnerability in FMS 13 running on OS X. FMS 13 installs its own version of Apache; it doesn't use the version from Apple as it did in previous versions. Out of the box, FMS 13 is vulnerable to POODLE.

      It turns out that the FMS web SSL functionality is controlled in an Apache config include file at /Library/FileMaker Server/HTTPServer/conf/extra/httpd-ssl.conf. I edited that file with TextWrangler and applied the POODLE mitigation (adding "-SSLv3" on the end of the existing "SSLProtocol" line), restarted the server, and poof: no more POODLE vulnerability.

      My server seems to be fine afterwards, but YMMV, so use at your own risk, and only if you know how to edit config files without mucking things up (and always make a backup of the file before editing regardless).  It's uncertain if FMS will eventually overwrite that config (since it manages it itself), either during normal operations or during a future upgrade (unless FMI incorporates that into the next upgrade, which they should), but so far the mitigation has survived a few reboots, so it seems stable.

      You can test your server's POODLE vulnerability at http://whodig.com/poodle/ or for a more comprehensive SSL test (including POODLE), use https://www.ssllabs.com/ssltest/

      John
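As an added example (not part of the post above or of FileMaker's own tooling), the following script evaluates an Apache `SSLProtocol` directive the way mod_ssl does and flags any line that still leaves SSLv3 enabled, which is a useful check before and after the edit described in the post. It assumes Apache's rules (tokens left to right, `+` adds, `-` removes, a bare name replaces the set) and the Apache 2.4 meaning of `all` (SSLv3 plus TLS 1.0 to 1.2); the sample config lines are constructed, not copied from FMS.

```python
"""Audit Apache SSLProtocol directives for SSLv3 (POODLE) exposure."""
import re

# Assumed: Apache 2.4 expansion of "all"; SSLv2 only when named explicitly.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = ALL | {"SSLv2"}


def enabled_protocols(args: str) -> set:
    """Return the protocol set an 'SSLProtocol <args>' line enables."""
    enabled = set()
    for tok in args.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        if name.lower() == "all":
            group = set(ALL)
        else:
            match = next((p for p in KNOWN if p.lower() == name.lower()), None)
            if match is None:
                raise ValueError(f"unknown protocol token: {tok}")
            group = {match}
        if action == "-":
            enabled -= group          # "-SSLv3": remove from the set
        elif action == "+":
            enabled |= group          # "+TLSv1": add to the set
        else:
            enabled = group           # bare name overrides the whole set
    return enabled


def audit(conf_text: str) -> list:
    """Return (line_no, directive, sslv3_enabled) for each SSLProtocol line."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue                  # commented-out directives are inert
        m = re.match(r"SSLProtocol\s+(.+)", stripped, re.IGNORECASE)
        if m:
            findings.append((no, stripped, "SSLv3" in enabled_protocols(m.group(1))))
    return findings


# Constructed samples resembling an httpd-ssl.conf before and after the edit.
BEFORE = "#   SSL Protocol support:\nSSLProtocol all -SSLv2\n"
AFTER = "#   SSL Protocol support:\nSSLProtocol all -SSLv2 -SSLv3\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for no, directive, bad in audit(text):
            print(f"{label} line {no}: {directive} -> SSLv3 {'ENABLED' if bad else 'disabled'}")
```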