12 Replies Latest reply on Nov 12, 2014 2:03 PM by disabled_ntaylor

    FMS 13v1a breaks FMS when "Require Secure Connections" is check marked

    JohnDCCIU

           I've been running FMS 13v1 successfully for a while on OS X 10.9, with "Require Secure Connections" checkmarked in the Database Server section and a commercial SSL cert from GoDaddy installed with fmsadmin.

           I applied the first "emergency fix" that FMI put out, which involved copying files to certain places on the server.  That also worked fine.

           I saw that they released a real updater and applied that tonight....and that seems to have broken something.  Now if "Require Secure Connections" is checkmarked, hosted databases do not appear in the FM client (even a client running on the same machine as the server).  The server shows up under "Local Hosts", but no databases appear.

           All databases show as opened and Normal on the server, and if I uncheck "Require Secure Connections" and restart the server, all the databases appear just fine.

           Note that I'm not talking about Web Services:  this is the core fmnet protocol functionality.  However, it also is broken (The server test page for both WebDirect and PHP fail) when "Require Secure Connections" is enabled in the core server, and it starts working again when "Require Secure Connections" is unchecked.

           Is anyone else seeing this?  Any ideas on a fix?  I wouldn't want to run my server without SSL security for very long.

            

        • 1. Re: FMS 13v1a breaks FMS when "Require Secure Connections" is check marked

          JohnDCCIU: 

               Thank you for the post.

                

               After verifying the update, was the default SSL certificate replaced?

                

               The following is from Software Update: FileMaker Server 13.0v1a:

                

          Replacing the default SSL certificate

               After applying this software, if you do not have a signed SSL certificate that matches your specific server name, request a certificate from a trusted certificate authority (CA) supported by FileMaker, Inc.  

                

               If you previously obtained a signed SSL certificate, contact your CA to revoke your existing certificate and request a new certificate.

               For instructions, see the FileMaker Server Help topic “Securing your data.”

               For information on supported CAs, see the FileMaker Knowledge Base:  

                

          List of supported SSL certificate vendors and SSL certificate types for FileMaker products

          What types of SSL certificates are supported by FileMaker products?

                

          The FileMaker Security Guide

                

               TSFalcon

               FileMaker, Inc.

          • 2. Re: FMS 13v1a breaks FMS when "Require Secure Connections" is check marked
            JohnDCCIU

                 I didn't revoke and request a new one, since I only got it a few weeks ago, and I think that section is more of a "best practice" thing (because of the potential exposure of private keys via Heartbleed) rather than a technical requirement.

                 But I suppose it's possible that FMS is actually checking cert dates or looking for older private keys and deliberately breaking itself if it finds something before a certain date....seems unlikely but who knows.  I'll give it a try and post a reply with the results. 

            • 3. Re: FMS 13v1a breaks FMS when "Require Secure Connections" is check marked
              JohnDCCIU

                   Unfortunately, a new cert (revoked and re-keyed, based on a new private key generated by the CERTIFICATE command) didn't solve the issue.

                   I tried restarting the FMS and the server box itself, but to no avail:  when "Require Secure Connections" is checkmarked, the FM client (I tried 13.0v2 and v3) can't see any databases hosted on the server.  As soon as I uncheck "Require Secure Connections", all is well.

                   The same cert is working fine securing https traffic to the web side, and it was useful to check that the new cert was definitely in place, so the new cert is working and valid (plus the CERTIFICATE IMPORT command liked it, of course), but it hasn't solved this issue for me.

                   Any other ideas?

              • 4. Re: FMS 13v1a breaks FMS when "Require Secure Connections" is check marked

                JohnDCCIU: 

                     Thank you for the reply.

                      

                     To confirm, you are using one of the specific certificates listed in the article above? (See screenshot).

                      

                     Also, was this working prior to the update?

                      

                     TSFalcon

                     FileMaker, Inc.

                • 5. Re: FMS 13v1a breaks FMS when "Require Secure Connections" is check marked
                  JohnDCCIU

                       Thanks for the reply.

                       I'm using a GoDaddy cert, from GoDaddy's CA (not Starfield's).

                       This was all working before the 13.0v1a update.  I had performed the previous incarnation of the Heartbleed patch, which involved manually copying framework files, and it seemed to be working fine after that.

                       As part of doing the FMS 13.0v1a update, I also performed the 2014-002 OS X Security Update (http://support.apple.com/kb/HT6207).

                       Thanks,

                       John

                        

                        

                  • 6. Re: FMS 13v1a breaks FMS when "Require Secure Connections" is check marked
                    fndimarco

                         I am having a similar problem with a GoDaddy certificate as well -- on a clean installation of Windows Server 2008 with a clean installation of the updated FMS, when I import a re-keyed post-Heartbleed GoDaddy certificate, I can no longer connect either via WebDirect or FMP to my files if the "Require Secure Connections" checkbox is checked. Uncheck it, reboot -- and the files appear again and are accessible.

                    • 7. Re: FMS 13v1a breaks FMS when "Require Secure Connections" is check marked

                      JohnDCCIU & Frederick Dimarco: 

                           Thank you for the replies.

                            

                           I lack the ability to test this further without the certificates. If you are willing, Testing would like to try a setup using your certificates.

                            

                           If so, please check your inbox at the top of this page for instructions on how to submit the file for testing.

                            

                           TSFalcon

                           FileMaker, Inc.

                      • 8. Re: FMS 13v1a breaks FMS when "Require Secure Connections" is check marked
                        MatthewHenderson

                        I had this same issue with three FileMaker 13 servers. It worked initially (v0) but after the Heartbleed fixes never worked again. I tried using the exact Go Daddy cert FileMaker specifies but nothing works. FileMaker blamed the certificate, blamed being on 2008 Enterprise, all red herrings. The only solution is:

                        Open the command prompt window using Run as Administrator.

                        From the command line enter: fmsadmin CERTIFICATE CREATE server_name.xxx.com

                        The CERTIFICATE CREATE command is used to create the certificate request file that you send to the certificate authority (serverRequest.pem), plus an encrypted private key file that is used by the CERTIFICATE IMPORT command (serverKey.pem).

                        The serverRequest.pem is located at: F:\Program Files\Filemaker\Filemaker Server\Cstore

                        Send the serverRequest.pem to a Certificate Authority

                        Save the returned signed certificate to F:\Certs

                        Use the CERTIFICATE IMPORT command to create a custom server .pem file that combines the certificate file that you get back from the certificate authority with the encrypted private key file created by the CERTIFICATE

                        Open the command prompt window using Run as Administrator.

                        fmsadmin certificate import F:\certs\signedCertificate.crt

                        Stop Filemaker server service

                        Remove the serverRequest.pem, serverKey.pem, and serverCustom.pem from

                        F:\Program Files\Filemaker\Filemaker Server\Cstore

                        Restart Filemaker Server

                        Now your transactions on the web will use your third party certificate and your transactions in the client will use the OpenSSL certificate provided by FileMaker. When you restart FileMaker with Require SSL your files will be available in the open remote window and through WebDirect.

                        • 9. Re: FMS 13v1a breaks FMS when "Require Secure Connections" is check marked
                          JohnDCCIU

                          So it's been since April 2014 and this is still an issue.  TSFalcon nicely facilitated a discussion with FMI development in a private thread back in May to try to resolve this, but their only (completely laughable) suggestion to get this working with a secure SHA-2 cert installed on the server is to touch every single FM client (!), adding the intermediate G2 cert to the OpenSSL root CA on that client.  Completely ridiculous suggestion, of course, considering that I have many hundreds of clients spread around in various locations....and such a massive effort on the customer's part would be solely because of the longstanding buffoonery of FMI's SSL efforts in v13.

                          So my FMS 13 server still has no encryption between FM client and FM server right now, nearly 6 months after I reported this.  Nice.  Good thing it's not really in production yet and all my critical stuff is still on FMSA v11.

                          When can we expect an update to the FM 13 client to fix this issue?  It will still be a giant pain in the neck to deploy (every single client will have to be updated before I can set the server to enforce encryption), but at least then it's permanent and automatic, and any new client installations will be good to go out of the box.
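The trust-store situation described in the post above (a client that must have the intermediate certificate added before it accepts the server's SHA-2 certificate), reproduced with generic OpenSSL chain verification. This is an added example, not code from the thread or from FileMaker, and not a diagnosis of FMS itself; the PKI, the names (`Constructed Intermediate G2`, `fms.example.test`) and all file names are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Constructed three-tier PKI: root CA -> intermediate CA -> server certificate.
set -eu

make_chain() {   # $1 = empty working directory
  ( cd "$1"
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
      -subj "/CN=Constructed Root CA" -extensions ca_ext -keyout root.key -out root.pem
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
      -subj "/CN=Constructed Intermediate G2" -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -sha256 -days 30 -extfile pki.cnf -extensions ca_ext -out int.pem
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
      -subj "/CN=fms.example.test" -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -sha256 -days 30 -extfile pki.cnf -extensions leaf_ext -out leaf.pem
    cat root.pem int.pem > root_plus_int.pem   # trust store with intermediate added
  ) >/dev/null 2>&1
}

# True only when openssl reports "leaf.pem: OK" for the given verify options.
leaf_verifies() {   # $1 = directory, remaining args = openssl verify options
  dir=$1; shift
  ( cd "$dir" && openssl verify "$@" leaf.pem 2>&1 ) | grep -q ': OK$'
}

sig_alg() {   # $1 = certificate file; prints its signature algorithm
  openssl x509 -in "$1" -noout -text | awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

demo=$(mktemp -d)
make_chain "$demo"
echo "leaf signature algorithm: $(sig_alg "$demo/leaf.pem")"
# Case 1: client trusts only the root and the peer sends no intermediate.
# Case 2: same trust store, peer sends the intermediate (-untrusted).
# Case 3: intermediate added to the client trust store.
for opts in "-CAfile root.pem" "-CAfile root.pem -untrusted int.pem" "-CAfile root_plus_int.pem"; do
  if leaf_verifies "$demo" $opts; then echo "PASS  $opts"; else echo "FAIL  $opts"; fi
done
```

Only the first case fails: either the peer presenting the intermediate or the client already trusting it is enough for the chain to build.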

                          • 10. Re: FMS 13v1a breaks FMS when "Require Secure Connections" is check marked
                            MatthewHenderson

                            If that is their suggestion, why isn't it documented? FileMaker seems to not be taking this very seriously.

                            There also is no documentation on how to replace certificates, so better get a three year certificate.

                            You should try my workaround. It utilizes the built in certificate that comes with FileMaker client for the clients so you won't have to touch any of them. For the WebDirect users you get a trusted third party certificate. It is basically the way it used to work in FileMaker 11. I have had mine in production for several months with no issues.

                            • 11. Re: FMS 13v1a breaks FMS when "Require Secure Connections" is check marked
                              fmarker

                              I have the same problem as John but am using a certificate from a non-approved vendor.  I followed Matthew's procedure to import the certificate and remove the serverRequest.pem, serverKey.pem, and serverCustom.pem from the C:\Program Files\Filemaker\Filemaker Server\Cstore folder after installation and, indeed, FM Pro clients can now see and open all of the hosted databases with "Require Secure Connections" checked on the server and the Get (ConnectionState) function returns a 2 showing that the connection is secure using the default FM supplied certificate.  Also now when accessing the FMS Admin Console using https, I no longer receive any certificate error as I did before the installation of the non-approved certificate.

                              WebDirect users, however, are not secure - Get(ConnectionState) returns a 1.  For grins, I copied the same serverRequest.pem, serverKey.pem, and serverCustom.pem files into the C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\CStore folder and then all hosted databases with WebDirect enabled, magically, disappeared from the WebDirect home page - just like when these same files are in C:\Program Files\Filemaker\Filemaker Server\Cstore.  Hmmm......

                              So a non-approved vendor certificate appears to secure the connection to FMS Admin Console but nothing but a default FM cert appears to secure the connection with FMP clients.

                               

                              TSFalcon what are the latest findings in the FM labs?

                               

                              • 12. Re: FMS 13v1a breaks FMS when "Require Secure Connections" is check marked
                                Fred Marker:
                                 
                                Thank you for the post.
                                 
                                We are aware that only the certificates in the knowledge base article below are fully supported at this time.
                                 
                                 
                                I have no additional information at this time. 
                                 
                                TSFalcon
                                FileMaker, Inc.