When I run Vulnerability scans against our FOP2 server I am seeing warnings for various SSL vulnerabilities on port 4445. These include Weak SSL Ciphers, SSLv2 And SSLv3 detected, and POODLE vulnerability. I know that fop2_server is attached to port 4445. Can anyone give me insight into how to secure the SSL implementation for FOP2?
-
8 years ago
-
FOP2 will only negotiate TLS 1.2 connections for websocket. A real life test with Chrome or Firefox should always results in a perfectly secure connection running over TLS v1.2. So you should not have to worry about those scans results.
-
I understand, but FOP2 is offering up weak ciphers and SSLv2 or SSLv3. How can I disable SSLv2 and v3? How how do I enforce strong ciphers? If all modern browsers support TLS v1.2, we should be able to disable SSLv2/3.
-
No browser exists that negotiates websockets with SSL3. It just does not exist.
FOP2 is not a web server, protocol is not HTTPS, there are no way you can have a valid client negotiating SSL3 in the websocket port with FOP2 server, as no such browser exists. Any browser supporting secure websockets has SSL3 disabled and will use TLS 1.2. Other browsers just do not support websocket at all, let alone secure websocket.
Probably, in a future release, FOP2 will use a newer SSL library that has SSL3 disabled by default. but it is not really an issue in this case as there is no way you can have older clients using that protocol, as such clients never existed in the first place. For now I will refrain to update the library as it might make FOP2 incompatible with some older linux distributions.
Besides, if FOP2 is unable to negotiate websocket or secure websocket, it will then fallback to standard flash xmlsockets, that are in plain text and not encrypted in any way or form.
