Cool Solutions

Novell Datasync Server SSL “Beast” vulnerability




December 18, 2012 12:04 pm


An SSL vulnerability affects certain configurations of web browsers, and other applications that use similar encryption methods, and exposes them to a “man-in-the-middle” security failure.

A complete description of the vulnerability can be found at the following link.

Vulnerability Summary for CVE-2011-3389:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389

This vulnerability is present in the default configuration for Datasync Mobility, and can be seen by downloading and running the following vulnerability testing tool.

Beast vulnerability test instructions and download link:
http://bl0g.yehg.net/2012/05/beastpl-ssltls-beast-vulnerability.html

This vulnerability can be closed by configuring the SSL communications that Datasync uses to only allow unaffected handshake protocols.

Below is a link to, and excerpt from, the section of documentation that shows the required options.

I have found that the following settings will allow Datasync Mobility to pass the vulnerability test.

<sslMethod>5</sslMethod>
<sslCiphers>RC4-SHA</sslCiphers>

So far I haven’t seen any issues with device connections since I made the changes.

SSL Configuration option from Datasync Mobility documentation:

“5.1.4 Selecting a Specific Version of SSL

By default, the Mobility Connector accepts connections from mobile devices that use SSLv3 and TLSv1, but rejects connections from mobile devices that use SSLv2. If a user’s mobile device tries to connect using SSLv2, the user receives an error and cannot connect. You can enable and disable different versions of SSL protocols and also specify the cipher to use with the desired protocol.

In Synchronizer Web Admin, click the Mobility Connector to display the Mobility Connector Configuration page, then click Edit XML Source to display the Connector XML Source window.

Add the following tags between the <custom> and </custom> tags:

<sslMethod>value</sslMethod>
<sslCiphers>list</sslCiphers>

In the <sslMethod> tag, replace value with any of the following values:

    SSL Version         Value
    SSLv2               1 (not recommended)
    SSLv3               2
    TLSv1               4
    All of the above    3 (not recommended)
    SSLv3 and TLSv1     5 (default)

In a terminal window, use the following command to determine the ciphers that are available on your system:

openssl ciphers -ssl3

In the <sslCiphers> tag in the Connector XML Source window, replace list with the desired values as provided by the openssl command.

Click Save XML to save your changes, then click Home to return to the main Synchronizer Web Admin page.

Restart the Mobility Connector to put the desired SSL protocol and ciphers into effect.”
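
A configuration check for the settings discussed above, as an added example that is not part of the original article or the Datasync documentation: it parses a connector <custom> block and reports cipher suites that remain exposed to CVE-2011-3389. The function name and sample blocks are hypothetical, and it assumes <sslCiphers> holds explicit OpenSSL cipher names and that an absent <sslMethod> means the documented default of 5.

```python
import re
import xml.etree.ElementTree as ET

# sslMethod values from the documentation table quoted in this article.
SSL_METHODS = {1: {"SSLv2"}, 2: {"SSLv3"}, 3: {"SSLv2", "SSLv3", "TLSv1"},
               4: {"TLSv1"}, 5: {"SSLv3", "TLSv1"}}  # 5 is the documented default

def audit_custom_block(xml_text):
    """Return findings for a connector <custom> block (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    raw_method = (root.findtext("sslMethod") or "5").strip()  # absent tag = default
    try:
        protocols = SSL_METHODS[int(raw_method)]
    except (ValueError, KeyError):
        return [f"sslMethod {raw_method!r} is not a documented value"]
    findings = []
    if "SSLv2" in protocols:
        findings.append("SSLv2 is enabled (documentation: not recommended)")
    # Assumption: explicit cipher names, separated as `openssl ciphers` prints them.
    ciphers = [c for c in re.split(r"[:,\s]+", root.findtext("sslCiphers") or "") if c]
    if not ciphers:
        findings.append("no <sslCiphers> restriction (default cipher selection)")
        return findings
    beast_protocols = "/".join(sorted(protocols - {"SSLv2"}))
    for name in ciphers:
        upper = name.upper()
        if "RC4" in upper:
            continue  # stream cipher: no CBC chaining for CVE-2011-3389 to target
        if "NULL" in upper:
            findings.append(f"{name}: provides no encryption")
        elif beast_protocols:
            # In SSLv3 and TLSv1 every remaining suite uses a block cipher in CBC mode.
            findings.append(f"{name}: CBC suite, exposed to CVE-2011-3389 over {beast_protocols}")
    return findings

# Constructed sample blocks, not taken from a real server.
DEFAULT_BLOCK = "<custom></custom>"
HARDENED_BLOCK = "<custom><sslMethod>5</sslMethod><sslCiphers>RC4-SHA</sslCiphers></custom>"
MIXED_BLOCK = ("<custom><sslMethod>3</sslMethod>"
               "<sslCiphers>RC4-SHA:AES128-SHA:DES-CBC3-SHA</sslCiphers></custom>")

if __name__ == "__main__":
    for label, block in [("default", DEFAULT_BLOCK), ("hardened", HARDENED_BLOCK),
                         ("mixed", MIXED_BLOCK)]:
        print(label, audit_custom_block(block) or "no findings")
```

RC4-SHA was the accepted BEAST workaround when this article was written; RFC 7465 has since prohibited RC4 cipher suites in TLS.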


Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.
