Related Tips & Info

Novell Datasync Server SSL "Beast" vulnerability

jamestaylor
0 Likes
There is an SSL vulnerability for certain configurations of web browsers and other applications that use similar encryption methods that expose them to a "man-in-the-middle" security failure.

A complete description of the vulnerability can be found at the following link.

Vulnerability Summary for CVE-2011-3389:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389

This vulnerability is present in the default configuration for Datasync Mobility, and can be seen by downloading and running the following vulnerability testing tool.

Beast vulnerability test instructions and download link:
http://bl0g.yehg.net/2012/05/beastpl-ssltls-beast-vulnerability.html

This vulnerability can be closed by configuring the SSL communications that Datasync uses to only allow unaffected handshake protocols.

Below is a link to, and excerpt from, the section of documentation that shows the required options.

I have found that the following settings will allow Datasync Mobility to pass the vulnerability test.
<sslMethod>5</sslMethod>
<sslCiphers>RC4-SHA</sslCiphers>

So far I haven't seen any issues with device connections since I made the changes.

SSL Configuration option from
Datasync Mobility documentation:

"5.1.4 Selecting a Specific Version of SSL

By default, the Mobility Connector accepts connections from mobile devices that use SSLv3 and TLSv1, but rejects connections from mobile devices that use SSLv2. If a user’s mobile device tries to connect using SSLv2, the user receives an error and cannot connect. You can enable and disable different versions of SSL protocols and also specify the cipher to use with the desired protocol.

In Synchronizer Web Admin, click the Mobility Connector to display the Mobility Connector Configuration page, then click Edit XML Source to display the Connector XML Source window.

Add the following tags between the <custom> and </custom> tags:
<sslMethod>value</sslMethod>
<sslCiphers>list</sslCiphers>

In the <sslMethod> tag, replace value with any of the following values:
    SSL Version			Value

    SSLv2				1 (not recommended)

    SSLv3				2

    TLSv1				4

    All of the above			3 (not recommended)

    SSLv3 and TLSv1		5 (default)

In a terminal window, use the following command to determine the ciphers that are available on your system:

openssl ciphers -ssl3

In the <sslCiphers> tag in the Connector XML Source window, replace list with the desired values as provided by the openssl command.

Click Save XML to save your changes, then click Home to return to the main Synchronizer Web Admin page.

Restart the Mobility Connector to put the desired SSL protocol and ciphers into effect."

Labels:

How To-Best Practice
Comment List
Related
Recommended

Resources

Support
Documentation
Learning Services
CyberRes Academy
Partner Programs
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Conduct
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.