Forum: PowerTCP WebServer for ActiveX
Topic: CVE-2014-0224
mjxnjx

From: sunnyvale, CA USA
Posts: 26
Member Since: 06/15/05
posted July 10, 2014 1:54 PM

Hello,

We use DART's web server for ActiveX and were recently made aware that we may be vulnerable to the recently discovered CVE-2014-0224 (Change Cipher Attack) due to flaws in OpenSSL. Can you check to see if this is true?

https://www.imperialviolet.org/2014/06/05/earlyccs.html
Nick B (Admin)

From: Utica, NY USA
Posts: 619
Member Since: 05/25/10

posted July 10, 2014 2:48 PM

Hello,

Our ActiveX components utilize Microsoft's Cryptography API for our SSL implementation; they do not use OpenSSL.
mjxnjx

From: sunnyvale, CA USA
Posts: 26
Member Since: 06/15/05
posted July 10, 2014 6:12 PM

Thanks, that's a bit of a relief. Any ideas, though, why two different security software products (one from a customer, one used by us) claim we are vulnerable to this?

Also, is there a way to disable SSL 2.x support but keep the auto-negotiate on? I know it's never used, but these security tests keep complaining that we support it.
Nick B (Admin)

From: Utica, NY USA
Posts: 619
Member Since: 05/25/10

posted July 11, 2014 11:17 AM

Hello,

What software are you/your customer using for this testing?

There is no way to disable SSL 2.x on the control itself and keep auto-negotiate, but you may be able to disable it with the checkbox under the 'Advanced' tab of Internet Options from the Control Panel. This will disable it for many applications, however.
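Since the control negotiates through Microsoft's Cryptography API rather than its own TLS stack, the system-wide Schannel policy keys are the server-side place to turn SSL 2.0 off (the Internet Options checkbox governs client connections made through WinINet). The script below is an added example, not code from this thread or from Dart; it assumes the WebServer control honours the standard Schannel protocol keys like any other Schannel server on the machine.

```powershell
# Added example (not from the thread or from Dart). Audits the Schannel policy key
# that governs SSL 2.0 for the server role and, with -Fix, disables the protocol.
# Assumption: the WebServer control negotiates via Schannel, so this system-wide
# setting applies to it and to every other Schannel-based server on the host.
# Run from an elevated PowerShell prompt; the change takes effect after a reboot.
param([switch]$Fix)

$base     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocol = 'SSL 2.0'
$key      = Join-Path $base "$protocol\Server"

function Get-ProtocolState {
    # Interpret the two DWORDs Schannel reads for a protocol/role pair.
    if (-not (Test-Path $key)) { return 'default (no policy set; OS default applies)' }
    $p = Get-ItemProperty -Path $key
    if ($p.Enabled -eq 0)           { return 'disabled' }
    if ($p.DisabledByDefault -eq 1) { return 'off unless an application opts in explicitly' }
    return 'enabled'
}

$before = Get-ProtocolState
Write-Host "$protocol (Server) before: $before"

if ($Fix) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off even for
    # applications that would otherwise negotiate it.
    Set-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
    Write-Host "$protocol (Server) after:  $(Get-ProtocolState) (reboot required)"
}
```

After the reboot, re-run the external scanner mentioned later in the thread to confirm SSL 2.0 is no longer offered; the audit mode (no -Fix) is safe to run on any host to see the current policy.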
mjxnjx

From: sunnyvale, CA USA
Posts: 26
Member Since: 06/15/05
posted July 16, 2014 12:09 PM

Sure, we used the following websites to test with (not sure what the customer used):

https://www.ssllabs.com/ssltest/
https://www.wormly.com/test_ssl

SSL Labs reports we are "vulnerable but probably not exploitable" to the Cipher Attack. This test is experimental and I don't fully trust the results (especially since you say you don't use OpenSSL), so I will discuss this with SSL Labs and won't trouble you further on it.

SSL Labs gives us an automatic "F" rating and Wormly gives us an "insecure" warning because DART supports SSL 2.x in its auto-negotiation, though. This is a problem that DART could and probably should correct. SSL 2.x hasn't been available in any browser since IE 6.x and is considered highly insecure. There needs to be an option to disable this in the DART negotiation.
Jamie Powell (Admin)

From: Rome, NY USA
Posts: 448
Member Since: 03/13/07

posted July 17, 2014 1:23 PM

Thank you for your post. A reply has been sent regarding this thread to your email address. Please let me know if you require this email be resent and I will be happy to do so.

Any further communication pertaining to this request or your account will be handled off-line.

Best regards,
Jamie