| Dart Home | PowerTCP WebServer for ActiveX | Custom Development | Reply | PowerTCP WebServer for ActiveX Topics | Forums |
| Author | Forum: PowerTCP WebServer for ActiveX Topic: CVE-2014-0224 |
| mjxnjx From: sunnyvale, CA USA Posts: 26 Member Since: 06/15/05 |
posted July 10, 2014 1:54 PM Hello, We use DART's web server for ActiveX and were recently made aware that we may be vulnerable to the recently discovered CVE-2014-0224 (Change Cipher Attack) due to flaws in OpenSSL. Can you check to see if this is true? https://www.imperialviolet.org/2014/06/05/earlyccs.html |
| Nick B (Admin) From: Utica, NY USA Posts: 619 Member Since: 05/25/10 Extra Support Options Custom Application Development |
posted July 10, 2014 2:48 PM Hello, Our ActiveX components utilize Microsoft's Cryptography API for our SSL implementation; they do not use OpenSSL. |
| mjxnjx From: sunnyvale, CA USA Posts: 26 Member Since: 06/15/05 |
posted July 10, 2014 6:12 PM Thanks, that's a bit of a relief. Any ideas why though that two different security software (one from a customer / one used by us) claims we are vulnerable to this? Also, is there a way to disable SSL 2.x support but keep the auto-negotiate on? I know it's never used, but this security tests keep complaining that we support it. |
| Nick B (Admin) From: Utica, NY USA Posts: 619 Member Since: 05/25/10 Extra Support Options Custom Application Development |
posted July 11, 2014 11:17 AM Hello, What software are you/your customer using for this testing? There is no way to disable SSL 2.x on the control itself and keep autonegotiate, but you may be able to disable it with the checkbox under the 'Advanced' tab of Internet Options from the Control Panel. This will disable it for many applications however. |
| mjxnjx From: sunnyvale, CA USA Posts: 26 Member Since: 06/15/05 |
posted July 16, 2014 12:09 PM Sure, we used the following websites to test with (not sure what the customer used): https://www.ssllabs.com/ssltest/ https://www.wormly.com/test_ssl SSL Labs reports we are "vulnerable but probably not exploitable" to the Cipher Attack. This test is experimental and I don't fully trust the results (especially since you say you don't use OpenSSL), so I will discuss this with SSL labs and won't trouble you further on it. SSL Labs gives us an automatic "F" rating and Wormly gives us an "insecure" warning because DART supports SSL 2.x in it's auto-negotiation though. This is a problem that DART could and probably should correct. SSL 2.x hasn't been available in any browser since IE 6.x and is considered highly insecure. There needs to be an option to disable this in the DART negotiation. |
| Jamie Powell (Admin) From: Rome, NY USA Posts: 448 Member Since: 03/13/07 Extra Support Options Custom Application Development |
posted July 17, 2014 1:23 PM Thank you for your post. A reply has been sent regarding this thread to your email address. Please let me know if you require this email be resent and I will be happy to do so. Any further communication pertaining to this request or your account will be handled off-line. Best regards, Jamie |
| Reply | PowerTCP WebServer for ActiveX Topics | Forums |
This site is powered by
PowerTCP WebServer for ActiveX
|