NetTalk Central

Author Topic: OPEN SSL CCS Vulnerability  (Read 11150 times)

broche

  • Sr. Member
  • ****
  • Posts: 336
OPEN SSL CCS Vulnerability
« on: November 24, 2015, 12:00:15 PM »
Hi, just went to the https://www.ssllabs.com site and ran a check on some customers' sites using Nettalk.
The result was an F and it scares me.  I have no idea about most of this stuff so a learning curve ahead.
Said the site was vulnerable to the OPEN SSL CCS Vulnerability?  Any pointers would be appreciated.

Nettalk 8.64 or so.

Brian.
Brian

urayoan

  • Full Member
  • ***
  • Posts: 222
Re: OPEN SSL CCS Vulnerability
« Reply #1 on: November 24, 2015, 12:52:31 PM »
broche, without the full report it is a little bit difficult to guess what's going on with your servers, but here are some tips and things you can check to secure your server.

Make sure you have the latest SSL Libraries provided by Bruce with the template.

libeay32.dll   ver. 1.0.2d
libssl32.dll   ver. 1.0.2d
ssleay32.dll   ver. 1.0.2d
msvcr120.dll   ver. 12.00.21005.1

I am running NetTalk 8.64, so maybe Bruce has more recent libraries in 8.66.
This should fix the OPEN SSL CCS Vulnerability.

Try to make your certificates with a Certificate Authority (if applicable) with signature algorithm SHA2.

In my case, in the Secure Server Object I set this:
    Self.SSLMethod = NET:SSLMethodTLSv1_2
This is to make sure the server only uses the most recent TLS protocol. The catch here is, this setting can give old browsers a hard time, but who wants to use an old insecure browser? <g>

Check and let us know how it goes.

In my case, making the same test with NT 8.64 I receive A- (for reference)

*************** CODE ***************
ThisSecureServer.Open PROCEDURE

! Start of "NetTalk Method Data Section"
! [Priority 5000]

! End of "NetTalk Method Data Section"

  CODE
  ! Start of "NetTalk Method Executable Code Section"
  ! [Priority 4500]
      Self.SSLMethod = NET:SSLMethodTLSv1_2
  ! Parent Call
  PARENT.Open


Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11298
Re: OPEN SSL CCS Vulnerability
« Reply #2 on: November 26, 2015, 01:32:05 AM »
Hi Brian,

what Ura said.

If you want to (privately) send me a URL for one of the sites I can run the test from here and see what the report is saying.

cheers
Bruce

broche

  • Sr. Member
  • ****
  • Posts: 336
Re: OPEN SSL CCS Vulnerability
« Reply #3 on: November 28, 2015, 07:24:24 AM »
Thank You,

Will check these items and let you know.  If still an issue I will take Bruce up on the offer.
Thanks again.
Brian

broche

  • Sr. Member
  • ****
  • Posts: 336
Re: OPEN SSL CCS Vulnerability
« Reply #4 on: December 04, 2015, 07:32:27 AM »
Did as advised and the grade is now A-
Thanks.
Brian

urayoan

  • Full Member
  • ***
  • Posts: 222
Re: OPEN SSL CCS Vulnerability
« Reply #5 on: December 04, 2015, 07:47:51 AM »
That's good news broche!

Thanks for letting us know

walter.dasilva

  • Sr. Member
  • ****
  • Posts: 314
  • SOFTVALE
Re: OPEN SSL CCS Vulnerability
« Reply #6 on: December 04, 2015, 08:22:18 AM »
Yes Broche,

could you share?

Thanks
Walter - SOFTVALE

broche

  • Sr. Member
  • ****
  • Posts: 336
Re: OPEN SSL CCS Vulnerability
« Reply #7 on: December 05, 2015, 12:30:51 AM »
Simple, I just checked the version of the files indicated and made sure that they were the most current.  Also a little embarrassing, as I was checking what I thought was the correct domain name; turns out that there are a few out there very similar and they must be badly set up.  Thanks to Bruce for making sure we are good.  I took a shot of the now A- report and sent it to a very happy customer.  My main application deals with a lot of medical records so this rating is very important.

Brian.
Brian

broche

  • Sr. Member
  • ****
  • Posts: 336
Re: OPEN SSL CCS Vulnerability
« Reply #8 on: December 05, 2015, 12:47:14 AM »
Just a quick brief on the setup of one of my customers if you want to know:

Dedicated server from AIT in the cloud, running Xencenter making two VM's.
One for the application and front end to the Internet, the second houses the Postgres database. Very reasonable cost per month.
Manage the servers using Xencenter, very nice can look at and switch between servers very easily.
This is an SSL site with certificates from Digicert.  I find Digicert very good and the support is excellent.  A little more expensive than some but worth it.

As a note I run Netdrive on the main server.  This allows me to map a drive letter to an SFTP site so I can import voice files into the database easily by just referring to a drive letter instead of all the FTP stuff.  Also allows for easy remote backup.

I use email extensively and use vuMail to do this.  Works well but I am looking at using Nettalk instead.

Postgres is free and very dependable.  A few little quirks to setup but other than that very easy to manage.  Some good webinars on ClarionLive about Postgres.

Really looking forward to Nettalk 9 and running disconnected apps on other devices.  I have customers and their customers asking me this every week.

Thanks for the support.
Brian

walter.dasilva

  • Sr. Member
  • ****
  • Posts: 314
  • SOFTVALE
Re: OPEN SSL CCS Vulnerability
« Reply #9 on: December 07, 2015, 03:31:06 AM »
Thanks Broche
Walter - SOFTVALE

walter.dasilva

  • Sr. Member
  • ****
  • Posts: 314
  • SOFTVALE
Re: OPEN SSL CCS Vulnerability
« Reply #10 on: December 08, 2015, 05:59:53 AM »
Hi all,

I've got B.

Should msvcr90.dll be deployed together with msvcr120.dll? Because if I delete msvcr90.dll the app doesn't work.
I did what urayoan said but I am still getting B.

:(
Walter - SOFTVALE

urayoan

  • Full Member
  • ***
  • Posts: 222
Re: OPEN SSL CCS Vulnerability
« Reply #11 on: December 08, 2015, 06:33:08 AM »
Walter, check that your SSL certificate is issued with the SHA2 algorithm (just guessing).

The report points out why you get the grade. That would be helpful.

In some cases, the SSL certificate Authority can re-issue the same certificate with SHA2 algorithm (if that is the case).

Cheers


walter.dasilva

  • Sr. Member
  • ****
  • Posts: 314
  • SOFTVALE
Re: OPEN SSL CCS Vulnerability
« Reply #12 on: December 08, 2015, 10:28:47 AM »
Well,

Something became better but I am still getting these alerts:

1. The server does not support Forward Secrecy with the reference browsers.
2. This server's certificate chain is incomplete. Grade capped to B.

Thanks
Walter - SOFTVALE

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11298
Re: OPEN SSL CCS Vulnerability
« Reply #13 on: December 08, 2015, 10:58:00 PM »
>> 1. The server does not support Forward Secrecy with the reference browsers.

This is not a problem for now. Yes forward-security is ideal (and I'm looking into it) but it's not a security issue at the moment (or anytime soon). It has to do with the cipher being used.

>> 2. This server's certificate chain is incomplete. Grade capped to B.

I'm guessing the certificate you deployed does not include the necessary intermediate certificates.
See http://www.capesoft.com/docs/NetTalk8/NetTalkWebSecure.htm#UsingIntermediateCertificates

Cheers
Bruce
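An added example (not CapeSoft's or NetTalk's code) of the check I would run on a .crt bundle before deploying it, to catch the two things the report and Bruce's reply point at: a missing intermediate, and intermediates pasted in the wrong order. The path .\server.crt is a placeholder; the bundle is expected to hold the server certificate first, followed by each intermediate, each certificate immediately followed by the one that issued it.

```powershell
# Added example (not CapeSoft/NetTalk code): check a PEM bundle before using it as the
# server .crt. Path '.\server.crt' is a placeholder. Expected order: leaf first, then
# each intermediate, every certificate immediately followed by the one that issued it.
function Get-PemCertificates {
    param([string]$Path)
    $text = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        # The base64 between the markers is the DER-encoded certificate
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

function Test-CertificateChainFile {
    param([string]$Path)
    $certs = @(Get-PemCertificates -Path $Path)
    $problems = [System.Collections.Generic.List[string]]::new()
    if ($certs.Count -eq 0) { $problems.Add('no certificates found in bundle'); return $problems }
    $leaf = $certs[0]

    # The first certificate must be the server (end-entity) certificate, not a CA certificate
    $bc = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($bc -and $bc.CertificateAuthority) { $problems.Add('first certificate is a CA certificate; the server certificate must come first') }
    # SSL Labs penalises SHA-1 signatures; if this fires, have the CA reissue with SHA-2
    if ($leaf.SignatureAlgorithm.FriendlyName -match 'sha1') { $problems.Add("leaf signed with $($leaf.SignatureAlgorithm.FriendlyName); reissue with SHA-2") }

    # Each certificate must be followed by its issuer; wrong order or a missing intermediate shows up here
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        if ($certs[$i].Issuer -ne $certs[$i + 1].Subject) {
            $problems.Add("certificate $i is not followed by its issuer ('$($certs[$i].Issuer)'); out of order or intermediate missing")
        }
    }
    if ($certs.Count -eq 1) { $problems.Add('bundle holds only the leaf; if the CA signs through an intermediate it must be appended') }

    # Let Windows build the chain from the bundled intermediates only (unknown root allowed, revocation
    # skipped). Windows may still fetch a missing intermediate via AIA, so the ordering checks above
    # are the authoritative ones for what the server itself will send to browsers.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    for ($i = 1; $i -lt $certs.Count; $i++) { [void]$chain.ChainPolicy.ExtraStore.Add($certs[$i]) }
    if (-not $chain.Build($leaf)) {
        foreach ($s in $chain.ChainStatus) { $problems.Add("chain build: $($s.Status) $($s.StatusInformation.Trim())") }
    }
    return $problems
}

$issues = Test-CertificateChainFile -Path '.\server.crt'
if ($issues.Count -eq 0) { 'bundle looks complete and correctly ordered' } else { $issues }
```

Run it against the .crt you are about to deploy; an empty result means the leaf comes first and every intermediate the server will send is present and in order.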

walter.dasilva

  • Sr. Member
  • ****
  • Posts: 314
  • SOFTVALE
Re: OPEN SSL CCS Vulnerability
« Reply #14 on: December 09, 2015, 05:55:59 AM »
Hi Bruce,

With 1. OK.

With 2. +-. I got the intermediate certificates from my CA and included them in my .crt. My app stopped working. On the client side (IE, Chrome and Firefox) I started getting the error ssl_error_no_cypher_overlap (Firefox). After that, I edited it again to take out the intermediate certificates and the error was still happening.

I had to restore a backup.

Should I run CreateCertificateSigningRequest.Bat after including the intermediate certificate?

Thanks
Walter - SOFTVALE