Support Knowledge Center

Exinda Appliances, SSLv3 and Heartbleed

Article Number: 000001753
Published: August 18, 2016
Categories: Software

Because of vulnerabilities in SSLv3, the firmware removed it as an option starting in v6.4.6 and relies on TLS instead.

The Exinda appliances have supported Transport Layer Security (TLS) 1.2 since the initial version, because of the Apache web server they use. SSLv3 was also offered as an option for legacy reasons. When the web UI is used, the client and the Exinda appliance negotiate which security protocol to use. The protocol chosen varies with what both the client and the server support, since both sides must share a common protocol. TLS has been a standard for a long time and is considered more secure than SSL. However, for older clients, or clients that do not have the capability to use TLS, SSLv3 was offered as a fallback.

In 2015, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack was found, a serious vulnerability in SSLv3. While it was not the first weakness in SSLv3, it gives attackers a way to recover credentials during the connection negotiation instead of having them sent securely.

As a result, starting in ExOS version 6.4.6, SSLv3 support is disabled. While the protocol still exists on the server, it is no longer used.
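As an added example (not Exinda's code or tooling), a small probe an administrator can run from a client machine after upgrading to 6.4.6 to confirm the appliance no longer negotiates SSLv3: it sends an SSLv3-only ClientHello and reads the version from the first record the server returns. The hostname is a placeholder, and the sample replies are constructed for offline checking, not captured from a real appliance.

```python
import socket
import struct

# Protocol versions as encoded on the wire (major, minor).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def build_client_hello(version=(3, 0)):
    """Minimal ClientHello that offers only `version` (SSLv3 by default) and
    three RSA cipher suites; no extensions, as an SSLv3-only client would send."""
    ciphers = b"\x00\x2f\x00\x35\x00\x0a"           # AES128-SHA, AES256-SHA, DES-CBC3-SHA
    body = (bytes(version) + b"\x00" * 32           # client_version + fixed client random
            + b"\x00"                               # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Map the first record the server sends back to a negotiated version name,
    'alert' (server refused the offered version) or 'unknown'."""
    if len(data) < 5:
        return "unknown"
    if data[0] == 0x15:                             # Alert record
        return "alert"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        return VERSIONS.get((data[9], data[10]), "unknown")
    return "unknown"

def sslv3_accepted(host, port=443, timeout=5):
    """True only if the server answers with an SSLv3 ServerHello; an alert,
    a reset or a silent close all count as SSLv3 being disabled."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello((3, 0)))
            return classify_response(sock.recv(4096)) == "SSLv3"
    except (socket.timeout, ConnectionError):
        return False

# Constructed sample replies (not captured from a real appliance) for offline checks.
SAMPLE_SSLV3_HELLO = b"\x16\x03\x00\x00\x26\x02\x00\x00\x22\x03\x00" + b"\x00" * 34
SAMPLE_TLS12_HELLO = b"\x16\x03\x03\x00\x26\x02\x00\x00\x22\x03\x03" + b"\x00" * 34
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"     # fatal protocol_version alert

if __name__ == "__main__":
    host = "exinda-appliance.example"   # placeholder: the appliance's management address
    print("SSLv3 accepted:", sslv3_accepted(host))
```

An appliance on 6.4.6 or later should return False (typically a protocol_version alert or a closed connection); a True result means the legacy fallback is still being negotiated and the firmware version should be rechecked.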

On a related topic, the Exinda appliances are also not affected by the 'Heartbleed' bug found in OpenSSL, because they use a version of the library that is unaffected by it.