A security weakness was recently discovered in version 3 of the SSL protocol, known as the POODLE vulnerability. Axcient developed the following solutions to ensure that Anchor is not vulnerable to this issue.
The Apache configuration for syncedtool.com and syncedtool.ca was updated to include a new set of SSL ciphers. These ciphers successfully mitigate the risks off POODLE by disabling weak CBC ciphers. These changes also mitigate BEAST server-side attacks and add robust forward security.
As long as you have the latest Apache updater, you are safe from the POODLE vulnerability. You can find instructions for downloading the latest Apache updater here.
If, however, you have an older version of the Apache update, you may need to change your SSLCipherSuite settings manually:
- Set SSLHonorCipherOrder on
- SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS”\
Finally, you may also choose to wait for the next patch, but given the seriousness of the POODLE vulnerability, we urge you to download the latest Apache updater or update your settings manually, as instructed above.
We deployed a new version on Friday, Oct. 24th, of our installer/updater tool for the Desktop Client and Outlook Plugin that works even when SSLv3 is completely disabled (via TLS).