A new Internet security threat was announced this week. A vulnerability in SSLv2 can be used to attack and decrypt TLS connections when SSLv2 is enabled on the server. You are welcome to read more about it here:
– The DROWN Attack
– CVE-2016-0800: Cross-protocol attack on TLS using SSLv2 (DROWN)
Even though this bug does not directly affect ISL Online users, we feel that a bug of such severity deserves a blog post, so that our users can be informed of the actions taken by our administrators, as well as of any additional recommendations.
ISL Conference Proxy 4.1.0 has SSLv2 disabled by default. This means that no mitigation was needed by ISL Online administrators once the vulnerability was announced. Our hosted service (SaaS) users are fully protected and do not need to do anything.
However, if you are a Server Licence user and your server is running ISL Conference Proxy 4.0.5 or older, follow these steps in order to completely disable SSLv2 on your ISL Conference Proxy:
1. Open ICP administration (http://localhost:7615/conf).
2. Go to “Configuration” -> “General”.
3. Uncheck the checkbox in front of the setting “HTTPT SSL protocol” and modify the value so that it includes the following: all -SSLv2.
4. Click “Save” at the bottom to apply the changes.
5. Perform tests (with one of the online SSL security scanners or with other tools such as sslscan) and confirm that the server no longer accepts SSLv2 connections.
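If you prefer to verify step 5 yourself rather than rely on an external scanner, the following added example (not ISL Online's code) sends a bare SSLv2 CLIENT-HELLO to a host and port of your choosing and reports whether the server answers with an SSLv2 SERVER-HELLO. The host and port are assumptions; use whatever address and port your ISL Conference Proxy HTTPS listener is bound to.

```python
import socket
import struct

# SSLv2 cipher-spec codes (3 bytes each) offered in the probe. Codes follow the
# SSLv2 draft specification; a server that answers with any of them has SSLv2 enabled.
SSLV2_CIPHERS = [
    bytes.fromhex("010080"),  # SSL_CK_RC4_128_WITH_MD5
    bytes.fromhex("020080"),  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    bytes.fromhex("030080"),  # SSL_CK_RC2_128_CBC_WITH_MD5
    bytes.fromhex("040080"),  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    bytes.fromhex("050080"),  # SSL_CK_IDEA_128_CBC_WITH_MD5
    bytes.fromhex("060040"),  # SSL_CK_DES_64_CBC_WITH_MD5
    bytes.fromhex("0700c0"),  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]

def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Build an SSLv2 CLIENT-HELLO record with a 2-byte header (high bit set)."""
    ciphers = b"".join(SSLV2_CIPHERS)
    # type=CLIENT-HELLO(0x01), version=0x0002, cipher-spec length, session-id length, challenge length
    body = struct.pack(">BHHHH", 0x01, 0x0002, len(ciphers), 0, len(challenge))
    body += ciphers + challenge
    # Header bit 7 set = 2-byte header without padding; the low 15 bits carry the length.
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_sslv2_response(data: bytes):
    """Return (is_sslv2_server_hello, accepted_cipher_specs) for a raw reply, or None if not SSLv2."""
    if len(data) < 3 or not data[0] & 0x80:
        return None  # e.g. a TLS alert record, or nothing at all: the server did not speak SSLv2
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if not body or body[0] != 0x04:  # 0x04 = SERVER-HELLO; 0x00 = ERROR
        return (False, [])
    # SERVER-HELLO: type(1) session-id-hit(1) cert-type(1) version(2) cert-len(2) cipher-len(2) conn-id-len(2)
    _, _, _, version, cert_len, cipher_len, _ = struct.unpack(">BBBHHHH", body[:11])
    start = 11 + cert_len  # cipher specs follow the certificate
    specs = body[start:start + cipher_len]
    return (version == 0x0002, [specs[i:i + 3] for i in range(0, len(specs), 3)])

def server_supports_sslv2(host: str, port: int, timeout: float = 5.0) -> bool:
    """Connect, send the probe and report True only if an SSLv2 SERVER-HELLO comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        reply = sock.recv(4096)
    parsed = parse_sslv2_response(reply)
    return bool(parsed and parsed[0])
```

After applying the "all -SSLv2" setting, server_supports_sslv2 should return False; a True result means the change did not take effect and the server still needs attention.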
The latest version of OpenSSL will be included in the next version of ISL Conference Proxy.
As always, we strongly recommend that Server Licence users follow security best practices, especially keeping their servers up to date with the latest security patches for both the operating system and ISL Conference Proxy.