SSL/TLS protocol usage for HTTP

0 votes
asked Nov 21, 2014 by oki (250 points)
edited Nov 21, 2014

I'm evaluating your products and found on the feature list of "Rebex FTP/SSL for .NET" that you implemented the SSL/TLS protocols in conjunction with FTP.

I'm also evaluating ServiceStack (http://servicestack.net) self-hosted using .NET's HTTP Listener. SSL can be enabled by adding a certificate to the listener, but then I got stuck on selecting the SSL protocol and negotiation.

In October 2014 the SSLv3 protocol fell due to the so-called Poodle attack. Using a weakness in the SSLv3 protocol, the Poodle attack is able to decrypt communication that is sent from a web server over SSL-secured traffic.

As a workaround, is there a way to implement such a thing by combining your SSL/TLS implementation with ServiceStack?

1 Answer

0 votes
answered Nov 21, 2014 by Lukas Pokorny (94,270 points)
edited Nov 21, 2014

The Poodle attack only affects version 3 of the SSL protocol, and does not affect later versions. There is a lot of confusion, however - the SSL protocol was renamed in the late 90s, and what was originally supposed to become SSL 3.1 became TLS 1.0. Even though the final version of its specification appeared in 1999, it's still common to use the term SSL to refer to both SSL and TLS. Please check out our blog post on the Poodle attack for additional information and links.

This means that it should be easily possible to make ServiceStack immune to the Poodle attack, even without plugging our TLS/SSL implementation into it, by disabling SSL 3.0 and only allowing TLS 1.0, 1.1 and 1.2. If it uses .NET's HTTP Listener, this can be done either by editing the Windows registry or by using a special tool from Microsoft.

Combining our TLS/SSL implementation with ServiceStack might be possible as well, but that would require using a different HTTP server than .NET HTTP Listener. We don't have experience with ServiceStack, but even if it does support different hosts (it might be possible to run it on OWIN, for example, which would make this possible), the host would still have to be modified to support our TLS/SSL implementation. And as I wrote above, this might not really be needed.
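The registry change the answer refers to, as an added PowerShell example that is not part of the original answer or of any Rebex product: .NET's HttpListener sits on HTTP.sys, which takes its TLS settings from SCHANNEL, so disabling SSL 3.0 (and SSL 2.0) on the server side there is enough to close the Poodle exposure. It assumes a Windows host, an elevated session, and a reboot afterwards for SCHANNEL to pick up the change.

```powershell
# Added example: disable SSL 2.0 / SSL 3.0 for server-side SCHANNEL, which
# HTTP.sys (and therefore .NET HttpListener) uses. Run elevated; reboot to apply.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-ServerProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'SSL 3.0'

    $key = Join-Path (Join-Path $SchannelProtocols $Protocol) 'Server'
    if ($PSCmdlet.ShouldProcess($key, "Disable $Protocol for server-side SCHANNEL")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled = 0 switches the protocol off; DisabledByDefault = 1 keeps it off
        # for callers that do not ask for a specific protocol set.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-ServerProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)

    $key = Join-Path (Join-Path $SchannelProtocols $Protocol) 'Server'
    if (-not (Test-Path $key)) { return "$Protocol : no override (OS default)" }
    $p = Get-ItemProperty -Path $key
    $enabled = if ($null -ne $p.Enabled) { $p.Enabled } else { 'unset' }
    $dbd = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'unset' }
    return "$Protocol : Enabled=$enabled DisabledByDefault=$dbd"
}

# Turn off the broken protocols; TLS 1.0/1.1/1.2 stay at the OS default.
foreach ($proto in 'SSL 2.0', 'SSL 3.0') { Disable-ServerProtocol -Protocol $proto }

# Read back the resulting state for all protocols of interest.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    Get-ServerProtocolState -Protocol $proto
}
```

Run with `-WhatIf` on `Disable-ServerProtocol` first to see which keys would be written without changing anything.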

...