BEAST Security vulnerability in Filr (CVE-2011-3389)

  • 7022397
  • 29-Nov-2017
  • 12-Dec-2017

Environment

Micro Focus Filr 3.0

Situation

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

Resolution

A fix for this issue is available in the Filr 3.3 Update.

With the fix in place, the Filr server no longer accepts TLSv1.0 or TLSv1.1 connections; it accepts TLSv1.2 only. This is sufficient because BEAST depends on SSL 3.0 and TLS 1.0 using the last ciphertext block of the previous record as the IV for the next record: TLS 1.1 and later send an explicit per-record IV for CBC cipher suites, and TLS 1.2 additionally allows AEAD suites (for example AES-GCM) that do not use CBC at all.

Activating the Fix in Filr:
The fix is NOT enabled by default after applying the Filr 3.3 Update. To enable the fix, you must:
  1. Visit the Filr appliance configuration console (port 9443).
  2. Click on the Configuration cog wheel icon under Filr Appliance Tools and click on the 'Network' option in the sidebar.
  3. On the 'Network' options page check the option 'Enable TLS v1.2 Protocol ONLY' and click OK.
  4. This enables the "Reconfigure Filr Server" button in the left-hand sidebar.
  5. Click "Reconfigure Filr Server" and wait for the Filr service to restart.
  6. Repeat Steps 1-5 on all Filr nodes if you have a clustered Filr deployment.
  7. At this point the fix for this issue is enabled on your Filr server and it will only allow TLSv1.2.
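To confirm that the reconfiguration took effect, probe the server from a workstation with `openssl s_client` at each protocol version. The script below is an added example, not part of this TID or of the Filr product: FILR_HOST is a placeholder for your own appliance, and FILR_PORT defaults to 8443 on the assumption that this is the Filr web port (the TID does not state which ports the fix applies to, and the 9443 appliance console is a separate listener). The probe results are classified rather than just printed because newer OpenSSL builds refuse to offer TLSv1.0 or TLSv1.1 themselves, and a client-side refusal must not be mistaken for the server rejecting the version.

```shell
#!/bin/sh
# Added example (not from the TID): verify that a Filr server negotiates
# TLSv1.2 only. FILR_HOST and FILR_PORT are names assumed for this example.

# classify_handshake: reads `openssl s_client` output on stdin and prints
#   accepted     - a session was negotiated at the requested version
#   rejected     - the server refused the handshake
#   inconclusive - the local OpenSSL build does not offer that version (or
#                  does not know the flag), so the server was never tested
classify_handshake() {
    out=$(cat)
    case "$out" in
        *'no protocols available'*) echo inconclusive ;;
        *'unknown option'*)         echo inconclusive ;;
        *'Cipher is (NONE)'*)       echo rejected ;;
        *'Cipher is '*)             echo accepted ;;
        *)                          echo rejected ;;
    esac
}

# probe_version: one handshake attempt with the given s_client version flag
# (-tls1, -tls1_1 or -tls1_2) against $FILR_HOST:$FILR_PORT. "Q" on stdin
# closes the session as soon as the handshake result has been printed.
probe_version() {
    printf 'Q\n' | openssl s_client -connect "$FILR_HOST:${FILR_PORT:-8443}" "$1" 2>&1 \
        | classify_handshake
}

# verdict: combine the three classifications (-tls1, -tls1_1, -tls1_2).
#   ok           - TLSv1.0 and TLSv1.1 rejected, TLSv1.2 accepted (fix active)
#   FAIL         - an old version was accepted, or TLSv1.2 was rejected
#   inconclusive - an old version could not be tested from this client;
#                  retest with an OpenSSL build that still offers it
verdict() {
    case "$1:$2:$3" in
        rejected:rejected:accepted)              echo ok ;;
        *:*:rejected|accepted:*:*|*:accepted:*)  echo FAIL ;;
        *)                                       echo inconclusive ;;
    esac
}

# check_tls12_only: run all three probes, print each result, then the verdict.
check_tls12_only() {
    r10=$(probe_version -tls1)
    r11=$(probe_version -tls1_1)
    r12=$(probe_version -tls1_2)
    printf 'TLSv1.0 %s\nTLSv1.1 %s\nTLSv1.2 %s\n' "$r10" "$r11" "$r12"
    verdict "$r10" "$r11" "$r12"
}

# Only touch the network when a host was given; otherwise the functions are
# merely defined, so the file can be sourced or tested offline.
if [ -n "$FILR_HOST" ]; then
    check_tls12_only
fi
```

Run it as `FILR_HOST=filr.example.com sh check_tls12.sh` before and after step 5: before the fix the TLSv1.0 and TLSv1.1 probes report `accepted`, after it they report `rejected` and the verdict is `ok`. In a clustered deployment run it once per node, since step 6 has to be repeated on each.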

Known issues after Enabling TLS v1.2 ONLY:
Once the fix is enabled on your Filr server, it will only allow connections from clients (web browsers, Filr Desktop clients, Filr Mobile apps, WebDAV clients, etc.) that support TLSv1.2. The following are known issues:
  1. Any Filr Desktop client older than Filr 3.2 will not be able to connect to the Filr 3.3 server.
    Users must update to the latest Desktop client, or the Filr administrator must disable this fix. See TID 7022428 for more details.

  2. Any Filr Mobile client (iOS or Android) older than Filr 3.2 will not be able to connect to a Filr 3.3 server.
    Users must download the latest version of the mobile app from the app store for their device.

Additional Information