
SSLv3 Disabled in Exinda Appliances Due to Vulnerabilities

Overview

Due to vulnerabilities affecting Secure Sockets Layer version 3 (SSLv3), we have removed it from the firmware as an option starting in version 6.4.6, opting to use Transport Layer Security (TLS) instead.

 

Information

Exinda appliances have always supported TLS 1.2 because the Apache web server uses it. When a client connects to the WebUI, the client and the Exinda appliance negotiate which security protocol to use. The outcome can vary depending on which protocols the client and server each support, but both sides must use the same protocol. TLS has been a standard for a long time and is considered more secure than SSL. However, when TLS could not be used, SSLv3 was offered as a fallback.

In 2015, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, a severe vulnerability in SSLv3, was found. While it was not the first SSLv3 vulnerability, it offers attackers a way to find credentials during the connection negotiation instead of having them sent securely. As a result, starting in ExOS version 6.4.6, SSLv3 support was disabled. Although the protocol still exists on the server, it is not used.
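
One way to confirm after an upgrade that the WebUI no longer accepts SSLv3, as an added example (not Exinda code; the function names and the host in the closing comment are placeholders). It sends a hand-built ClientHello that offers only SSLv3, because many current TLS client libraries are built without SSLv3, and reads the server's first reply record.

```python
import os
import socket
import struct

SSL3 = (3, 0)  # wire version of SSLv3; TLS 1.0 to 1.2 are (3, 1) to (3, 3)

def client_hello(version=SSL3):
    """Build a minimal ClientHello (no extensions) offering only `version`."""
    # RSA suites with AES-CBC, 3DES-CBC and RC4, all usable under SSLv3.
    ciphers = struct.pack("!4H", 0x002F, 0x0035, 0x000A, 0x0005)
    body = (bytes(version) + os.urandom(32)            # client_version, random
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                             # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    header = b"\x16" + bytes(version) + struct.pack("!H", len(handshake))
    return header + handshake

def classify(reply):
    """Interpret the first record the server sent back."""
    if len(reply) < 5:
        return "rejected (connection closed)"
    rtype, _major, _minor, length = struct.unpack("!BBBH", reply[:5])
    payload = reply[5:5 + length]
    if rtype == 0x15 and len(payload) >= 2:            # alert: level, description
        return f"rejected (alert {payload[1]})"
    if rtype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        chosen = (payload[4], payload[5])              # ServerHello.server_version
        if chosen == SSL3:
            return "accepted SSLv3"
        return f"negotiated {chosen[0]}.{chosen[1]}"
    return "unrecognised reply"

def probe(host, port=443, timeout=5.0):
    """Offer SSLv3 only to host:port and report how the server answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello())
            return classify(sock.recv(4096))
    except OSError as exc:
        return f"no ServerHello ({type(exc).__name__})"

# Usage (placeholder host): print(probe("exinda.example.internal"))
```

An appliance with SSLv3 disabled should answer with an alert or close the connection; "accepted SSLv3" means the fallback is still being offered.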

  1. Priyanka Bhotika
