Hi.

> You can handle this on the 4D Side by lowering the minimum TLS version (shown 
> in the tech tip below) but it's not recommended:
> https://kb.4d.com/assetid=78102
This is a very good source of information (what TLS version is supported with 
what version of 4D, how to lower the bar with a security compromise, etc.).
Thanks Tim for pointing towards this tech note.

> Thanks, Tim and Bruno. You are both correct. This particular 
> organization's server uses SSL3 and supports only TLS 1.0.
> 
> Given that the site in question belongs to one of the five largest 
> museums in the world, I would rate my chances at getting them to 
> re-deploy their server platform at my request are between zero and nil.
I am amazed that some sites still use/accept SSL3. This is a big no-no.
I would advise you to formally (email) warn your customer about the issue 
(provide the SSL Labs report).
Let them know you are willing to adapt to a lower security standard if no other 
option is possible on their side (their decision, they take the risk, not you).
IMHO our duty is to warn customers of potential security risks. Then they take 
the risk if they want.
Just to cover your back...

Just curious, what was the rating with https://www.ssllabs.com/ssltest/ ?

Tip: if it is really bad, use the option "Do not show the results on the 
boards" (not always good to shame your clients publicly and attract attention) 
;-)

We have done a small web site for a big French institution (not a bank but very 
similar) which is very strict/uptight on security. We do the development work 
and devops for this.
PS: this is a LAMP stack with the Laravel framework, syncing info with a 4D 
backend.
Even though the web site is small and hosted in a totally independent location 
(i.e. small risk), the company is applying its very strict approach, 
guidelines, rules on security.
Each release goes through a security audit done by an independent security audit 
company. Before the release there is a cycle (after functional validation): 
security audit, fixes, and counter audit.
If the site does not pass the security audit, the site does not go in 
production. The security czar has the power to say NO. 
This is slow, time consuming, annoying, frustrating, etc... but we have 
improved the security for this project on each release (and gained experience).
On this site SSL3, TLS 1.0, TLS 1.1 are disabled. It is TLS 1.2 only, period. 
And the ssllabs.com rating for this site: A+ :-)

Another tip for Linux / NGINX security settings:
        https://mozilla.github.io/server-side-tls/ssl-config-generator/

Bruno LEGAY
A&C Consulting
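As an added illustration of the "TLS 1.2 only" setup described in the post above (this is example configuration written for this thread, not Bruno's site's actual config nor output of the Mozilla generator), here is an NGINX server block with the legacy protocol line shown commented out beside the hardened one. Certificate paths, the host name and the cipher list are assumptions; adjust them for your own deployment.

```nginx
# Added example: hardened NGINX TLS settings in the spirit of the post.
# Host name and certificate paths are placeholders (assumed, not from the thread).

server {
    listen 80;
    server_name www.example-museum.test;
    # Never serve the application over plain HTTP; send everything to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.example-museum.test;

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path

    # Weak legacy setting (what an SSL Labs report flags, e.g. an "F"/"C" grade):
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    #
    # Hardened setting matching the post: SSL3, TLS 1.0 and TLS 1.1 disabled.
    ssl_protocols TLSv1.2;

    # Forward-secret, AEAD-only cipher suites (assumed list; trim to what your
    # clients actually need, e.g. the minimum TLS version set on the 4D side).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # With an all-AEAD list the client's preference order is acceptable.
    ssl_prefer_server_ciphers off;

    # Session resumption without long-lived ticket keys that would undermine
    # forward secrecy if the key were ever leaked.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling so clients do not have to contact the CA themselves.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.53 valid=300s;   # placeholder resolver address

    # HSTS: two years, as commonly required for an A+ rating.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder backend (e.g. the Laravel app)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After reloading NGINX, a quick local check before running the public SSL Labs test is `openssl s_client -connect www.example-museum.test:443 -tls1_1`, which should fail to handshake, while the same command with `-tls1_2` should succeed; a 4D application whose minimum TLS version is set to 1.2 will then connect, whereas a client stuck on TLS 1.0 (like the museum server in the thread) will not.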

**********************************************************************
4D Internet Users Group (4D iNUG)
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**********************************************************************
