Important information about FirstSpirit in the context of the current SSLv3 security problem CVE-2014-3566 ("POODLE vulnerability")
Since October 14, 2014, a security problem in the SSLv3 protocol has been publicly known that allows remote attackers to obtain sensitive information such as private keys and passwords from any service using this protocol over https.
Depending on the https infrastructure in use, your FirstSpirit system might be vulnerable to this security issue.
The FirstSpirit system is vulnerable if the following check command completes with the text message "DONE". The command is launched on the command line of a Unix or Windows host that has OpenSSL installed and network access to the FirstSpirit host. The hostname passed to the command must be the same one FirstSpirit editors use to open the FirstSpirit start page.
Jetty 7 and newer, embedded in FirstSpirit 5.0, 5.1, 5.2
This modification is only required if the Jetty https port is enabled and exposed to a local network or the Internet; it is not required if the port is bound to localhost only or if Jetty is used as a backend server behind another https offloader.
Add the array "ExcludeProtocols" to the HTTPS connector in the sslContextFactory section of fs-webapp.xml:
<!-- HTTPS-Connector -->
<!-- =============== -->
<!-- if NIO is not available, use org.eclipse.jetty.server.ssl.SslSocketConnector -->
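The following is an added example of what the complete HTTPS connector looks like with the ExcludeProtocols array in place; it is not the fs-webapp.xml shipped with FirstSpirit. The SslContextFactory class name, the keystore setter names and values, and the port are assumptions for illustration and must match your existing configuration.

```xml
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg>
        <!-- sslContextFactory section; class name and keystore settings are
             assumed here, keep the values already present in your file -->
        <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
          <Set name="KeyStorePath">PATH-TO-KEYSTORE</Set>
          <Set name="KeyStorePassword">KEYSTORE-PASSWORD</Set>
          <!-- the added array: Jetty refuses SSLv3 handshakes, so a client
               cannot be downgraded to the protocol version affected by POODLE -->
          <Set name="ExcludeProtocols">
            <Array type="java.lang.String">
              <Item>SSLv3</Item>
            </Array>
          </Set>
        </New>
      </Arg>
      <!-- assumed https port -->
      <Set name="Port">8443</Set>
    </New>
  </Arg>
</Call>
```

After restarting the FirstSpirit server, repeat the check command from above against the same hostname; the SSLv3 handshake should now be refused instead of completing with "DONE".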
The FirstSpirit internal encryption of the client-server connection when using http, which can be enabled in the ServerManager under the menu entry "Server -> Properties -> Webstart", is not affected by this vulnerability, because that implementation does not use the SSL protocol but only TLS or, optionally, RC4. The use of the FirstSpirit socket mode connection for the client-server connection is not recommended; see the following security advisory: Security Advisory for FirstSpirit
In one of the next FirstSpirit versions, the default settings will include the modified fs-webapp.xml. Note that this file is not automatically replaced during a FirstSpirit update.