KB Article #176936
API Gateway and the FREAK OpenSSL issue (CVE-2015-0204)
Problem
* Is the API Gateway vulnerable to the FREAK SSL issue?
Resolution
-- Yes, but the issue can be mitigated without patching. The API Gateway embeds OpenSSL, which is affected by CVE-2015-0204. At this time, all versions of the API Gateway ship with a vulnerable OpenSSL version, and because that OpenSSL is internal to the API Gateway it cannot be updated by the customer. However, the vulnerability can be mitigated by disabling export ciphers in your configuration.
For incoming communications, every listening port has an Advanced (SSL) tab with a 'Ciphers' field that accepts an OpenSSL cipher list. For outgoing traffic, every Connection and Connect to URL filter also has a 'Ciphers' field on its SSL tab. The ciphers available depend on which version of OpenSSL is embedded in your version of the API Gateway.

In all versions, the cipher lists are set to DEFAULT unless the user configures them, and OpenSSL's default cipher list contains export ciphers in all current versions. You can remove export ciphers by appending :!EXP to your cipher string. For example, DEFAULT:!EXP gives you the default ciphers with all export ciphers removed. Because customizing a cipher list is a trade-off between security and compatibility, customers are encouraged to investigate and test the available cipher string options to find the right balance for their business.
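The following script is an added example, not part of this KB article or of the API Gateway product. It shows how to confirm that a cipher string such as DEFAULT:!EXP really excludes export-grade suites: it statically checks the string for a !EXP or !EXPORT token, parses the output of `openssl ciphers -v` to flag export suites (those marked "export", named EXP-*, or using a 512-bit key exchange), and, if an openssl binary is on the PATH, asks it which export suites a given string still enables. The sample cipher lines embedded below are constructed for illustration and are not captured from a Gateway; the function names are this example's own.

```python
"""Check an OpenSSL cipher string, as used in the API Gateway 'Ciphers' fields,
for export-grade suites. Added example; not part of the KB article or the product."""
import re
import shutil
import subprocess

# Constructed sample of `openssl ciphers -v` output for a 1.0.1-era DEFAULT list
# (hypothetical lines written for this example, not captured from an API Gateway).
SAMPLE_DEFAULT_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""


def parse_cipher_lines(text):
    """Turn `openssl ciphers -v` lines into dicts: name, proto, Kx/Au/Enc/Mac, flags."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        fields = {}
        flags = set()
        for token in parts[2:]:
            if "=" in token:
                key, value = token.split("=", 1)
                fields[key] = value
            else:
                flags.add(token)  # bare words such as "export"
        suites.append({"name": parts[0], "proto": parts[1], "flags": flags, **fields})
    return suites


def is_export_suite(suite):
    """Export suites carry the 'export' flag, an EXP- prefix, or a 512-bit RSA/DH key exchange."""
    return ("export" in suite["flags"]
            or suite["name"].startswith("EXP")
            or "(512)" in suite.get("Kx", ""))


def find_export_suites(text):
    """Names of the export suites present in `openssl ciphers -v` output."""
    return [s["name"] for s in parse_cipher_lines(text) if is_export_suite(s)]


def cipher_string_bans_export(spec):
    """Static check: the string must contain a '!EXP' or '!EXPORT' token.
    '!' removes suites permanently, whereas '-EXP' lets a later token re-add them."""
    tokens = [t for t in re.split(r"[:,\s]+", spec) if t]
    return any(t in ("!EXP", "!EXPORT") for t in tokens)


def live_export_suites(spec):
    """Ask the local openssl (if installed) which export suites `spec` still enables.
    Returns None when openssl is not on the PATH or rejects the string. For an
    authoritative answer, run this against the OpenSSL version your Gateway embeds."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", spec],
                          capture_output=True, text=True)
    if proc.returncode != 0:  # e.g. the string matched no suites at all
        return None
    return find_export_suites(proc.stdout)


if __name__ == "__main__":
    print("export suites in sample DEFAULT list:",
          find_export_suites(SAMPLE_DEFAULT_OUTPUT))
    for spec in ("DEFAULT", "DEFAULT:!EXP"):
        print(spec, "| bans export:", cipher_string_bans_export(spec),
              "| live check:", live_export_suites(spec))
```

Run the script on a host whose openssl matches the version embedded in your Gateway to see exactly which suites a candidate cipher string leaves enabled; the static check alone only confirms that the string asks for export suites to be excluded, not what the embedded library actually does with it.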
We anticipate releasing API Gateway 7.4 with an updated version of OpenSSL that is not vulnerable to this CVE by default.