Denis
Resolved
0 votes
hi there,

can someone advise on how to disable SSL v2.0 and SSL v3.0 and set it so that only TLS 1.1 is used?

Thank you in advance
In Mail
Thursday, November 21 2019, 07:32 PM
Responses (6)
  • Accepted Answer

    Bob Lewis
    Thursday, July 27 2023, 09:57 AM - #Permalink
    Resolved
    0 votes
    Hello

    To disable SSL v2.0 and SSL v3.0 and enable TLS 1.1:

    - Locate the server's configuration file.
    - Back up the file for safety.
    - Disable SSLv2 and SSLv3 by removing or commenting out the related lines.
    - Enable TLS 1.1 by adding it to the supported protocols.
    - Save the changes and restart the server.

    Hope it helps you.

    Thank you.
  • Accepted Answer

    Tuesday, July 11 2023, 08:09 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    It depends on where you mean. In the webconfig the file is /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf and the SSLCipherSuite parameter. In the web server it is possibly /etc/httpd/conf.d/flex-443.conf but that gets overwritten each time you make a flexshare website change. Also look at /etc/httpd/conf.d/ssl.conf. In postfix it is probably in /etc/postfix/main.cf. Be wary of changing postfix as you might find that you block some people from sending you e-mail if their MTA can only do low grade encryption. If they can only do low grade, they may fall back to no encryption, but surely something is better than nothing? Or you could change postfix to insist on encrypted e-mails but then you may block e-mails from senders who can't match your encryption requirements.
    Hi Nick,

    @Nick, I already restarted my Apache service after editing the 4 files below:

    /etc/httpd/conf.d/ssl.conf
    /etc/httpd/conf.d/flex-443.conf
    /usr/clearos/sandbox/etc/httpd/conf.d/ssl.conf
    /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf

    My Current configuration is

    SSLProtocol all -SSLv2 -SSLv3

    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384

    After this, is there anything else to do?


    Regards
    Swain
  • Accepted Answer

    Friday, November 22 2019, 11:54 AM - #Permalink
    Resolved
    0 votes
    What was it scanning? The web server, the webconfig, or both?

    Let us consider what this means. The webserver accepts port 80 (unencrypted) and port 443 (encrypted). Your browser negotiates with the server an acceptable certificate. I believe it tries to negotiate an acceptable minimum. If someone connects to your site with a browser incapable of TLS 1.1, do you want to turn him away (if you redirect http to https) or are you happy for him to continue at his risk? Or would you want him to revert to http and go totally unencrypted?

    The same thing goes for the webconfig, but it is https on port 81 only.

    You are welcome to change the parameters. For the Webserver, you'd really need to find the code which writes the flex-443.conf file and modify that as well.

    Googling some more, it looks like I have the wrong parameter. The correct one seems to be SSLProtocol.


    This may give you all the file locations of the relevant code:
    [root@server ~]# grep SSLProtocol /usr/clearos/* -r
    /usr/clearos/apps/flexshare/libraries/Flexshare.php: "\tSSLProtocol all -SSLv2 -SSLv3 -TLSv1\n" .
    /usr/clearos/apps/proxypass/libraries/ProxyPassProcessor.php: " SSLProtocol all -SSLv2 -SSLv3 -TLSv1\n" .
    /usr/clearos/apps/proxypass/libraries/ProxyPassProcessor.php: " SSLProtocol all -SSLv2 -SSLv3 -TLSv1\n" .
    /usr/clearos/sandbox/etc/httpd/conf.d/ssl.conf:SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    /usr/clearos/sandbox/etc/httpd/conf.d/devel.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1

    And:
    [root@server ~]# grep SSLProtocol /etc/httpd/* -r
    /etc/httpd/conf.d/ssl.conf:SSLProtocol all -SSLv2
    /etc/httpd/conf.d/flex-443.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    /etc/httpd/conf.d/flex-443.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    /etc/httpd/conf.d/flex-443.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    /etc/httpd/conf.d/flex-443.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1


    I am, therefore, curious as to where the scanner found the failure. It is possible that the default website can use SSLv3 because of "/etc/httpd/conf.d/ssl.conf:SSLProtocol all -SSLv2", but not SSLv2. Try changing that line. If you do, the webconfig should not overwrite it.
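Nick's grep output shows why a scan can still flag SSLv3: Apache's SSLProtocol directive is evaluated token by token, so `all -SSLv2` leaves SSLv3 (and TLSv1) enabled while `all -SSLv2 -SSLv3 -TLSv1` does not. The script below is an added example, not ClearOS or Apache code; it applies those rules to grep-style output, assumes the mod_ssl 2.4 reading in which `all` expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2 (an assumption about the build), and evaluates each line on its own rather than per virtual host.

```python
import re

# Assumed mod_ssl 2.4 reading: `all` is SSLv3 plus every TLS version the build knows.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = ALL | {"SSLv2"}
WEAK = {"SSLv2", "SSLv3", "TLSv1"}  # below the TLS 1.1 floor the scanner asked for

# Finds the directive in a .conf line or inside a PHP string literal (both appear above).
DIRECTIVE = re.compile(r"SSLProtocol\s+((?:[+-]?[A-Za-z0-9.]+\s*)+)")


def effective_protocols(args):
    """Apply `all`, `+X`, `-X` and bare `X` tokens left to right."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            names = ALL
        elif name in KNOWN:
            names = {name}
        else:
            raise ValueError(f"unknown SSLProtocol token {tok!r}")
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def audit(grep_output):
    """Map each path in `grep -r SSLProtocol` output to (enabled, enabled-but-weak) per line."""
    findings = {}
    for line in grep_output.splitlines():
        path, sep, rest = line.partition(":")
        match = DIRECTIVE.search(rest)
        if not sep or not match:
            continue
        enabled = effective_protocols(match.group(1))
        findings.setdefault(path, []).append((enabled, enabled & WEAK))
    return findings


# Constructed sample modelled on the grep output in the reply above.
SAMPLE = """\
/etc/httpd/conf.d/ssl.conf:SSLProtocol all -SSLv2
/etc/httpd/conf.d/flex-443.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
/usr/clearos/apps/flexshare/libraries/Flexshare.php: "\\tSSLProtocol all -SSLv2 -SSLv3 -TLSv1\\n" .
"""

if __name__ == "__main__":
    for path, results in audit(SAMPLE).items():
        for enabled, weak in results:
            verdict = f"still allows {sorted(weak)}" if weak else "ok"
            print(f"{path}: {sorted(enabled)} -> {verdict}")
```

Feed it the real grep output from both directories and any path whose verdict is not "ok" is a candidate for the SSLv3 finding; remember that flex-443.conf is regenerated from Flexshare.php, so the PHP source has to change too.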
  • Accepted Answer

    Denis
    Friday, November 22 2019, 10:41 AM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    I ran a Nessus scan and it came up with a few recommendations; one of them relates to my post:

    **
    High
    SSL Version 2 and 3 Protocol Detection
    Description
    The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws.....

    Solution
    Consult the application's documentation to disable SSL 2.0 and 3.0.
    Use TLS 1.1 (with approved cipher suites) or higher instead.
    **

    No other useful details than a few URLs on what SSL and TLS are.
  • Accepted Answer

    Thursday, November 21 2019, 08:43 PM - #Permalink
    Resolved
    0 votes
    It depends on where you mean. In the webconfig the file is /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf and the SSLCipherSuite parameter. In the web server it is possibly /etc/httpd/conf.d/flex-443.conf but that gets overwritten each time you make a flexshare website change. Also look at /etc/httpd/conf.d/ssl.conf. In postfix it is probably in /etc/postfix/main.cf. Be wary of changing postfix as you might find that you block some people from sending you e-mail if their MTA can only do low grade encryption. If they can only do low grade, they may fall back to no encryption, but surely something is better than nothing? Or you could change postfix to insist on encrypted e-mails but then you may block e-mails from senders who can't match your encryption requirements.