hi there,
can someone advise on how to disable SSL v2.0 and SSL v3.0 and set it so that only TLS 1.1 is used?
Thank you in advance
In Mail
Responses (6)
Accepted Answer
Hello
To disable SSL v2.0 and SSL v3.0 and enable TLS 1.1:
-Locate the server's configuration file.
-Backup the file for safety.
-Disable SSLv2 and SSLv3 by removing or commenting out related lines.
-Enable TLS 1.1 by adding it to the supported protocols.
-Save changes and restart the server.
Hope it helps you.
Thank you.
Accepted Answer
Nick Howitt wrote:
It depends on where you mean. In the webconfig the file is /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf and the SSLCipherSuite parameter. In the web server it is possibly /etc/httpd/conf.d/flex-443.conf but that gets overwritten each time you make a flexshare website change. Also look at /etc/httpd/conf.d/ssl.conf. In postfix it is probably in /etc/postfix/main.cf. Be wary of changing postfix as you might find that you block some people from sending you e-mail if their MTA can only do low grade encryption. If they can only do low grade, they may fall back to no encryption, but surely something is better than nothing? Or you could change postfix to insist on encrypted e-mails but then you may block e-mails from senders who can't match your encryption requirements.
Hi Nick,
@Nick, I already restarted my Apache service after editing the 4 files below:
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/flex-443.conf
/usr/clearos/sandbox/etc/httpd/conf.d/ssl.conf
/usr/clearos/sandbox/etc/httpd/conf.d/framework.conf
My Current configuration is
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
After this any other thing to do ?
Regards
Swain
Accepted Answer
What was it scanning? The web server or webconfig or both.
Let us consider what this means. The webserver accepts port 80 (unencrypted) and port 443 (encrypted). Your browser negotiates with the server an acceptable certificate. I believe it tries to negotiate an acceptable minimum. If someone connects to your site with a browser incapable of TLS 1.1, do you want to turn him away (if you redirect http to https) or are you happy for him to continue at his risk? Or would you want him to revert to http and go totally unencrypted?
The same thing goes for the webconfig, but it is https on port 81 only.
You are welcome to change the parameters. For the Webserver, you'd really need to find the code which writes the flex-443.conf file and modify that as well.
Googling some more, it looks like I have the wrong parameter. The correct one seems to be SSLProtocol.
This may give you all the file locations of the relevant code:
[root@server ~]# grep SSLProtocol /usr/clearos/* -r
/usr/clearos/apps/flexshare/libraries/Flexshare.php: "\tSSLProtocol all -SSLv2 -SSLv3 -TLSv1\n" .
/usr/clearos/apps/proxypass/libraries/ProxyPassProcessor.php: " SSLProtocol all -SSLv2 -SSLv3 -TLSv1\n" .
/usr/clearos/apps/proxypass/libraries/ProxyPassProcessor.php: " SSLProtocol all -SSLv2 -SSLv3 -TLSv1\n" .
/usr/clearos/sandbox/etc/httpd/conf.d/ssl.conf:SSLProtocol all -SSLv2 -SSLv3 -TLSv1
/usr/clearos/sandbox/etc/httpd/conf.d/framework.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
/usr/clearos/sandbox/etc/httpd/conf.d/framework.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
/usr/clearos/sandbox/etc/httpd/conf.d/devel.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
And:
[root@server ~]# grep SSLProtocol /etc/httpd/* -r
/etc/httpd/conf.d/ssl.conf:SSLProtocol all -SSLv2
/etc/httpd/conf.d/flex-443.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
/etc/httpd/conf.d/flex-443.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
/etc/httpd/conf.d/flex-443.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
/etc/httpd/conf.d/flex-443.conf: SSLProtocol all -SSLv2 -SSLv3 -TLSv1
I am, therefore, curious as to where the scanner found the failure. It is possible that the default website can use SSLv3 because of "/etc/httpd/conf.d/ssl.conf:SSLProtocol all -SSLv2", but not SSLv2. Try changing that line. If you do, the webconfig should not overwrite it.
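What the two grep runs show can be turned into a repeatable check. The script below is an added example (not ClearOS code and not something anyone in the thread posted): it reads the four httpd files and the Postfix main.cf named in this thread, picks out every SSLProtocol, smtpd_tls_protocols and smtpd_tls_mandatory_protocols line, and reports any value that still admits SSLv2 or SSLv3, which is exactly the "all -SSLv2" line in /etc/httpd/conf.d/ssl.conf. For Apache, "all" expands to a set that includes SSLv3, so only an explicit "-SSLv3" (or a positive list of TLS versions) turns it off; for Postfix the safe forms are "!SSLv2, !SSLv3" or a list naming only TLS versions. The AUDIT_ROOT prefix and the script file name are assumptions.

```shell
#!/bin/sh
# Added example, not ClearOS or forum code: do the check Nick's grep does by
# hand.  Read every file this thread names, find the Apache SSLProtocol and
# Postfix smtpd_tls_protocols / smtpd_tls_mandatory_protocols lines, and flag
# any that still admits SSLv2 or SSLv3.  AUDIT_ROOT is an assumed prefix so a
# copied tree can be audited; the file list itself comes from the thread.
set -f   # no pathname expansion while word-splitting config lines

# Return 0 if Apache's SSLProtocol value $1 enables protocol $2 (SSLv2|SSLv3).
# "all" is a shortcut that pulls SSLv3 in, so "all -SSLv2" (the ssl.conf
# line above) leaves SSLv3 on.  Only an explicit "-SSLv3" switches it off.
apache_proto_enabled() {
    v=" $1 "
    case "$v" in
        *" -$2 "*)            return 1 ;;   # explicitly removed
        *" +$2 "*|*" $2 "*)   return 0 ;;   # explicitly added
        *" all "*|*" +all "*) return 0 ;;   # pulled in by "all"
    esac
    return 1                                # positive list that omits it
}

# Print "ok" or "weak" for one SSLProtocol value.
classify_apache() {
    if apache_proto_enabled "$1" SSLv2 || apache_proto_enabled "$1" SSLv3; then
        echo weak
    else
        echo ok
    fi
}

# Print "ok" or "weak" for one Postfix *_tls_protocols value.  Postfix takes
# either an exclusion list ("!SSLv2, !SSLv3": safe only if both are excluded)
# or an inclusion list ("TLSv1.2, TLSv1.1": safe only if neither is named).
# An empty value means every protocol the OpenSSL library supports.
classify_postfix() {
    v=" $(printf '%s' "$1" | tr ',' ' ') "
    case "$v" in
        *"!"*)
            case "$v" in *" !SSLv2 "*) ;; *) echo weak; return ;; esac
            case "$v" in *" !SSLv3 "*) echo ok ;; *) echo weak ;; esac ;;
        *" SSLv2 "*|*" SSLv3 "*) echo weak ;;
        *[![:space:]]*)          echo ok ;;
        *)                       echo weak ;;
    esac
}

# Audit one file.  $1 = path, $2 = apache|postfix.  Prints one
# "path:line:weak:value" line per offending directive, or a note when the file
# carries no protocol directive at all (the compiled-in default then applies).
audit_file() {
    path="$1" kind="$2" n=0 found=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in *[![:space:]]*) ;; *) continue ;; esac   # blank line
        set -- $line
        case "$1" in '#'*) continue ;; esac                       # comment
        if [ "$kind" = apache ]; then
            [ "$1" = SSLProtocol ] || continue
            shift; value="$*"
            verdict=$(classify_apache "$value")
        else
            name=$(printf '%s' "${line%%=*}" | tr -d ' \t')
            case "$name" in
                smtpd_tls_protocols|smtpd_tls_mandatory_protocols) ;;
                *) continue ;;
            esac
            value="${line#*=}"
            value="${value#"${value%%[![:space:]]*}"}"   # trim leading blanks
            value="${value%"${value##*[![:space:]]}"}"   # trim trailing blanks
            verdict=$(classify_postfix "$value")
        fi
        found=1
        [ "$verdict" = ok ] || echo "$path:$n:weak:$value"
    done < "$path"
    [ "$found" = 1 ] || echo "$path: no protocol directive (defaults apply)"
}

# The files named in this thread.  Runs only when given an argument, e.g.
# "sh audit-legacy-ssl.sh run", so the functions can also be sourced.
AUDIT_ROOT="${AUDIT_ROOT:-}"
audit_clearos() {
    for f in /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/flex-443.conf \
             /usr/clearos/sandbox/etc/httpd/conf.d/ssl.conf \
             /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf; do
        if [ -f "$AUDIT_ROOT$f" ]; then audit_file "$AUDIT_ROOT$f" apache; fi
    done
    if [ -f "$AUDIT_ROOT/etc/postfix/main.cf" ]; then
        audit_file "$AUDIT_ROOT/etc/postfix/main.cf" postfix
    fi
}
if [ "$#" -gt 0 ]; then audit_clearos; fi
```

Run it as "sh audit-legacy-ssl.sh run" after every flexshare or webconfig change, since the thread shows flex-443.conf being regenerated from /usr/clearos/apps/flexshare/libraries/Flexshare.php; a clean run prints only "no protocol directive" notes for files that rely on defaults. It reads configuration, not the running daemon, so it tells you what a file says rather than what httpd or postfix has loaded: restart the service and re-scan afterwards.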
Accepted Answer
Hi Nick,
I ran a Nessus scan and it came up with a few recommendations; one of them is in relation to my post:
**
High
SSL Version 2 and 3 Protocol Detection
Description
The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws.....
Solution
Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.1 (with approved cipher suites) or higher instead.
**
No other useful details, just a few URLs to what SSL and TLS are.
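The Nessus plugin only says that some listener accepted SSL 2.0 or 3.0, not which one, so it helps to re-test each port yourself. The script below is an added example (not from the thread, ClearOS or Nessus): it hands openssl s_client exactly one protocol version per connection on 443 (web server), 81 (webconfig) and 25 (Postfix, via STARTTLS) and classifies the result from s_client's output. HOST and the script name are assumptions. Two details matter for reading the result: s_client prints a session block even when the handshake fails, so the reliable signal is "Cipher is (NONE)" rather than the "Protocol" line, and an openssl built without SSLv3 (which most current builds are) refuses the -ssl3 flag itself, which the script reports as "untestable" rather than "rejected".

```shell
#!/bin/sh
# Added example, not from the thread, Nessus or ClearOS: re-test the Nessus
# finding from the command line by offering the server exactly one protocol
# version per handshake, on every TLS listener this thread mentions.
# HOST is an assumption; the ports are the thread's (443 web server, 81
# webconfig, 25 Postfix via STARTTLS).
HOST="${HOST:-127.0.0.1}"

# Read s_client's combined output on stdin and say what happened.  On success
# s_client prints "New, <version>, Cipher is <suite>"; when the server refuses
# the offered version it prints "Cipher is (NONE)" (and "Cipher    : 0000" in
# the session block) after the alert; a local openssl built without that
# protocol rejects the flag itself with "unknown option"/"Unknown option",
# which means the test could not be run, not that the server is safe.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"nknown option"*)                         echo untestable ;;
        *"Cipher is (NONE)"*|*"Cipher    : 0000"*) echo rejected ;;
        *"Cipher is "*)                            echo accepted ;;
        *"Connection refused"*)                    echo unreachable ;;
        *)                                         echo inconclusive ;;
    esac
}

# Offer one protocol to $HOST:$1.  $2 is the s_client version flag without the
# dash (ssl3, tls1, tls1_1, tls1_2); $3, if set, is a STARTTLS protocol name so
# plaintext-then-upgrade services such as SMTP can be tested the same way.
probe() {
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$HOST:$1" -"$2" -starttls "$3" </dev/null 2>&1 | classify_handshake
    else
        openssl s_client -connect "$HOST:$1" -"$2" </dev/null 2>&1 | classify_handshake
    fi
}

# After the fix in this thread the expected matrix is: ssl3 rejected on every
# port, tls1_1 and tls1_2 accepted.  An "untestable" for ssl3 means your
# openssl cannot speak it; use a scanner (Nessus, or nmap's ssl-enum-ciphers
# script) from a host whose client still can.
scan() {
    for spec in 443: 81: 25:smtp; do
        port="${spec%%:*}"; starttls="${spec#*:}"
        for proto in ssl3 tls1 tls1_1 tls1_2; do
            printf '%s:%-3s %-7s %s\n' "$HOST" "$port" "$proto" \
                "$(probe "$port" "$proto" "$starttls")"
        done
    done
}
# Runs only when given an argument ("sh probe-legacy-ssl.sh run") so the
# functions can be sourced or tested without touching the network.
if [ "$#" -gt 0 ]; then scan; fi
```

After the SSLProtocol change and an httpd restart, every port should show "rejected" for ssl3 and "accepted" for tls1_1 and tls1_2. Nessus's advice to use "TLS 1.1 or higher" reflects the time of the thread; TLS 1.0 and 1.1 have since been deprecated (RFC 8996), so a current target shows tls1 and tls1_1 rejected as well, which Apache's "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" gives you. For port 25 keep Nick's caveat in mind: rejecting a version there turns away the senders whose MTA can do nothing better, so check your mail logs before tightening smtpd_tls_mandatory_protocols.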
Accepted Answer
It depends on where you mean. In the webconfig the file is /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf and the SSLCipherSuite parameter. In the web server it is possibly /etc/httpd/conf.d/flex-443.conf but that gets overwritten each time you make a flexshare website change. Also look at /etc/httpd/conf.d/ssl.conf. In postfix it is probably in /etc/postfix/main.cf. Be wary of changing postfix as you might find that you block some people from sending you e-mail if their MTA can only do low grade encryption. If they can only do low grade, they may fall back to no encryption, but surely something is better than nothing? Or you could change postfix to insist on encrypted e-mails but then you may block e-mails from senders who can't match your encryption requirements.