Disable SSLv3 on GW WebAccess portal due to POODLE

My SSL check for the webaccess shows we are still using SSLv3. I am not a Linux pro, and so I have no idea
where to go and the steps to turn off SSL for the web access. Does anyone have the steps to do this?
I am not having much luck finding anything helpful. Running on SLES 11 SP3.
  • Ok, I went all over the internet and finally was able to find information that allowed me to fix the SSL issues with the GWIA. I had to edit the /etc/apache2/vhosts.d/vhost-ssl.conf file and add SSLProtocol All TLSv1 -SSLv2 -SSLv3
    then add the SSLCipherSuite line to disable insecure suites: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLV2:-EXP:!kEDH:!aNULL
    Restarted the apache2 service and then retested, and I went from a grade F to a grade B (highest I can get w/o TLSv1.2).

    Have not been able to address the issue with forward secrecy support with the reference browsers. But, the goal of not being vulnerable to the POODLE attack was achieved.
  • iliadmin Wrote in message:

    > Ok, I went all over the internet and finally was able to find
    > information that allowed me to fix the SSL issues with the GWIA. I had
    > to edit the /etc/apache2/vhosts.d/vhost-ssl.conf file and add *SSLProtocol
    > All TLSv1 -SSLv2 -SSLv3*
    > then add the SSLCipherSuite line to disable insecure suites:
    > *SSLCipherSuite
    > ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLV2:-EXP:!kEDH:!aNULL*
    > Restarted the apache2 service and then retested, and I went from a grade
    > F to a Grade B (highest I can get w/o TLSv1.2).
    >
    > Have not been able to address the issue with forward secrecy support
    > with the reference browsers. But, the goal of not being vulnerable to
    > the POODLE attack was achieved.


    Whilst the above is unsupported (since Novell have not yet
    published a TID and/or patch) I would just change your
    SSLProtocol directive to "SSLProtocol all -SSLv2 -SSLv3" and not
    add the SSLCipherSuite directive. This has the effect of enabling
    TLSv1 plus TLSv1.1 and TLSv1.2 if using OpenSSL 1.0.1g which is
    available for SLES11 SP3 via the recently announced optional
    Security Module[1].

    I will also note that SLES11 SP3 is believed to already have SSLv3
    disabled for Apache as per SUSE TID 7015773[2].

    HTH.

    [1] https://www.suse.com/communities/conversations/introducing-the-suse-linux-enterprise-11-security-module/
    [2] https://www.suse.com/support/kb/doc.php?id=7015773
    --
    Simon Flood
    Novell Knowledge Partner
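The two SSLProtocol lines discussed in this thread behave differently because mod_ssl applies its tokens in order: a token with no +/- prefix *replaces* whatever was set before it, "+" adds and "-" removes (httpd 2.4 logs "overrides already set parameter(s)" for the replace case). The following Python is an added illustration, not code from the thread or from SUSE/Novell; it assumes those mod_ssl parse rules and uses constructed vhost snippets to show which protocols each directive really leaves on, and whether SSLv3 (the POODLE exposure) survives.

```python
import re

# Protocols mod_ssl knows about; "all" expands to every protocol the linked
# OpenSSL supports (TLSv1.1/TLSv1.2 only exist with OpenSSL 1.0.1 or later).
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def evaluate_ssl_protocol(directive, supported=PROTOCOLS):
    """Apply mod_ssl's SSLProtocol rules (assumed, per httpd's ssl_engine_config.c):
    bare token = replace the current set, '+' = add, '-' = remove.
    Returns (enabled protocol set, list of warnings)."""
    enabled, warnings = set(), []
    lower_map = {p.lower(): p for p in supported}
    for token in directive.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        if name.lower() == "all":
            wanted = set(supported)
        elif name.lower() in lower_map:
            wanted = {lower_map[name.lower()]}
        else:
            raise ValueError(f"unknown protocol {name!r}")
        if action == "-":
            enabled -= wanted
        elif action == "+":
            enabled |= wanted
        else:  # bare token: overrides everything set so far
            if enabled:
                warnings.append(f"{name!r} overrides already set protocols; +/- prefix missing?")
            enabled = set(wanted)
    return enabled, warnings


def find_ssl_protocol(conf_text):
    """Return the argument string of the last SSLProtocol line in a vhost config, or None."""
    found = None
    for line in conf_text.splitlines():
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            found = m.group(1)
    return found


def poodle_exposed(conf_text, supported=PROTOCOLS):
    """True when the config still enables SSLv3. No SSLProtocol line at all
    means mod_ssl's default of 'all', which keeps SSLv3 on."""
    enabled, _ = evaluate_ssl_protocol(find_ssl_protocol(conf_text) or "all", supported)
    return "SSLv3" in enabled


if __name__ == "__main__":
    # Constructed vhost-ssl.conf fragments mirroring the two directives from the thread.
    for snippet in ("SSLEngine on\nSSLProtocol All TLSv1 -SSLv2 -SSLv3\n",
                    "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"):
        print(find_ssl_protocol(snippet), "->", evaluate_ssl_protocol(find_ssl_protocol(snippet)))
```

With an OpenSSL 0.9.8 build (pass `supported=("SSLv2", "SSLv3", "TLSv1")`) both directives collapse to TLSv1 only, which matches the "grade B without TLSv1.2" result above; with OpenSSL 1.0.1 only the "all -SSLv2 -SSLv3" form picks up TLSv1.1 and TLSv1.2.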