GW 12.0.4 WebAccess on SLES 11 SP4 - How to enable TLS 1.2?

I've been getting calls from users stating they are getting browser warning messages when attaching to our GW 2012 WebAccess server. It's version 12.0.4 running on SLES 11 SP4. When I attach with a new browser, Chrome or IE, I see it gets a TLS 1.0 error.

How can I enable TLS 1.2 on this setup? I've been reading about the SuSE Security Module, but I've seen comments that Apache2 on SLES still uses the old openssl version even with the new openssl version installed from the Security Module.

Will WebAcc 12.0.4 run on SLES 12? I'm not in a position to upgrade to GW 14 yet. Too many things to do with too little staff. Hoping to make this 2012 install last a little longer.

Thanks.
  • In article <plessm.71s8bb@no-mx.forums.microfocus.com>, Plessm wrote:
    > I've been getting calls from users stating they are getting browser
    > warning messages when attaching to our GW 2012 WebAccess server.

    To get more details on what your web server is currently able to do or not
    do:
    https://www.sslshopper.com/ssl-checker.html
    https://www.ssllabs.com/ssltest/
    https://sslanalyzer.comodoca.com/
    I make a point of printing out (to PDF) the results of these before and
    after I make changes to prove they've taken.

    Also useful checks at
    https://www.digicert.com/help/
    https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp

    > How can I enable TLS 1.2 on this setup? I've been reading about the
    > SuSE Security Module, but I've seen comments that Apache2 on SLES still
    > uses the old openssl version even with the new openssl version installed
    > from the Security Module.

    Ya, we are a bit stuck at the moment on that front, but you can eliminate
    the biggest worries with some adjustments to apache that I've assembled so
    far assuming either SLES 10 or 11, validated so far with OES, haven't done
    without OES yet, but should be OK.

    security, tightening up SSL, especially for externally facing systems.
    NOTE: this generally stops IE6 from working.
    Make a backup copy of and edit the file
    /etc/tomcat#/server.xml
    find the line with sslProtocol="TLS" and insert after that a new line
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    Make a backup copy of and edit the file
    /etc/apache2/vhosts.d/vhosts-ssl.conf
    find the line with SSLCipherSuite, comment it out and create a new line
    with
    SSLCipherSuite HIGH:!aNULL:!MD5
    and add the following 3 lines
    SSLEngine on
    SSLProtocol TLSv1
    SSLHonorCipherOrder On
    an alternate for SSLCipherSuite that I haven't tried sufficiently is
    SSLCipherSuite RC4-SHA:HIGH:!ADH

    restart apache and tomcat, then test

    >
    > Will WebAcc 12.0.4 run on SLES 12? I'm not in a position to upgrade to
    > GW 14 yet.

    I rather doubt GW 2012 will be certified to run on SLES12, so if anyone
    tries, please post your results, and I haven't heard that GW 2014 is
    there yet (soon I hope in Cornell).



    Andy of
    http://KonecnyConsulting.ca in Toronto
    Knowledge Partner
    http://forums.novell.com/member.php/75037-konecnya
    If you find a post helpful and are logged in the Web interface, please
    show your appreciation by clicking on the star below. Thanks!
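
An added example, not part of the posts above and not Novell or SUSE code: a small offline audit that reads the two files named in the reply and reports whether each one explicitly enables TLSv1.2. It assumes mod_ssl's `+`/`-` syntax with a bare name replacing the set, treats `all` as the four names listed, and uses constructed sample input (the connector port is made up).

```python
import re

# Protocol names used by the settings in this thread; "all" expands to this
# list here, which is a simplification of what a given Apache/OpenSSL build offers.
KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

def apache_protocols(conf_text):
    """Protocols left enabled by the last SSLProtocol line, or None if absent."""
    enabled = None
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words or words[0].lower() != "sslprotocol":
            continue
        enabled = set()
        for word in words[1:]:
            sign, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
            if name.lower() == "all":
                chosen = set(KNOWN)
            else:
                chosen = {p for p in KNOWN if p.lower() == name.lower()}
            if not chosen:
                raise ValueError("unknown protocol name: %r" % name)
            if sign == "-":
                enabled -= chosen
            elif sign == "+":
                enabled |= chosen
            else:
                enabled = set(chosen)  # assumption: a bare name replaces the set
    return enabled

def tomcat_protocols(server_xml):
    """Protocols listed in the connector's sslEnabledProtocols, or None."""
    m = re.search(r'sslEnabledProtocols\s*=\s*"([^"]*)"', server_xml)
    return None if m is None else {p.strip() for p in m.group(1).split(",") if p.strip()}

def audit(apache_conf, server_xml):
    """One finding per component that does not explicitly enable TLSv1.2."""
    findings = []
    checks = (("apache", apache_protocols(apache_conf)), ("tomcat", tomcat_protocols(server_xml)))
    for label, protos in checks:
        if protos is None:
            findings.append("%s: no explicit protocol list" % label)
        elif "TLSv1.2" not in protos:
            findings.append("%s: TLSv1.2 not enabled (enabled: %s)" % (label, ", ".join(sorted(protos))))
    return findings

# Constructed samples built from the lines quoted in the post (port is made up).
APACHE_SAMPLE = "SSLEngine on\nSSLCipherSuite HIGH:!aNULL:!MD5\nSSLProtocol TLSv1\nSSLHonorCipherOrder On\n"
TOMCAT_SAMPLE = '<Connector port="8443" sslProtocol="TLS"\n  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />'
```

Calling `audit(APACHE_SAMPLE, TOMCAT_SAMPLE)` returns a single finding for the Apache side; keeping that output next to the scanner PDFs gives a config-level record to go with the before-and-after results.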

  • When I put in the TLSv1.1 or 1.2 and restart apache I get Illegal protocol "TLSv1.1 any suggestions?
  • In article <FBTDUNCAN.7auhon@no-mx.forums.microfocus.com>, Fbtduncan
    wrote:
    > When I put in the TLSv1.1 or 1.2 and restart apache I get Illegal
    > protocol "TLSv1.1 any suggestions?


    What version of SLES/apache are we dealing with?
    Do you have the close quotes on that config line?
    Please post the entire line of both the error and the config file.


    Andy of
    http://KonecnyConsulting.ca in Toronto
    Knowledge Partner
    http://forums.novell.com/member.php/75037-konecnya