Disable TLS1.0/1.1 for HTTP?

Trying to remediate vulnerabilities and we're tasked with disabling TLS1.0 and 1.1. I am able to disable it for LDAP, but we're getting dinged on the iMonitor/DHost HTTP services. Is there a way to disable TLS1.0 and 1.1 on the HTTP object? I couldn't find any documentation on it and none of the attributes seemed to indicate that they would manage that like the ldapSSLconfig attribute did on the LDAP side. I suppose the alternative would be to just disable the HTTPS port somehow (maybe by just not defining the http.server.tls-port option, although that may just assign one dynamically).

  • 0
    Is there a reason you have that socket open at all? Leaving it enabled
    but blocked by the host-based firewall (which should block it by default,
    unless you have disabled it for some odd reason) should prevent any
    outsider from even seeing it as an option. You can still use it
    yourself by either opening certain boxes to it, or tunneling in over SSH,
    or accessing it from the box itself, but that's all assuming you even need
    it at all.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • 0 in reply to 
    ab;2483455 wrote:
    Is there a reason you have that socket open at all? Leaving it enabled
    but blocked by the host-based firewall (which should block it by default,
    unless you have disabled it for some odd reason) should prevent any
    outsider from even seeing it as an option. You can still use it
    yourself by either opening certain boxes to it, or tunneling in over SSH,
    or accessing it from the box itself, but that's all assuming you even need
    it at all.
    Thanks, ab. We have both 8028 and 8030 open as default so that we can pull up iMonitor when we need to. I did read in an article that another option is just to not load the httpstk modules as well. I'll have to check to see what our options are for host-based firewall configs. I guess what I'm reading from that, though, is that there doesn't seem to be a simple "select your supported TLS version(s)" for the HTTP stack.
  • 0 in reply to 
    I think, but do not know, that if you implement Suite B compatibility it
    will disable anything other than TLS 1.2, though keep in mind this can
    break all kinds of older clients, but of course that's basically your goal:

    https://www.netiq.com/documentation/edirectory-9/edir_admin/data/b1i4rmmx.html

    --
    Good luck.
  • 0

    Was this ever resolved? This has been a real pain for me on my vulnerability reports. I tried just disabling imon and httpstack, but then the 2 servers in replica stopped communicating, which was a huge nightmare. Is there an easy way to just disable iMon ports 8028 and 8030 without breaking your eDirectory replication?

  • Suggested Answer
    0 in reply to
    How did you disable stuff? I've just disabled httpstk, hconserv, imon and embox on an OES2018SP3 box running 40208.00, bounced the daemon, and it still communicates just fine. To force TLS 1.2, check out this one:

    Force iMonitor to use TLS 1.2
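Whichever route is taken (Suite B, unloading httpstk, or the linked iMonitor setting), the scanner finding is only closed once the HTTPS port actually refuses TLS 1.0 and 1.1. The following is an added example, not code from this thread or from NetIQ, that checks that from the outside: it pins a client to one protocol version at a time and reports what the port from the question (8030 by default) does with it. It assumes Python 3 with the standard ssl module; the "untestable" outcome covers the common case where the local OpenSSL build can no longer offer TLS 1.0/1.1 at all, which must not be mistaken for the server rejecting them.

```python
import socket
import ssl

# Port 8030 is the iMonitor/DHost HTTPS port named in the thread; 8028 is plain HTTP.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}

def _client_context(version):
    """Client context pinned to exactly one protocol version.
    Returns None when the local library refuses to offer that version
    (typical for TLS 1.0/1.1 on current OpenSSL), so the caller can report
    'untestable' instead of a false 'rejected'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are testing protocol support, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return None
    if version < ssl.TLSVersion.TLSv1_2:
        try:  # old versions are often gated behind OpenSSL's security level
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx

def probe_version(host, port, version, timeout=3.0):
    """One of: accepted, rejected, unreachable, untestable."""
    ctx = _client_context(version)
    if ctx is None:
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.version()  # handshake already completed inside wrap_socket
                return "accepted"
    except ssl.SSLError:
        return "rejected"      # handshake refused: the server does not offer this version
    except OSError:
        return "unreachable"   # closed port, timeout, reset: nothing to conclude

def probe(host, port=8030):
    """Map each version name in VERSIONS to its outcome against host:port."""
    return {name: probe_version(host, port, v) for name, v in VERSIONS.items()}

if __name__ == "__main__":
    import sys
    for name, outcome in probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1").items():
        print(f"{name:8} -> {outcome}")
```

After remediation the expected picture is "rejected" (or "untestable") for TLS 1.0 and 1.1 and "accepted" for TLS 1.2; run it before the change as well so the report has a before/after pair.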