iliadmin1

Disable SSLv3 on GW Webaccess portal due to Poodle

My SSL check for the webaccess shows we are still using SSLv3. I am not a Linux pro, and so I have no idea
where to go and the steps to turn off SSL for the web access. Does anyone have the steps to do this?
I am not having much luck finding anything helpful. Running on SLES 11 SP3.

GW 2018 & Mobility Service-Version: 18.1.0 Build: 410 on SLES 12SP3, GW Client 18.02 (Build 131493) on Windows 7 64bit; server OES 11 on SLES 11 SP3; eDirectory 9.1 on SLES12SP3 and eDirectory 8.8sp8 on SLES11 SP3
iliadmin1

Re: Disable SSLv3 on GW Webaccess portal due to Poodle

Ok, I went all over the internet and finally was able to find information that allowed me to fix the SSL issues with the GWIA. I had to edit the /etc/apache2/vhosts.d/vhost-ssl.conf file and add SSLProtocol All TLSv1 -SSLv2 -SSLv3,
then add the SSLCipherSuite line to disable insecure suites: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLV2:-EXP:!kEDH:!aNULL
Restarted the apache2 service and then retested, and I went from a grade F to a grade B (the highest I can get without TLSv1.2).

Have not been able to address the issue with forward secrecy support with the reference browsers. But, the goal of not being vulnerable to the POODLE attack was achieved.

Knowledge Partner

Re: Disable SSLv3 on GW Webaccess portal due to Poodle

iliadmin Wrote in message:

> Ok, I went all over the internet and finally was able to find
> information that allowed me to fix the SSL issues with the GWIA. I had
> to edit the /etc/apache2/vhosts.d/vhost-ssl.conf file and add *SSL
> Protocol All TLSv1 -SSLv2 -SSLv3*
> then add the SSLCipher Suite line to disable insecure suites:
> *SSLCipherSuite
> ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLV2:-EXP:!kEDH:!aNULL*
> Restarted the apache2 service and then retested, and I went from a grade
> F to a Grade B (highest I can get w/o TLSv1.2).
>
> Have not been able to address the issue with forward secrecy support
> with the reference browsers. But, the goal of not being vulnerable to
> the POODLE attack was achieved.


Whilst the above is unsupported (since Novell have not yet
published a TID and/or patch) I would just change your
SSLProtocol directive to "SSLProtocol all -SSLv2 -SSLv3" and not
add the SSLCipherSuite directive. This has the effect of enabling
TLSv1 plus TLSv1.1 and TLSv1.2 if using OpenSSL 1.0.1g which is
available for SLES11 SP3 via the recently announced optional
Security Module[1].

I will also note that SLES11 SP3 is believed to already have SSLv3
disabled for Apache as per SUSE TID 7015773[2].

HTH.

[1] https://www.suse.com/communities/conversations/introducing-the-suse-linux-enterprise-11-security-module/
[2] https://www.suse.com/support/kb/doc.php?id=7015773
--
Simon Flood
Novell Knowledge Partner
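The two SSLProtocol directives in this thread do not enable the same protocols, and the difference explains why the first poster could not get past TLSv1. The following is an added example, not code from the thread, from Novell or from the Apache project: it evaluates an SSLProtocol argument string the way mod_ssl's parser in ssl_engine_config.c handles tokens, as understood by the editor (tokens are read left to right; "+X" adds a protocol, "-X" removes one, and a bare token such as "TLSv1" replaces whatever was set before it, while "all" expands to every protocol the linked OpenSSL offers). The available-protocol set, the sample vhost excerpt and the function names are assumptions for the example; the default set models OpenSSL 1.0.1 with SSLv2 compiled out, which is what the second reply says the SLES 11 SP3 security module provides.

```python
"""Evaluate Apache mod_ssl SSLProtocol directives with mod_ssl's token semantics.

Added example for the POODLE/SSLv3 thread; not code from the forum, Novell or Apache.
"""
from typing import FrozenSet, Iterable, List, Tuple

# Assumption: protocols an OpenSSL 1.0.1 build without SSLv2 exposes to mod_ssl.
# For an older build that still had SSLv2, pass a set that includes "SSLv2";
# mod_ssl's "all" then expands to SSLv2 as well.
DEFAULT_AVAILABLE: FrozenSet[str] = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})

KNOWN_TOKENS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "all")


def canonical(token: str) -> str:
    """mod_ssl matches protocol names case-insensitively; return the canonical spelling."""
    for known in KNOWN_TOKENS:
        if known.lower() == token.lower():
            return known
    raise ValueError(f"unknown SSLProtocol token: {token!r}")


def parse_ssl_protocol(value: str, available: Iterable[str] = DEFAULT_AVAILABLE) -> Tuple[FrozenSet[str], List[str]]:
    """Return (enabled protocols, warnings) for the argument string of an SSLProtocol directive."""
    avail = frozenset(available)
    enabled: set = set()
    warnings: List[str] = []
    for raw in value.split():
        action, token = ("", raw)
        if raw[0] in "+-":
            action, token = raw[0], raw[1:]
        name = canonical(token)
        this = set(avail) if name == "all" else {name}
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            # A bare token does not add to the set: it replaces everything set so far.
            if enabled:
                warnings.append(f"bare token {name!r} overrides protocols set earlier in the directive")
            enabled = this
    unsupported = enabled - avail
    if unsupported:
        # mod_ssl cannot offer a protocol the linked OpenSSL does not implement.
        warnings.append("not supported by this OpenSSL build: " + ", ".join(sorted(unsupported)))
        enabled &= avail
    return frozenset(enabled), warnings


def poodle_exposed(enabled: Iterable[str]) -> bool:
    """POODLE needs SSLv3; a server that still negotiates it is exposed."""
    return "SSLv3" in set(enabled)


def audit_vhost(text: str, available: Iterable[str] = DEFAULT_AVAILABLE):
    """Find SSLProtocol lines in a vhost config excerpt and report what each one enables."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() != "sslprotocol" or len(parts) < 2:
            continue
        enabled, warnings = parse_ssl_protocol(parts[1], available)
        findings.append((lineno, enabled, warnings, poodle_exposed(enabled)))
    return findings


# Constructed excerpt in the shape of /etc/apache2/vhosts.d/vhost-ssl.conf (sample data, not a real file).
SAMPLE_VHOST = """\
<VirtualHost _default_:443>
    SSLEngine on
    # directive from the first reply in the thread
    SSLProtocol All TLSv1 -SSLv2 -SSLv3
    # directive recommended in the second reply
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, enabled, warnings, exposed in audit_vhost(SAMPLE_VHOST):
        print(f"line {lineno}: enables {sorted(enabled)}; POODLE exposed: {exposed}")
        for w in warnings:
            print(f"    warning: {w}")
```

Run against the sample, the first directive ends up enabling TLSv1 only, because the bare TLSv1 token throws away the protocols "All" had just set, so the later "-SSLv2 -SSLv3" tokens remove nothing. That closes the POODLE hole but also blocks TLSv1.1 and TLSv1.2, which is consistent with the grade B result above. The second directive leaves TLSv1, TLSv1.1 and TLSv1.2 enabled on an OpenSSL 1.0.1 build, which is the combination the second reply describes. The code only reasons about the directive; confirm on the live server afterwards, for example by checking that an SSLv3-only client can no longer complete a handshake with the WebAccess port.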