Infinity9999

Disable TLS1.0/1.1 for HTTP?

Trying to remediate vulnerabilities and we're tasked with disabling TLS1.0 and 1.1. I am able to disable it for LDAP, but we're getting dinged on the iMonitor/DHost HTTP services. Is there a way to disable TLS1.0 and 1.1 on the HTTP object? I couldn't find any documentation on it and none of the attributes seemed to indicate that they would manage that like the ldapSSLconfig attribute did on the LDAP side. I suppose the alternative would be to just disable the HTTPS port somehow (maybe by just not defining the http.server.tls-port option, although that may just assign one dynamically).
Knowledge Partner

Re: Disable TLS1.0/1.1 for HTTP?

Is there a reason you have that socket open at all? Leaving it enabled
but blocked by the host-based firewall (which should block it by default,
unless you have disabled it for some odd reason) should prevent any
outsider from even seeing it as an option. You can still use it
yourself by either opening certain boxes to it, or tunneling in over SSH,
or accessing it from the box itself, but that's all assuming you even need
it at all.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Infinity9999

Re: Disable TLS1.0/1.1 for HTTP?

ab;2483455 wrote:
Is there a reason you have that socket open at all? Leaving it enabled
but blocked by the host-based firewall (which should block it by default,
unless you have disabled it for some odd reason) should prevent any
outsider from even seeing it as an option. You can still use it
yourself by either opening certain boxes to it, or tunneling in over SSH,
or accessing it from the box itself, but that's all assuming you even need
it at all.

Thanks, ab. We have both 8028 and 8030 open as default so that we can pull up iMonitor when we need to. I did read in an article that another option is just to not load the httpstk modules as well. I'll have to check to see what our options are for host-based firewall configs. I guess what I'm reading from that, though, is that there doesn't seem to be a simple "select your supported TLS version(s)" for the HTTP stack.
Knowledge Partner
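Whichever route is taken (Suite B mode, not loading httpstk, or firewalling 8028/8030), the scanner finding only goes away once the HTTPS port actually stops negotiating TLS 1.0 and 1.1. The script below is an added example for checking that from an admin workstation; it is not part of this thread and not NetIQ/eDirectory code. It pins a client context to one protocol version at a time and records whether the server accepts it, so you can run it before and after the change. The host and the default port 8030 are assumptions taken from the thread; the verdict labels are my own.

```python
import socket
import ssl

# The versions under discussion in the thread, probed one at a time.
PROBE_VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
]


def _context_pinned_to(version):
    """Build a client context that will negotiate exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are checking protocol acceptance, not certificate trust, so the
    # probe deliberately skips verification.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Modern OpenSSL builds refuse to offer TLS 1.0/1.1 at their default
    # security level; lowering it for the probe client only lets us ask the
    # server whether it still accepts them.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_version(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected', 'unreachable' or 'unsupported-locally'."""
    try:
        ctx = _context_pinned_to(version)
    except (ssl.SSLError, ValueError):
        return "unsupported-locally"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:
        # Handshake failure: the server would not negotiate this version.
        return "rejected"
    except (ConnectionResetError, ConnectionAbortedError):
        # Some stacks drop the connection instead of sending an alert.
        return "rejected"
    except OSError:
        # Refused, timed out or filtered: nothing to talk to at all.
        return "unreachable"


def probe_tls_versions(host, port, timeout=5.0):
    """Probe every version in PROBE_VERSIONS and map name -> verdict."""
    return {name: probe_version(host, port, ver, timeout) for name, ver in PROBE_VERSIONS}


def policy_findings(results, banned=("TLS 1.0", "TLS 1.1")):
    """List the banned versions an endpoint still accepts (empty means compliant)."""
    return [name for name in banned if results.get(name) == "accepted"]


if __name__ == "__main__":
    import sys
    # Assumed defaults: loopback and the 8030 HTTPS port mentioned in the thread.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8030
    results = probe_tls_versions(host, port)
    for name, verdict in results.items():
        print(f"{host}:{port} {name}: {verdict}")
    findings = policy_findings(results)
    print("still accepting banned versions:", findings or "none")
```

Run it as `python probe.py server.example 8030` from a host that is allowed through the firewall; if the port is blocked from where the scanner sits, every line comes back "unreachable", which is also what you want to see from that vantage point. "unsupported-locally" means the workstation's own OpenSSL cannot speak that version and the result says nothing about the server.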

Re: Disable TLS1.0/1.1 for HTTP?

I think, but do not know, that if you implement Suite B compatibility it
will disable anything other than TLS 1.2, though keep in mind this can
break all kinds of older clients, but of course that's basically your goal:

https://www.netiq.com/documentation/edirectory-9/edir_admin/data/b1i4rmmx.html