ClearOS Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


SSL-TLS Versions Supported

This entry from Security Metrics indicates that they can determine which SSL/TLS versions are used in your web services. In and of itself this is not a risk but you may consider using tighter versions. However, using tighter versions will not change the results of this entry.

ClearCenter response

Short response

The negotiation of SSL calls for offering supported protocols by design. This is not indicative of a specific risk or vulnerability.

Long response

When computers begin SSL communication, they will negotiate which version of SSL they will use to communicate. This is called for in the protocol and in itself does not pose a risk to the system or indicate a vulnerability.

Resolution

No action required.

If you want to change the behavior of your web server to ONLY allow strong encryption, perform the following steps:

First, take a look at what a weak connection looks like by running the following:

openssl s_client -connect localhost:443 -cipher MEDIUM

This should give you a long and valid response. Second, connect to your server via command line and modify the following file using your favorite editor (i.e. nano, vi, emacs, et al). Modify the /etc/httpd/conf.d/ssl.conf file.

vi /etc/httpd/conf.d/ssl.conf

Change these lines:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

to this:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:!MEDIUM:+HIGH

Third, save the file and reload the httpd service.

service httpd reload

Fourth, connect again to the httpd service using the same command as before:

openssl s_client -connect localhost:443 -cipher MEDIUM

You should get rejected this time. Now try with only high levels of encryption:

openssl s_client -connect localhost:443 -cipher HIGH

You should get a connection and a lot of output just like at the first, but this time it is more secure.

content/en_us/kb_3rdparty_security_metrics_ssl_-_tls_versions_supported.txt · Last modified: 2015/01/29 09:49 (external edit)

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3Akb_3rdparty_security_metrics_ssl_-_tls_versions_supported&1563305002