cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 8

Changing SSL Methods

So, in light of the recent Heartbleed attacks, I've been encouraged into looking int getting all our internet-facing websites more secure.  I've been running tools at Qualys SSL Labs - Projects / SSL Server Test to test, and our WHD server is currently getting a rating of C, largely limited by the fact that we only have SSL 3 and TLS 1.0 enabled in the protocols for SSL.

So I did some digging around on our CentOS box that runs WHD, and found the server.xml in /usr/local/webhelpdesk/bin/tomcat/conf/.  We modified the file to have TLS 1.0 to TLS 1.2 and also SSL v3.  I did a restart on WHD, and the changes disappeared.  It appears that on restart WHD is overwriting the server.xml file, which is frustrating.

Does anyone know how we can enable TLS 1.1 and TLS 1.2 for this server?

5 Replies
Level 12

You would need to change the cypher suites used, but do it in the /conf/tomcat_server_template.xml file in the following section;

@@@WEBHELPDESK_SSL_START@@@
<Connector port="@@@WEBHELPDESK_SSL_PORT@@@" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="@@@WEBHELPDESK_KEYSTORE@@@"   
           keystorePass="@@@WEBHELPDESK_KEYSTORE_PASS@@@"
     keystoreType="@@@WEBHELPDESK_KEYSTORE_TYPE@@@"
           @@@WEBHELPDESK_ADDRESS@@@
           compression="on"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/css,test/javascript,application/javascript,application/x-javascript,application/ecmascript,text/ecmascript"
     ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
/>
@@@WEBHELPDESK_SSL_STOP@@@ -->

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,

   TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,

   TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

has brought us from a C to a B, we're still using TLS 1.0 and SSLv3, but the Key Exchange and Cipher Strength has shot up significantly.  I'm still gonna work on getting the TLS 1.1 and TLS 1.2 setup, but we're better now than before, so we'll take it.

0 Kudos

I just did the same test this morning and was concerned about my 'C' rating as well. After implementing a change of ciphers, I'm now getting a 'B' also. Much better! Have you made any progress on getting TLSv1.2 enabled?

0 Kudos

Yeah, I found that file and added sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3" but didn't futz with the cipher suites.  Making the sslEnabledProtocols change caused the server to not startup correctly, saying "web peer not authenticated".

I'll make this change in a little bit and try again, some other work came up.

Thanks for the reply!

0 Kudos

I got the same error until I noticed that, though Java SE 1.7.0_65 was installed, the system defaulted to using 1.6.0_65 provided by Apple. I installed Java 7 JDK Update 65 (as per this forum post: osx - Installed Java 7 on Mac OS X but Terminal is still using version 6 - Stack Overflow) and then added sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3" the /conf/tomcat_server_template.xml file. Help desk is running fine now but SSLLabs still shows that TLSv1.1 and TLSv1.2 are not enabled. Back to the drawing board...

I know you're running on CentOS so maybe this won't apply in your situation.