5 Replies Latest reply on Jul 19, 2014 4:49 PM by chase.btb

    Changing SSL Methods

    masantangelo

So, in light of the recent Heartbleed attacks, I've been encouraged into looking into getting all our internet-facing websites more secure.  I've been running tools at Qualys SSL Labs - Projects / SSL Server Test to test, and our WHD server is currently getting a rating of C, largely limited by the fact that we only have SSL 3 and TLS 1.0 enabled in the protocols for SSL.


      So I did some digging around on our CentOS box that runs WHD, and found the server.xml in /usr/local/webhelpdesk/bin/tomcat/conf/.  We modified the file to have TLS 1.0 to TLS 1.2 and also SSL v3.  I did a restart on WHD, and the changes disappeared.  It appears that on restart WHD is overwriting the server.xml file, which is frustrating.


      Does anyone know how we can enable TLS 1.1 and TLS 1.2 for this server?

        • Re: Changing SSL Methods
          conners

          You would need to change the cypher suites used, but do it in the /conf/tomcat_server_template.xml file in the following section;


          @@@WEBHELPDESK_SSL_START@@@
          <Connector port="@@@WEBHELPDESK_SSL_PORT@@@" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS"
                     keystoreFile="@@@WEBHELPDESK_KEYSTORE@@@"
                     keystorePass="@@@WEBHELPDESK_KEYSTORE_PASS@@@"
                     keystoreType="@@@WEBHELPDESK_KEYSTORE_TYPE@@@"
                     @@@WEBHELPDESK_ADDRESS@@@
                     compression="on"
                     compressionMinSize="2048"
                     noCompressionUserAgents="gozilla, traviata"
                     compressableMimeType="text/html,text/xml,text/css,text/javascript,application/javascript,application/x-javascript,application/ecmascript,text/ecmascript"
                     ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
          />
          @@@WEBHELPDESK_SSL_STOP@@@ -->
            • Re: Changing SSL Methods
              masantangelo

              Yeah, I found that file and added sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3" but didn't futz with the cipher suites.  Making the sslEnabledProtocols change caused the server to not start up correctly, saying "web peer not authenticated".


              I'll make this change in a little bit and try again, some other work came up.


              Thanks for the reply!

              • Re: Changing SSL Methods
                masantangelo

                ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                         TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
                         TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"


                has brought us from a C to a B, we're still using TLS 1.0 and SSLv3, but the Key Exchange and Cipher Strength has shot up significantly.  I'm still gonna work on getting the TLS 1.1 and TLS 1.2 setup, but we're better now than before, so we'll take it.
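A small audit script for Connector elements like the ones posted above (the template from conners' reply and the cipher list in this one). It is an added example, not code from the thread or from Web Help Desk: it reads a Connector, flags SSLv3 in sslEnabledProtocols and any RC4/3DES/MD5/anonymous suites in ciphers, and warns when either attribute is missing so JVM defaults apply. The sample Connector, its filled-in placeholder values, and the marker lists are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a Connector in the shape of the WHD template, with the
# @@@...@@@ placeholders replaced by dummy values so it parses as plain XML.
SAMPLE_CONNECTOR = """
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3"
           keystoreFile="/path/to/keystore" keystorePass="changeit"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA"
/>
"""

# Substrings in Java (JSSE) suite names that mark a suite as weak:
# RC4 and 3DES ciphers, MD5 MACs, NULL/export/anonymous key exchange.
WEAK_MARKERS = ("RC4", "3DES", "MD5", "NULL", "EXPORT", "anon")
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}


def audit_connector(xml_text):
    """Return a list of findings (strings) for one Tomcat <Connector .../>."""
    conn = ET.fromstring(xml_text.strip())
    findings = []

    protocols = conn.get("sslEnabledProtocols")
    if protocols is None:
        findings.append("sslEnabledProtocols not set: JVM defaults apply (may include SSLv3)")
    else:
        for proto in (p.strip() for p in protocols.split(",")):
            if proto in WEAK_PROTOCOLS:
                findings.append(f"weak protocol enabled: {proto}")

    ciphers = conn.get("ciphers")
    if ciphers is None:
        findings.append("ciphers not set: JVM default suite list applies")
    else:
        # Tomcat accepts comma-separated names; the value may span lines.
        for suite in re.split(r"[\s,]+", ciphers.strip()):
            if suite and any(marker in suite for marker in WEAK_MARKERS):
                findings.append(f"weak cipher suite: {suite}")
    return findings


if __name__ == "__main__":
    for finding in audit_connector(SAMPLE_CONNECTOR):
        print(finding)
```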