• State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 24 subscribers
  • Views 1111 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Changing SSL Methods

masantangelo

So, in light of the recent Heartbleed attacks, I've been encouraged into looking int getting all our internet-facing websites more secure.  I've been running tools at Qualys SSL Labs - Projects / SSL Server Test to test, and our WHD server is currently getting a rating of C, largely limited by the fact that we only have SSL 3 and TLS 1.0 enabled in the protocols for SSL.

So I did some digging around on our CentOS box that runs WHD, and found the server.xml in /usr/local/webhelpdesk/bin/tomcat/conf/.  We modified the file to have TLS 1.0 to TLS 1.2 and also SSL v3.  I did a restart on WHD, and the changes disappeared.  It appears that on restart WHD is overwriting the server.xml file, which is frustrating.

Does anyone know how we can enable TLS 1.1 and TLS 1.2 for this server?

  • 0

    You would need to change the cypher suites used, but do it in the /conf/tomcat_server_template.xml file in the following section;

    @@@WEBHELPDESK_SSL_START@@@
    <Connector port="@@@WEBHELPDESK_SSL_PORT@@@" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="@@@WEBHELPDESK_KEYSTORE@@@"   
               keystorePass="@@@WEBHELPDESK_KEYSTORE_PASS@@@"
         keystoreType="@@@WEBHELPDESK_KEYSTORE_TYPE@@@"
               @@@WEBHELPDESK_ADDRESS@@@
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/css,test/javascript,application/javascript,application/x-javascript,application/ecmascript,text/ecmascript"
         ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    />
    @@@WEBHELPDESK_SSL_STOP@@@ -->
  • 0 in reply to conners

    Yeah, I found that file and added sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3" but didn't futz with the cipher suites.  Making the sslEnabledProtocols change caused the server to not startup correctly, saying "web peer not authenticated".

    I'll make this change in a little bit and try again, some other work came up.

    Thanks for the reply!

  • 0 in reply to conners

    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,

       TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,

       TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

    has brought us from a C to a B, we're still using TLS 1.0 and SSLv3, but the Key Exchange and Cipher Strength has shot up significantly.  I'm still gonna work on getting the TLS 1.1 and TLS 1.2 setup, but we're better now than before, so we'll take it.

  • 0 in reply to masantangelo

    I just did the same test this morning and was concerned about my 'C' rating as well. After implementing a change of ciphers, I'm now getting a 'B' also. Much better! Have you made any progress on getting TLSv1.2 enabled?

  • 0 in reply to masantangelo

    I got the same error until I noticed that, though Java SE 1.7.0_65 was installed, the system defaulted to using 1.6.0_65 provided by Apple. I installed Java 7 JDK Update 65 (as per this forum post: osx - Installed Java 7 on Mac OS X but Terminal is still using version 6 - Stack Overflow) and then added sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3" the /conf/tomcat_server_template.xml file. Help desk is running fine now but SSLLabs still shows that TLSv1.1 and TLSv1.2 are not enabled. Back to the drawing board...

    I know you're running on CentOS so maybe this won't apply in your situation.

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.