Enabling SSLv3 for Inbound Connections

Article ID: 42897

Updated On:

Products

CA API Gateway

Issue/Introduction

There is a business requirement to accept inbound SSL 3.0 connections, which the Gateway no longer offers by default because of CVE-2014-3566 ("POODLE").

Environment

API Gateway 9.X

Cause

SSL 3.0 is disabled by default because of POODLE (CVE-2014-3566), a padding-oracle attack against the CBC cipher suites of SSL 3.0 that lets a network attacker recover plaintext (for example session cookies) from an SSLv3 connection.

Resolution

SSLv3 is no longer offered by default as a cryptographic protocol. The Listen Port that is to accept SSLv3 traffic must be configured explicitly. To enable SSLv3 on a particular published Listen Port, do the following:
  1. Log into the Layer 7 Policy Manager as an administrative user.
  2. Select "Manage Listen Ports" from the "Tasks" menu.
  3. Select the listen port that will allow SSLv3 and select "Properties".
  4. Select the "Advanced" tab.
  5. Add the property overrideProtocols=SSLv2Hello,SSLv3,TLSv1
  6. Restart the Gateway appliance.
 
This allows clients that support SSLv3 to connect to the Gateway via SSLv3 on that specific port. If only SSLv3 should be accepted (with TLS refused), also ensure that TLSv1.1 and TLSv1.2 are not checked in the Listen Port properties; note that the overrideProtocols value in step 5 still lists TLSv1, so TLS 1.0 remains offered unless it is removed from that list as well.
 
Finally, you will only be able to make these changes against a listen port that is not currently used for administration. For example, you cannot reconfigure Port 9443 if you are connected to the Policy Manager on 9443.
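The following script is an added example for checking the result of the steps above from a client machine; it is not part of this article or of the Gateway product. It probes a host and port with openssl s_client once per protocol version and reports whether the server completed the handshake. It assumes openssl(1) is on the PATH, and that for the -ssl3 probe the local OpenSSL build was compiled with SSLv3 support (builds since OpenSSL 1.1.0 omit it by default; the script then reports no-client-support for that version rather than a server result). The error strings it matches are those printed by openssl s_client; treat the classification as a heuristic.

```shell
#!/bin/sh
# Added example, not from the KB article: probe a Gateway listen port for the
# protocol versions it accepts, to verify the overrideProtocols change and the
# TLS 1.1/1.2 checkboxes from the client side.
#
# Assumptions: openssl(1) is on PATH; "-ssl3" only works if the local OpenSSL
# was built with SSLv3 enabled (most current builds are not).

# Classify captured `openssl s_client` output (stdout+stderr). Prints one of:
#   accepted           the server completed a handshake with the requested version
#   rejected           the server refused that version
#   no-client-support  the local openssl cannot even send that version
classify_handshake() {
    out="$1"
    case "$out" in
        # openssl built without the protocol: the -ssl3/-tls1 flag is unknown,
        # or the library reports an empty usable version range.
        *"Unknown option"*|*"unknown option"*|*"no protocols available"*)
            echo "no-client-support" ;;
        # Server-side refusal: fatal alert, or session block with no cipher.
        *"Cipher is (NONE)"*|*"handshake failure"*|*"alert protocol version"*|*"wrong version number"*)
            echo "rejected" ;;
        # A negotiated cipher is only printed after a completed handshake.
        *"Cipher is "*)
            echo "accepted" ;;
        *)
            echo "rejected" ;;
    esac
}

# Run one probe: host, port, and the s_client version flag (e.g. -ssl3).
probe_version() {
    host="$1"; port="$2"; flag="$3"
    # "Q" on stdin makes s_client quit as soon as the handshake is done.
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" "$flag" 2>&1)
    classify_handshake "$out"
}

# Usage: sh probe.sh gateway.example.com 8443   (hostname is an assumption)
if [ $# -eq 2 ]; then
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-9s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
fi
```

After the change in the Resolution, the -ssl3 row should read "accepted" for the reconfigured port and "rejected" for every other listen port; if it reads "no-client-support", the test client itself has SSLv3 compiled out and a different client must be used.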

Additional Information

Please note that SSL 3.0 is disabled by default for a reason: POODLE allows an attacker who can tamper with traffic to decrypt data sent over an SSLv3 connection, and clients that support SSLv3 can be forced down to it by an active attacker. Enabling it exposes the Gateway and its clients to these attacks and is recommended against; it should be limited to the single listen port that requires it and removed as soon as the dependent clients are upgraded.