Enabling SSLv3 for Inbound Connections
search cancel

Enabling SSLv3 for Inbound Connections

book

Article ID: 42897

calendar_today

Updated On:

Products

STARTER PACK-7 CA Rapid App Security CA API Developer Portal CA API Gateway

Issue/Introduction

I need to enable weak ciphers that are no longer enabled due to the CVE-2014-3566 "POODLE" exploit.

Environment

Release:  9.X
Component: APIGTW

Cause

These weaker ciphers are no longer available by default due to the SSL 3.0 poodle exploit. 

Resolution

SSLv3 is no longer enabled by default as an offered cryptographic protocol. You will need to explicitly configure the Managed Listen Port that will be accepting traffic using SSLv3. To enable support for SSLv3 for a particular published Listen Port, do the following:
  1. Log into the Layer 7 Policy Manager as an administrative user.
  2. Select "Manage Listen Ports" from the "Tasks" menu.
  3. Select the listen port that will allow SSLv3 and select "Properties"
  4. Select the "Advanced" tab.
  5. Add overrideProtocols=SSLv2Hello,SSLv3,TLSv1
  6. Restart the Gateway appliance.
 
This will allow clients that permit SSLv3 to connect to the Gateway via SSLv3 over a specific port. If there is a need to only allow SSLv3 (and disallow TLS)--ensure TLSv1.1 and TLSv1.2 are not checked in the Listen Port properties.
 
Finally, you will only be able to make these changes against a listen port that is not currently used for administration. For example, you cannot reconfigure Port 9443 if you are connected to the Policy Manager on 9443.

Additional Information

Please note that these ciphers are disabled by default for a reason and that implementing them in your environment could lead to vulnerabilities and is recommended against.