If support for SSLv2 is a concern, the SSL configuration provides a way to disable it. To disable support for all SSL version 2.0 ciphers and specify that only SSL version 3.0 ciphers are supported, run the nhWebProtocol command with the -disableSSLv2 parameter. For example:
nhWebProtocol -mode https -hostname My_host.com -disableSSLv2
If SSL was previously configured without -disableSSLv2, the command must be run again with that parameter.
The 'nhWebProtocol -disableSSLv2' command generates the parameter:
SSLCipherSuite ALL
To address SSL anonymous ciphers as well as medium and weak ciphers, the parameter should be the following:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
The $NH_HOME/web/httpd/httpd.tpl template can therefore be modified as follows:
# Custom Protect Section
SSLProtocol -ALL +TLSv1.2 +TLSv1.1
SSLCipherSuite ALL:!SSLv2:!SSLv3:!aNULL:!eNULL:!LOW:!EXP:!3DES:!RC4:!MD5:!SEED:!CAMELLIA:!DSS
# End Custom Protect Section
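The two SSLCipherSuite values above (the generated "ALL" and the hardened string) differ only in their exclusion tokens, so it is worth checking a regenerated httpd.conf mechanically rather than by eye. The following lint script is an added example, not part of the product or of this article: it parses the SSLProtocol and SSLCipherSuite directives out of an Apache configuration text, reports whether SSLv2 or SSLv3 is still enabled, and reports which of the exclusions !aNULL, !eNULL, !LOW and !EXP are missing from the cipher string. The two sample configurations are constructed from the snippets shown above; the required-exclusion list is this example's own choice, not a product setting.

```python
"""Lint the SSL directives in an Apache httpd.conf (added example, not product code).

Checks the two settings discussed in the article: SSLProtocol must not leave
SSLv2 or SSLv3 enabled, and SSLCipherSuite must carry the exclusion tokens for
anonymous (aNULL), null (eNULL), LOW and export (EXP) ciphers.
"""
import re

# Exclusion tokens the cipher string must contain (OpenSSL cipher-list syntax).
# This list is the example's own assumption about what "hardened" means.
REQUIRED_EXCLUSIONS = ("!aNULL", "!eNULL", "!LOW", "!EXP")
# Legacy protocols that must not be enabled.
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")
# Conservative expansion of Apache's 'all' keyword; the real set depends on the
# Apache/OpenSSL build, so we assume the widest (worst) case.
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

DIRECTIVE_RE = re.compile(r"^(SSLProtocol|SSLCipherSuite)\s+(.+)$", re.IGNORECASE)


def parse_ssl_directives(conf_text):
    """Return {'SSLProtocol': value, 'SSLCipherSuite': value} for the directives present.

    Comment lines are skipped. If a directive appears more than once, the last
    occurrence is kept, matching how Apache resolves repeats in one context.
    """
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            canonical = "SSLProtocol" if m.group(1).lower() == "sslprotocol" else "SSLCipherSuite"
            found[canonical] = m.group(2).strip()
    return found


def protocol_enables_legacy(value):
    """True if an SSLProtocol value leaves SSLv2 or SSLv3 enabled.

    Apache syntax: tokens prefixed '-' disable, '+' or no prefix enable, and
    'all' expands to every protocol. Tokens are applied left to right.
    """
    enabled = set()
    for tok in value.split():
        sign = "-" if tok.startswith("-") else "+"
        name = tok.lstrip("+-").lower()
        names = ALL_PROTOCOLS if name == "all" else {name}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return any(p.lower() in enabled for p in LEGACY_PROTOCOLS)


def cipher_suite_findings(value):
    """Return the required exclusion tokens missing from an SSLCipherSuite string.

    An empty list means every required exclusion is present. Tokens are compared
    case-sensitively because OpenSSL cipher aliases are case-sensitive.
    """
    tokens = value.split(":")
    return [req for req in REQUIRED_EXCLUSIONS if req not in tokens]


def lint_ssl_config(conf_text):
    """Return a list of human-readable findings; an empty list means the config passes."""
    directives = parse_ssl_directives(conf_text)
    findings = []
    proto = directives.get("SSLProtocol")
    if proto is None:
        findings.append("SSLProtocol not set; the mod_ssl default depends on the Apache version")
    elif protocol_enables_legacy(proto):
        findings.append(f"SSLProtocol '{proto}' leaves SSLv2 or SSLv3 enabled")
    ciphers = directives.get("SSLCipherSuite")
    if ciphers is None:
        findings.append("SSLCipherSuite not set")
    else:
        for missing in cipher_suite_findings(ciphers):
            findings.append(f"SSLCipherSuite '{ciphers}' lacks exclusion {missing}")
    return findings


# Constructed sample: only the SSLCipherSuite line the article says -disableSSLv2 generates.
GENERATED_CONF = """
# Custom Protect Section
SSLCipherSuite ALL
# End Custom Protect Section
"""

# Constructed sample: the hardened Custom Protect Section from the article.
HARDENED_CONF = """
# Custom Protect Section
SSLProtocol -ALL +TLSv1.2 +TLSv1.1
SSLCipherSuite ALL:!SSLv2:!SSLv3:!aNULL:!eNULL:!LOW:!EXP:!3DES:!RC4:!MD5:!SEED:!CAMELLIA:!DSS
# End Custom Protect Section
"""

if __name__ == "__main__":
    for label, conf in (("generated", GENERATED_CONF), ("hardened", HARDENED_CONF)):
        result = lint_ssl_config(conf)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run it against the real $NH_HOME/web/httpd/httpd.conf after nhWebProtocol has regenerated it by reading the file into lint_ssl_config; the generated sample fails with five findings (no SSLProtocol plus four missing exclusions) and the hardened sample passes.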
For the change to take effect, httpd.conf must be regenerated by running the nhWebProtocol command. For example: