How to disable SSLv3 and RC4 ciphers in eHealth web server

Article ID: 93234


Products

CA eHealth

Issue/Introduction

Security scans reveal that the environment uses unsupported protocols and ciphers, specifically SSLv3 and the RC4 ciphers.

They must be disabled, or the server will be shut down and locked out of the network because of the potential security vulnerabilities these protocols present.

Environment

All supported eHealth releases

Resolution

Use the -strongCipher option with the nhWebProtocol command.

nhWebProtocol -mode https -hostname <serverHostName> -port <WebServerPort> -strongCipher 

If not using SSL, set -mode to http.
Replace <serverHostName> with the server's real host name.
Replace <WebServerPort> with the web server's port.

This triggers a rewrite of the $NH_HOME/web/httpd/httpd.tpl file. In that file, each disabled protocol or cipher entry should now have a leading exclamation point (!) character.

It should look something like this in the httpd.tpl file:
SSLCipherSuite ALL:!SSLv2:!SSLv3:!aNULL:!eNULL:!LOW:!EXP:!3DES:!RC4:!MD5:!SEED:!CAMELLIA:!DSS
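
To confirm the rewrite took effect, the directive can be checked for the required exclusions. The script below is an added example, not part of the original article or of eHealth; the function name check_cipher_suite and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CA/Broadcom code. Audits the SSLCipherSuite directive
# that "nhWebProtocol ... -strongCipher" is described as writing.

# check_cipher_suite FILE [TOKEN...]   (default tokens: SSLv3 RC4)
# Prints every required token that an active directive does not exclude.
# Returns 0 = all excluded, 1 = something missing, 2 = no active directive.
check_cipher_suite() {
    file=$1; shift
    [ $# -gt 0 ] || set -- SSLv3 RC4
    # Apache directive names are case-insensitive; "#..." lines never match.
    suites=$(awk 'tolower($1) == "sslciphersuite" { print $2 }' "$file")
    [ -n "$suites" ] || { echo "no active SSLCipherSuite directive"; return 2; }
    rc=0
    for suite in $suites; do
        for tok in "$@"; do
            # OpenSSL's "!" removes ciphers permanently, so finding "!TOKEN"
            # anywhere in the colon-separated list is sufficient.
            case ":$suite:" in
                *":!$tok:"*) ;;
                *) echo "not excluded: $tok in $suite"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed samples: the line from the article, and a weaker variant with
# a commented-out strong line that must not count.
tmp=$(mktemp -d)
printf '%s\n' 'SSLCipherSuite ALL:!SSLv2:!SSLv3:!aNULL:!eNULL:!LOW:!EXP:!3DES:!RC4:!MD5:!SEED:!CAMELLIA:!DSS' > "$tmp/strong.tpl"
printf '%s\n' '#SSLCipherSuite ALL:!SSLv3:!RC4' \
              'SSLCipherSuite ALL:!SSLv2:RC4+RSA:!aNULL' > "$tmp/weak.tpl"
: > "$tmp/empty.tpl"

check_cipher_suite "$tmp/strong.tpl" && echo "strong.tpl: OK"
check_cipher_suite "$tmp/weak.tpl" || echo "weak.tpl: rerun with -strongCipher"
```

On the eHealth server, point the function at $NH_HOME/web/httpd/httpd.tpl instead of the sample files.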

Additional Information

Support recommends a web server services restart after this change, though it isn't a required step.