The customer is planning to update the API Portal from version 3.5 to version 4.2.
But first, they need to know if the security vulnerabilities with TLS 1.0, various cipher suites are present in version 4.2. It is also necessary to know if these security vulnerabilities are covered with:
1. Installation and configuration out-of-the-box of the new version of the API Portal (4.2)
2. Requirements on the base architecture in which the new version of the API Portal will be installed.

Portal 3.5/4.2

For the Portal 3.5 Appliance SSLv2 is disabled by default in /etc/httpd/conf.d/ssl.conf via "SSLProtocol all -SSLv2". 
With the latest Appliance platform patch the SSLProtocol line can be set to "SSLProtocol TLSv1.2" which only enables TLS 1.2.
You can also customize the SSLCipherSuite. 

For Portal 4.2 Only TLSv1.2 is enabled. 


 

TLS v1.2 isn't enforced in Portal 4.2.0 GA. It has to be upgraded to 4.2.0.2 or later.