search cancel

SSv3L disabling an set TLSV1.0 only instructions.

book

Article ID: 15020

calendar_today

Updated On:

Products

XCOM Data Transport XCOM Data Transport - Windows XCOM Data Transport - Linux PC XCOM Data Transport - z/OS

Issue/Introduction



How to disable SSLv3 protocol from CA XCOM configssl.cnf and set TLSV only?

Environment

CONFIGSSL.CNF is used by CA XCOM Data Transport to configure OpenSSL.This file is located in the config directory in?XCOM home directory.

Resolution

On the distributed versions of CA XCOM Data Transport you would specify SSL_METHOD to TLS in CONFIGSSL.CNF for to disable SSLv3 as follows:

# Mandatory, note that CA-XCOM supports v3, tlsv1, tlsv1.1, tlsv1.2.

# default "all"

[SSL_METHOD]

INITIATE_SIDE = tls

RECEIVE_SIDE  = tls

 

The actual SSL and TLS protocols are further tuned through options. By using SSL_OPTION (and removing the unwanted protocol versions with SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3), then you will effectively use TLS v1.0 and above, including TLS v1.2. You can also use SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 if you want to use the TLS 1.2 protocol only.

SSLv3 can be used only with FIPS_MODE=NO in XCOM.GLB. It uses the same cipher suites as TLSv1 with FIPS_MODE=NO.