This article describes how to change the cipher list and the permitted Transport Layer Security (TLS) protocol versions in the following versions:
By default, SSL protocol versions 2.0 and 3.0 are considered weak and are restricted in the BlacklistedProtocols.properties exclusion file.
Weak ciphers (ciphers with a key length of less than 128 bits) are restricted in the weakciphers.properties exclusion file. Both files can be modified manually to restrict additional protocols or ciphers.
The BlacklistedProtocols.properties file (\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\conf\BlacklistedProtocols.properties) can be modified to include additional TLS versions. To do this, add the protocol to the bottom of the list using a standard text editor, save the file, and restart the Enterprise Gateway. Always create a backup of the original file before making changes.
Follow these steps to restrict ciphers on the Self Service Portal (SSP) IdP, VIP Manager IdP, and the VIP Enterprise Gateway:
Important: Symantec recommends always running the latest available VIP software. Run LiveUpdate from the VIP EG console, or manually download updates from https://manager.vip.com.
weakciphers.properties, located at <VIPEG_INSTALLATION>/conf/weakciphers.properties.
weakciphers.properties file into this same folder.
The weakciphers.properties file contains two sections: #Weak SSL Ciphers and #Weak TLS Ciphers. Additional ciphers can be blocked by adding them to this list (in IANA format). Always create a backup of the original file before making changes.
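The audit script below is an added example, not Symantec's code; it shows how the weakciphers.properties exclusion list described above can be checked against the cipher suites a server is observed to offer, so that weak suites (key length below 128 bits, plus RC4 and NULL encryption) that are not yet blacklisted are reported, grouped under the section they belong in. The file layout it assumes (the two section comments, one IANA suite name per line) and both sample inputs are constructed for the example; the function and constant names are the author's own, not part of the product.

```python
"""Audit a weakciphers.properties exclusion list against the cipher suites a
server currently offers and report weak suites that are not yet blacklisted.

Added example (not Symantec's code). Assumed file layout: the two section
comments '#Weak SSL Ciphers' and '#Weak TLS Ciphers', followed by one IANA
cipher-suite name per line. The 'weak' rule follows the article: key length
below 128 bits, plus RC4 and NULL encryption regardless of key length.
"""
import re

# Constructed sample of the exclusion file (layout is an assumption).
SAMPLE_WEAKCIPHERS_PROPERTIES = """\
#Weak SSL Ciphers
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
#Weak TLS Ciphers
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_NULL_SHA
"""

# Constructed list of suites a server was observed to offer (IANA names).
SAMPLE_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_WITH_NULL_MD5",
]

# Bulk ciphers whose IANA name carries no explicit key size.
_UNNUMBERED_KEY_BITS = {"DES": 56, "SEED": 128, "IDEA": 128}
# Treated as weak whatever the key size (RC4 is the article's own example).
_WEAK_ALGORITHMS = {"RC4", "NULL"}


def parse_weakciphers(text):
    """Return {section comment: set of suite names} from the properties text."""
    sections = {}
    current = "(no section)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            current = line
            sections.setdefault(current, set())
        else:
            sections.setdefault(current, set()).add(line)
    return sections


def cipher_strength(suite):
    """Return (bulk algorithm, nominal key bits) parsed from an IANA suite name.

    Key bits is None when the name gives no clue. 3DES reports its nominal
    168 bits, so it passes the article's <128-bit rule despite only 112 bits
    of effective strength; add it to the list by hand if policy requires.
    """
    body = suite.split("_WITH_", 1)[1] if "_WITH_" in suite else suite.split("_", 1)[1]
    tokens = body.split("_")
    if tokens[-1].startswith(("SHA", "MD5")):  # drop the MAC/PRF token
        tokens = tokens[:-1]
    algo_token = tokens[0]
    if algo_token == "NULL":
        return "NULL", 0
    if algo_token == "3DES":
        return "3DES", 168
    if algo_token.startswith("CHACHA20"):
        return "CHACHA20", 256
    algorithm = "DES" if algo_token.startswith("DES") else algo_token  # 'DES40' -> 'DES'
    enc = "_".join(tokens)
    # Key size appears as its own token ('AES_128', 'RC4_40') or fused ('DES40').
    m = re.search(r"(?:^|_)(?:DES)?(\d+)(?:_|$)", enc)
    if m:
        return algorithm, int(m.group(1))
    return algorithm, _UNNUMBERED_KEY_BITS.get(algorithm)


def is_weak(suite, threshold=128):
    """Weak if the bulk cipher is RC4/NULL or its nominal key is below threshold."""
    algorithm, bits = cipher_strength(suite)
    if algorithm in _WEAK_ALGORITHMS:
        return True
    return bits is not None and bits < threshold


def audit(properties_text, offered, threshold=128):
    """Offered suites that are weak but absent from every section of the file."""
    sections = parse_weakciphers(properties_text)
    blacklisted = set().union(*sections.values()) if sections else set()
    return [s for s in offered if is_weak(s, threshold) and s not in blacklisted]


def proposed_additions(missing):
    """Group missing suites under the section whose prefix they carry."""
    return {
        "#Weak SSL Ciphers": sorted(s for s in missing if s.startswith("SSL_")),
        "#Weak TLS Ciphers": sorted(s for s in missing if s.startswith("TLS_")),
    }


if __name__ == "__main__":
    gaps = audit(SAMPLE_WEAKCIPHERS_PROPERTIES, SAMPLE_OFFERED)
    for section, suites in proposed_additions(gaps).items():
        print(section)
        for s in suites:
            print(s)
```

Feed `audit()` the real file contents and the suite list from a scanner's output; the lines `proposed_additions()` returns are in the IANA format the file expects and can be appended under the matching section before the Enterprise Gateway is restarted. The 3DES caveat in `cipher_strength()` is deliberate: a pure key-length rule does not catch it.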
- Rollback procedures for VIP Enterprise Gateway 9.7 or VIP Enterprise Gateway 9.8
Perform these steps if the above solution fails:
Important: VIP SSP IdP Proxy development ended with version 9.7. Symantec recommends replacing it with an alternative reverse proxy solution (sample Squid reverse proxy configuration).
In the SSP IdP Proxy, by default, SSL protocol versions 2.0 and 3.0 are considered weak and are listed in the jetty.xml file located at SSP IDP Proxy Home/server/etc. The jetty.xml file can be modified to restrict any protocol version (such as SSL) or weak cipher (such as RC4) when potential vulnerabilities are detected.
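As an added example (not Symantec's or Jetty's code), the script below checks a jetty.xml SslContextFactory configuration of the kind just described for the SSL 2.0/3.0 protocol exclusions and for cipher-suite exclusions, reporting which candidate suites no exclusion entry covers. It assumes the exclusions are expressed through the Jetty XML `<Set name="ExcludeProtocols">` and `<Set name="ExcludeCipherSuites">` setters with `<Array><Item>` children, and that an `<Item>` may be either an exact suite name or (in newer Jetty releases) a regular expression; the jetty.xml fragment and candidate suite list are constructed for the example, and the function names are the author's own.

```python
"""Check a Jetty SslContextFactory configuration (jetty.xml) for the protocol
and cipher-suite exclusions this article describes.

Added example (not Symantec's or Jetty's code). Assumptions: exclusions live
in <Set name="ExcludeProtocols"> / <Set name="ExcludeCipherSuites"> blocks
with <Array><Item>...</Item></Array> children (the Jetty XML convention for
those setters), and each <Item> is either an exact suite name or, in newer
Jetty releases, a regular expression such as .*RC4.* .
"""
import re
import xml.etree.ElementTree as ET

# Constructed jetty.xml fragment; a real file carries many more settings.
SAMPLE_JETTY_XML = """\
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="ExcludeProtocols">
    <Array type="String">
      <Item>SSLv2Hello</Item>
      <Item>SSLv3</Item>
    </Array>
  </Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>.*RC4.*</Item>
    </Array>
  </Set>
</Configure>
"""

# Constructed list of suites the JVM could otherwise negotiate.
SAMPLE_CANDIDATES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# JSSE names for SSL 2.0 hello and SSL 3.0, the versions the article lists.
REQUIRED_PROTOCOL_EXCLUDES = ("SSLv2Hello", "SSLv3")


def jetty_excludes(xml_text):
    """Return {'ExcludeProtocols': [...], 'ExcludeCipherSuites': [...]}."""
    root = ET.fromstring(xml_text)
    found = {"ExcludeProtocols": [], "ExcludeCipherSuites": []}
    for set_el in root.iter("Set"):
        name = set_el.get("name")
        if name in found:
            found[name].extend(
                item.text.strip()
                for item in set_el.iter("Item")
                if item.text and item.text.strip()
            )
    return found


def entry_matches(entry, suite):
    """True if an exclusion entry covers a suite: exact name, or regex (newer Jetty)."""
    if entry == suite:
        return True
    try:
        return re.fullmatch(entry, suite) is not None
    except re.error:  # an exact name that happens not to be a valid regex
        return False


def audit_jetty(xml_text, candidates, required_protocols=REQUIRED_PROTOCOL_EXCLUDES):
    """Report protocols not excluded and candidate suites no exclusion entry covers."""
    excludes = jetty_excludes(xml_text)
    missing_protocols = [p for p in required_protocols if p not in excludes["ExcludeProtocols"]]
    uncovered = [
        s for s in candidates
        if not any(entry_matches(e, s) for e in excludes["ExcludeCipherSuites"])
    ]
    return {"missing_protocols": missing_protocols, "uncovered_suites": uncovered}


if __name__ == "__main__":
    report = audit_jetty(SAMPLE_JETTY_XML, SAMPLE_CANDIDATES)
    print("protocols still to exclude:", report["missing_protocols"] or "none")
    print("suites no entry covers:", report["uncovered_suites"] or "none")
```

Run it against the proxy's own jetty.xml after every change: an empty `missing_protocols` list confirms the SSL 2.0/3.0 entries survived the edit, and anything left in `uncovered_suites` that policy treats as weak needs its own `<Item>`. Regex entries only take effect on Jetty versions that support them, so on an older proxy list each suite by its exact name.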
- Modifying the VIP SSP IDP Proxy
(Note: VIP Self-Service Portal IdP Proxy installations prior to 9.7 should update the VIP Enterprise Gateway and the proxy to version 9.7 or higher before applying these steps. Older versions either do not support the weak cipher concept or support only limited blacklisting of weak cipher suites.)
Follow these steps to modify the VIP Self Service IdP Proxy component:
weakciphers.properties by following the instructions above.
jetty.xml, located at <SSP_PROXY_INSTALLATION>/server/etc/