CA-eHealth HOW TO DISABLE TLS1.0

Document ID : KB000097716
Last Modified Date : 06/06/2018
Introduction:

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

Question:
PCI audit reported "eHealth monitoring boxes have TLS 1.0 turned on. They need to have TLS 1.0 disabled ASAP". I am on eHealth version 6.3.3.01 D0 on Linux RHEL 7.4. Please help me with how to disable TLS 1.0.
Environment:
ehealth 6.3.x
Answer:

This issue is in OpenSSL, the library that eHealth uses for its TLS handling.

Therefore, to mitigate this vulnerability, make the following change to your environment:

Add the -strongCipher and -fips options to your nhWebProtocol command.

For example:

nhWebProtocol -mode https -port 443 -hostname `hostname` -strongCipher -fips
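To confirm the change took effect (and to give the PCI auditor evidence), the following added script probes the eHealth HTTPS listener one protocol version at a time and reports which versions still negotiate. It is not CA code; the host and port are assumed (defaults to localhost:443), and it deliberately skips certificate validation because only the protocol version is under test.

```python
#!/usr/bin/env python3
"""Check which TLS versions an HTTPS listener still accepts.

Added verification for the nhWebProtocol change: after restarting the
web server with -strongCipher -fips, TLS 1.0 should no longer negotiate.
"""
import socket
import ssl

# Each probe pins the client to exactly one protocol version.
VERSIONS = {
    "TLSv1":   ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def version_accepted(host, port, version, timeout=5.0):
    """True if the server completes a handshake at exactly `version`,
    False if the handshake is refused, None if TCP itself failed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # protocol test only, not a certificate test
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return False             # local OpenSSL cannot even offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False             # server (or local policy) rejected this version
    except OSError:
        return None              # connection refused / timed out

def probe(host, port):
    """Map each version name to True (accepted), False (refused) or None."""
    return {name: version_accepted(host, port, v) for name, v in VERSIONS.items()}

def legacy_versions_accepted(results):
    """Pre-1.2 versions that still negotiate; an empty list is the goal."""
    return [n for n in ("TLSv1", "TLSv1.1") if results.get(n) is True]

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed target
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    found = probe(host, port)
    for name, ok in found.items():
        print(f"{name:8s} {'ACCEPTED' if ok else 'refused' if ok is False else 'no connection'}")
    sys.exit(1 if legacy_versions_accepted(found) else 0)
```

A non-zero exit means TLS 1.0 or 1.1 is still being negotiated; note that a client built on a recent OpenSSL may itself refuse to offer TLS 1.0, which this script reports as "refused" rather than as proof the server blocks it.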

Additional Information:
Running nhWebProtocol --h displays the usage for this command.

More details are also available in the eHealth Command Reference Guide.