How can we disable SSLv2/SSLv3 protocol in Federation Manager?

Document ID : KB000038938
Last Modified Date : 14/02/2018

Question: 

We need to disable SSLv2 protocols on Federation Manager. Could you please let us know how we can do it?

Should we proceed the same way if we need to disable SSLv3 as well?

 

Environment:  

FEDMA R12.x

 

Answer: 

To disable the SSLv2 protocol, modify the following two files:

1) server.conf file (under the \secure-proxy\proxy-engine\conf folder in your Federation Manager install path)

  • Search for the sslparams section, and verify SSLv2 is not enabled:
    <sslparams>
    # Set the SSL protocol version to support: SSLv2, SSLv3, TLSv1
    # WARNING: SSL version 2 should not be included due to security concerns.
    versions="SSLv3"
    ciphers="-RSA_With_Null_SHA,+RSA_With_Null_MD5,-RSA_With_RC4_SHA,+RSA_With_RC4_MD5,+RSA_With_DES_CBC_SHA,+RSA_Export_With_RC4_40_MD5,-RSA_Export_With_DES_40_CBC_SHA,+RSA_Export_With_RC2_40_CBC_MD5,-DH_RSA_With_DES_CBC_SHA,-DH_RSA_With_3DES_EDE_CBC_SHA,-DH_RSA_Export_With_DES_40_CBC_SHA,-DH_DSS_With_DES_CBC_SHA,-DH_DSS_Export_With_DES_40_CBC_SHA,-DH_Anon_With_RC4_MD5,-DH_Anon_With_DES_CBC_SHA,-DH_Anon_With_3DES_EDE_CBC_SHA,-DH_Anon_Export_With_DES_40_CBC_SHA,-DH_Anon_Export_With_RC4_40_MD5,-DHE_RSA_With_DES_CBC_SHA,-DHE_RSA_Export_With_DES_40_CBC_SHA,-DHE_DSS_With_DES_CBC_SHA,-DHE_DSS_Export_With_DES_40_CBC_SHA"
    fipsciphers="+DHE_DSS_With_AES_256_CBC_SHA, +DHE_RSA_With_AES_256_CBC_SHA, +RSA_With_AES_256_CBC_SHA, +DH_DSS_With_AES_256_CBC_SHA, +DH_RSA_With_AES_256_CBC_SHA, +DHE_DSS_With_AES_128_CBC_SHA, +DHE_RSA_With_AES_128_CBC_SHA, +RSA_With_AES_128_CBC_SHA, +DH_DSS_With_AES_128_CBC_SHA, +DH_RSA_With_AES_128_CBC_SHA, +DHE_DSS_With_3DES_EDE_CBC_SHA, +DHE_RSA_With_3DES_EDE_CBC_SHA, +RSA_With_3DES_EDE_CBC_SHA, +DH_DSS_With_3DES_EDE_CBC_SHA"
    # Covalent SSL CA certificate bundle and certs path to be converted
    # The bundle and/or certs located at defined location will be converted
    # to binary (DER) format and loaded as SSLParams.
    # NOTE: Only put Base64 (PEM) encoded cert files/bundles in the covalent
    # certificate directory.
    cacertpath="C:\F6\CA\FederationManager\secure-proxy\SSL\certs"
    cacertfilename="C:\F6\CA\FederationManager\secure-proxy\SSL\certs\ca-bundle.cert"
    </sslparams>

2) httpd-ssl.conf file (under the \secure-proxy\httpd\conf\extra folder in your Federation Manager install path)

  • Add this line inside the VirtualHost section, after the "SSLEngine on" line (note: case is important):
    SSLProtocol all -SSLv2

 

The same procedure applies to disabling SSLv3. In that case, use the following settings in the files above:

1) In server.conf: versions="TLSv1"

2) In httpd-ssl.conf: SSLProtocol all -SSLv2 -SSLv3
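
To confirm that both files carry the settings above after the change, the following added example (not part of the original document and not CA code) reads the text of server.conf and httpd-ssl.conf and reports which of SSLv2/SSLv3 remain enabled. The function names and sample inputs are constructed for illustration. It assumes that "all" includes SSLv2 and SSLv3, that a VirtualHost without an SSLProtocol line behaves like "all", and that multiple values in versions= are separated by commas or spaces.

```python
import re

LEGACY = {"SSLv2", "SSLv3"}  # what the article disables; "all" is assumed to include both

def active_lines(text):
    """Stripped lines, without blanks and # comments."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]

def audit_server_conf(text):
    """Legacy protocols enabled by versions= in <sslparams>; None if not found."""
    section = re.search(r"<sslparams>(.*?)</sslparams>", text, re.S | re.I)
    if not section:
        return None
    for line in active_lines(section.group(1)):
        m = re.match(r'versions\s*=\s*"([^"]*)"', line)
        if m:
            # Assumption: several versions are separated by commas and/or spaces.
            return sorted(set(re.split(r"[,\s]+", m.group(1).strip())) & LEGACY)
    return None

def audit_httpd_ssl(text):
    """(host, legacy protocols still enabled) per VirtualHost with SSLEngine on."""
    results = []
    for host, body in re.findall(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", text, re.S | re.I):
        lines = active_lines(body)
        if not any(re.fullmatch(r"SSLEngine\s+on", l, re.I) for l in lines):
            continue
        enabled = set(LEGACY)  # assumption: a missing SSLProtocol line counts as "all"
        for words in (l.split() for l in lines):
            if words[0].lower() != "sslprotocol":
                continue
            enabled = set()
            for tok in words[1:]:
                sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
                protos = set(LEGACY) if name.lower() == "all" else {name} & LEGACY
                if sign == "-":
                    enabled -= protos
                elif sign == "+":
                    enabled |= protos
                else:
                    enabled = set(protos)  # a bare name replaces what was set before
        results.append((host.strip(), sorted(enabled)))
    return results

# Constructed sample inputs (not real files), filled with the article's settings.
SERVER = '<sslparams>\n# SSL version 2 should not be included\nversions="%s"\n</sslparams>\n'
VHOST = "<VirtualHost _default_:443>\nSSLEngine on\n%s\n</VirtualHost>\n"

if __name__ == "__main__":
    print(audit_server_conf(SERVER % "SSLv3"), audit_httpd_ssl(VHOST % "SSLProtocol all -SSLv2"))
```

An empty list from both functions means neither file still enables SSLv2 or SSLv3; pass each function the full contents of the corresponding file.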