How to completely disable the SSL v3.0 protocol in hub tunnels?

Document ID : KB000047006
Last Modified Date : 14/02/2018

Question: 

- Can Hub Tunnel encryption use TLS v1.2 only? We want to eliminate the use of SSL v3.0 protocol in our communications, due to the known vulnerabilities that the SSL protocol has nowadays.

 

Answer: 

- Yes. If you select any of the TLS v1.2 ciphers published on the OpenSSL.org site (https://www.openssl.org/docs/manmaster/apps/ciphers.html), all communication will be encrypted using the corresponding algorithm and transported via the corresponding protocol, in this case TLS.

- If you check the hub logs, you will see some references to the SSL library:

Sep 7 11:29:48:956 [12132] hub: SSL using cipher: DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD

However, it is important to note the encryption level and protocol shown in the log message, because they identify the technology that is actually being used, as highlighted below:

Sep 7 11:29:48:956 [12132] hub: SSL using cipher: DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
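The log check described above can be run over a whole hub log instead of reading entries one by one. The following Python script is an added example, not CA code: it assumes every cipher entry follows the line format shown above, and the function name audit_hub_log and all sample lines except the first are constructed for illustration.

```python
import re
from collections import Counter

# Matches the hub log line format shown above:
#   <timestamp> [pid] hub: SSL using cipher: <name> <protocol> Kx=.. Au=.. Enc=.. Mac=..
CIPHER_LINE = re.compile(
    r"^(?P<ts>.+?)\s+\[(?P<pid>\d+)\]\s+hub:\s+SSL using cipher:\s+"
    r"(?P<cipher>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

ALLOWED_PROTOCOLS = {"TLSv1.2"}  # policy from the question: TLS v1.2 only


def audit_hub_log(lines, allowed=ALLOWED_PROTOCOLS):
    """Return (count per protocol, non-compliant sessions, unparsed cipher lines)."""
    counts, violations, unparsed = Counter(), [], []
    for line in lines:
        if "SSL using cipher:" not in line:
            continue  # unrelated hub log entry
        m = CIPHER_LINE.match(line.strip())
        if not m:
            unparsed.append(line.strip())  # never silently count as compliant
            continue
        counts[m["proto"]] += 1
        if m["proto"] not in allowed:
            violations.append((m["ts"], m["cipher"], m["proto"]))
    return counts, violations, unparsed


# Constructed sample: the first line is the one from this article, the rest are made up.
SAMPLE_LOG = """\
Sep 7 11:29:48:956 [12132] hub: SSL using cipher: DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
Sep 7 11:30:02:114 [12132] hub: tunnel session established
Sep 7 11:31:15:402 [12132] hub: SSL using cipher: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
Sep 7 11:32:40:007 [12132] hub: SSL using cipher: (truncated)
""".splitlines()

if __name__ == "__main__":
    counts, violations, unparsed = audit_hub_log(SAMPLE_LOG)
    print("protocol counts:", dict(counts))
    for ts, cipher, proto in violations:
        print(f"NON-COMPLIANT {ts}: {cipher} ({proto})")
    for line in unparsed:
        print("UNPARSED:", line)
```

Any entry reported as non-compliant or unparsed points to a tunnel whose configured cipher should be reviewed.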

 

Additional Information:

 

- It is also recommended to check the HUB release notes, available at the following link: https://docops.ca.com/ca-unified-infrastructure-management-probes/en/alphabetical-probe-articles/hub/hub-release-notes

- If you need information about how to use a cipher in order to encrypt hub communications to a certain level, please check: https://docops.ca.com/ca-unified-infrastructure-management-probes/en/alphabetical-probe-articles/hub/hub-versions-7-8-7-6/v7-8-hub-im-configuration/v7-8-hub-im-gui-reference 

Below is a screenshot showing you the exact location where the cipher has to be entered:

[Screenshot: HUB_Cipher.jpg]

 

- As always, please contact CA Technologies support for CA UIM if you have further questions.