How to disable SSLv3 and RC4 ciphers in eHealth web server

Document ID : KB000093234
Last Modified Date : 04/05/2018
Introduction:
Security scans reveal the use of protocols that are unsupported for the environment, specifically SSLv3 and RC4 ciphers.
Background:
They must be disabled, or the server will be shut down and locked out of the network due to the potential security vulnerabilities the working protocol presents.
Environment:
All supported eHealth releases
Instructions:
Use the -strongCipher option with the nhWebProtocol command.

nhWebProtocol -mode https -hostname <serverHostName> -port <WebServerPort> -strongCipher 

If not using SSL, set the -mode to http. 
Replace <serverHostName> with the server's real host name.
Replace <WebServerPort> with the web server's port.

This triggers a rewrite of the $NH_HOME/web/httpd/httpd.tpl file. In that file, each disabled protocol or cipher is marked by a leading exclamation point (!) added to its entry.

It should look something like this in the httpd.tpl file:
SSLCipherSuite ALL:!SSLv2:!SSLv3:!aNULL:!eNULL:!LOW:!EXP:!3DES:!RC4:!MD5:!SEED:!CAMELLIA:!DSS
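
One way to confirm the result after running nhWebProtocol, as an added example that is not part of the original document or of eHealth: the shell function below (check_cipher_suite is a hypothetical name) reads the active SSLCipherSuite directives from a file and reports any that lack the !SSLv3 and !RC4 exclusions. The two sample files are constructed for the demonstration; on a real server, pass $NH_HOME/web/httpd/httpd.tpl instead.

```shell
#!/bin/sh
# Added example (not eHealth code). check_cipher_suite is a hypothetical helper.
# Usage: check_cipher_suite FILE [KEYWORD ...]   (default keywords: SSLv3 RC4)
# Returns 0 if every active SSLCipherSuite directive excludes each keyword,
#         1 if an exclusion is missing, 2 if no active directive is found.
check_cipher_suite() {
    file=$1; shift
    [ $# -gt 0 ] || set -- SSLv3 RC4
    # Commented-out directives have "#" in the first field and are skipped.
    suites=$(awk '$1 == "SSLCipherSuite" { print $2 }' "$file")
    [ -n "$suites" ] || { echo "no active SSLCipherSuite directive in $file"; return 2; }
    status=0
    for suite in $suites; do
        for keyword in "$@"; do
            # Match "!KEYWORD" only as a whole colon-delimited entry.
            case ":$suite:" in
                *":!$keyword:"*) ;;
                *) echo "missing !$keyword in: $suite"; status=1 ;;
            esac
        done
    done
    return $status
}

# Constructed sample input: the hardened line shown in this article, and a
# weaker file whose only matching exclusions sit on a commented-out line.
tmp=$(mktemp -d)
printf '%s\n' \
    'SSLCipherSuite ALL:!SSLv2:!SSLv3:!aNULL:!eNULL:!LOW:!EXP:!3DES:!RC4:!MD5:!SEED:!CAMELLIA:!DSS' \
    > "$tmp/hardened.tpl"
printf '%s\n' \
    '#SSLCipherSuite ALL:!SSLv3:!RC4' \
    'SSLCipherSuite ALL:!SSLv2:!aNULL:!eNULL:!LOW:!EXP' \
    > "$tmp/weak.tpl"

check_cipher_suite "$tmp/hardened.tpl" && echo "hardened.tpl: SSLv3 and RC4 excluded"
check_cipher_suite "$tmp/weak.tpl" || echo "weak.tpl: rerun nhWebProtocol with -strongCipher"
```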
Additional Information:
Support recommends a web server services restart after this change, though it isn't a required step.