Disabling SSL Medium & Weak Cipher Suites in CA eHealth

Document ID : KB000049857
Last Modified Date : 16/08/2018
Introduction:
The company's Information Security Risk department has just performed a security test on eHealth, and the following vulnerability was reported:

SSL Medium & Weak Cipher Suites Supported
Background:
The eHealth host supports the use of SSL ciphers that offer weak encryption:
  1. SSL Version 2 (v2) Protocol Detection
  2. SSL Anonymous Cipher Suites Discovery
These are considerably easier to exploit if the attacker is on the same physical network.
 
Environment:
eHealth 6.2.x and 6.3.x
Instructions:

If there is concern about support for SSLv2, the eHealth SSL configuration provides the ability to disable SSLv2. To disable support for all SSL version 2.0 ciphers and specify that only SSL version 3.0 ciphers are supported, run the nhWebProtocol command with the -disableSSLv2 parameter. For example:

nhWebProtocol -mode https -hostname My_host.com -disableSSLv2

If SSL had previously been configured without specifying -disableSSLv2, the command would need to be run again.

The 'nhWebProtocol -disableSSLv2' command generates the parameter:

SSLCipherSuite ALL

In order to address anonymous, medium-strength and weak SSL ciphers, the parameter should be the following:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

So the $NH_HOME/web/httpd/httpd.tpl file can be modified as follows: 

# Custom Protect Section
SSLProtocol -ALL +TLSv1.2 +TLSv1.1
SSLCipherSuite ALL:!SSLv2:!SSLv3:!aNULL:!eNULL:!LOW:!EXP:!3DES:!RC4:!MD5:!SEED:!CAMELLIA:!DSS

# End Custom Protect Section 

To take effect, the httpd.conf needs to be regenerated using the nhWebProtocol command. For example:

nhWebProtocol -mode https -port 443 -hostname My_host.com -fips
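Before regenerating httpd.conf it is worth confirming what a given SSLCipherSuite value actually enables, because the three strings quoted in this article (the ALL written by -disableSSLv2, the interim string, and the Custom Protect Section string) expand very differently. The following is an added example, not part of the KB article and not eHealth or Apache code: it hands each string to the cipher-list parser of the OpenSSL that Python is linked against, which is the same parser mod_ssl uses, and reports anonymous and sub-128-bit suites. It assumes a current OpenSSL build rather than the one bundled with eHealth's Apache, so the exact suite names will differ from the eHealth host.

```python
"""Offline audit of Apache SSLCipherSuite strings.

Added example for this KB article; it is not eHealth or Apache code.
It asks the OpenSSL that Python is linked against to expand each cipher
string exactly as mod_ssl would, then flags the suites a scanner reports.
"""
import ssl

# Cipher strings quoted in the article.
NHWEBPROTOCOL_DEFAULT = "ALL"                       # what -disableSSLv2 writes
INTERIM = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
HARDENED = ("ALL:!SSLv2:!SSLv3:!aNULL:!eNULL:!LOW:!EXP"
            ":!3DES:!RC4:!MD5:!SEED:!CAMELLIA:!DSS")  # Custom Protect Section


def expand(cipher_string):
    """Return the cipher suites OpenSSL enables for cipher_string.

    Each entry is a dict with at least 'name', 'protocol', 'auth',
    'kea' and 'strength_bits'. Raises ssl.SSLError when nothing matches,
    which is also what mod_ssl would refuse at startup.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def audit(cipher_string, min_bits=128):
    """Classify the expanded suites into the findings a scanner reports."""
    findings = {"anonymous": [], "weak": []}
    for suite in expand(cipher_string):
        # Anonymous key exchange: the server presents no certificate, so the
        # client cannot tell whether it is talking to an interposed party.
        if suite["auth"] == "auth-null":
            findings["anonymous"].append(suite["name"])
        # Export, LOW and 3DES class suites fall below 128-bit strength.
        if suite["strength_bits"] < min_bits:
            findings["weak"].append(suite["name"])
    return findings


def is_clean(cipher_string):
    """True when the string enables no anonymous or sub-128-bit suite."""
    return not any(audit(cipher_string).values())


if __name__ == "__main__":
    for label, value in [("nhWebProtocol default", NHWEBPROTOCOL_DEFAULT),
                         ("interim", INTERIM),
                         ("hardened", HARDENED)]:
        result = audit(value)
        print(f"{label}: {len(expand(value))} suites, "
              f"{len(result['anonymous'])} anonymous, "
              f"{len(result['weak'])} below 128 bits")
        for name in result["anonymous"] + result["weak"]:
            print(f"  flagged: {name}")
```

Two things this check makes visible. First, the interim string keeps 3DES suites (112 bits on current OpenSSL builds), which is why the Custom Protect Section adds !3DES. Second, the !SSLv2 and !SSLv3 tokens are cipher-list keywords: they remove suites whose minimum protocol version is that one, not the protocol itself, so the SSLProtocol directive in the Custom Protect Section is what actually disables the old protocol versions, and both lines need to stay in httpd.tpl.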
Additional Information:
For further information on disabling ciphers, please refer to the CA eHealth Command and Environment Variables Reference Guide.