Instructions for disabling SSLv3 and setting TLSv1.0 only.

Document ID : KB000015020
Last Modified Date : 14/02/2018
Question:

How do I disable the SSLv3 protocol in the CA XCOM configssl.cnf and set TLS only?

Environment:
CONFIGSSL.CNF is used by CA XCOM Data Transport to configure OpenSSL. This file is located in the config directory in the XCOM home directory.
Answer:

On the distributed versions of CA XCOM Data Transport, set SSL_METHOD to TLS in CONFIGSSL.CNF to disable SSLv3, as follows:

# Mandatory, note that CA-XCOM supports v3, tlsv1, tlsv1.1, tlsv1.2.
# default "all"
[SSL_METHOD]
INITIATE_SIDE = tls
RECEIVE_SIDE  = tls

The actual SSL and TLS protocols are further tuned through options. By using SSL_OPTION and removing the unwanted protocol versions with SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3, you effectively use TLS v1.0 and above, including TLS v1.2. You can also use SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 if you want to use the TLS 1.2 protocol only.

SSLv3 can be used only with FIPS_MODE=NO in XCOM.GLB. It uses the same cipher suites as TLSv1 with FIPS_MODE=NO.
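
One way to audit the [SSL_METHOD] setting shown above across several installations. This is an added example, not CA XCOM code. It assumes that "#" starts a comment anywhere on a line and that any value other than tls, tlsv1, tlsv1.1 or tlsv1.2 (including the default "all") leaves SSLv3 available. SSL_OPTION is not checked because its syntax is not shown here.

```python
# Assumption: these SSL_METHOD values exclude SSLv3; anything else
# (including the default "all" and "v3") is treated as permitting it.
TLS_ONLY = {"tls", "tlsv1", "tlsv1.1", "tlsv1.2"}
SIDES = ("INITIATE_SIDE", "RECEIVE_SIDE")


def parse_ssl_method(text):
    """Return {key: value} for the [SSL_METHOD] section of configssl.cnf text."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumed syntax)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
            continue
        if section == "SSL_METHOD" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().upper()] = value.strip().strip('"').lower()
    return values


def audit_ssl_method(text):
    """Return a list of findings; an empty list means both sides are TLS-only."""
    values = parse_ssl_method(text)
    findings = []
    for side in SIDES:
        value = values.get(side, "all")  # an unset key falls back to "all"
        if value not in TLS_ONLY:
            findings.append(f"{side} = {value}: SSLv3 not excluded")
    return findings


# Constructed sample inputs (not taken from a real installation).
HARDENED = """
# default "all"
[SSL_METHOD]
INITIATE_SIDE = tls
RECEIVE_SIDE  = tls
"""
WEAK = """
[SSL_METHOD]
INITIATE_SIDE = TLS   # fine
# RECEIVE_SIDE left unset, so the default applies
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_ssl_method(cfg) or "OK")
```
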