How to disable TLS v1 and v1.1 on VIOM webserver (port 14161)

Article ID: 100045158

Description

Security scans can flag VIOM on port 14161 for possible vulnerabilities because the web server still accepts the insecure TLS v1 and v1.1 protocols.

To configure the Tomcat web server to use TLS v1.2 only instead, follow these steps:

From the VIOM server --

  1. /opt/VRTSsfmcs/bin/vomsc --stop web
  2. Take backup of /opt/VRTSsfmcs/webgui/tomcat/conf/server.xml
  3. Open server.xml and modify/add the sslProtocol and sslEnabledProtocols attributes on the HTTPS Connector for port 14161 as below (only the attributes of that Connector element are shown) -

               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
               keystoreFile="${vom.webgui.install.dir}/tomcat/cert/.keystore"
               compression="on"
               compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript"
               URIEncoding="UTF-8"
               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5" />


  4. Save and close server.xml
  5. /opt/VRTSsfmcs/bin/vomsc --start web
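Before restarting the web service it is worth checking the edited server.xml mechanically rather than by eye. The following script is an added example, not part of this article or of the VIOM product: it parses a Tomcat server.xml, finds every SSL-enabled Connector and reports any legacy protocol left in sslEnabledProtocols, plus any cipher suite built on RC4, DES/3DES, MD5, NULL, EXPORT or anonymous key exchange (RC4 is prohibited by RFC 7465; the others are long deprecated). Both embedded server.xml fragments are constructed samples: the "before" state is assumed, and the "after" state uses the attribute values from step 3. Note that the article's own cipher list still contains RC4 and 3DES suites, so the "after" sample is reported clean for protocols but not for ciphers.

```python
"""Audit the HTTPS Connector(s) in a Tomcat server.xml for legacy TLS versions
and weak cipher suites (added example; not VIOM or Tomcat code)."""
import sys
import xml.etree.ElementTree as ET

# Protocol names that a scanner reports as insecure.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv2Hello", "TLSv1", "TLSv1.1"}
# Substrings of cipher suite names that identify deprecated algorithms.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "_MD5", "NULL", "EXPORT", "anon")

# Constructed sample: a Connector as it might look before the change
# (TLSv1 and TLSv1.1 still enabled). Element name, port and attribute names
# follow the article's fragment; the surrounding structure is assumed.
BEFORE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="14161" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="${vom.webgui.install.dir}/tomcat/cert/.keystore"
               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />
  </Service>
</Server>
"""

# Constructed sample using the attribute values the article tells you to set.
AFTER_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="14161" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
               keystoreFile="${vom.webgui.install.dir}/tomcat/cert/.keystore"
               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5" />
  </Service>
</Server>
"""


def audit_connectors(server_xml_text):
    """Return {port: [(kind, detail), ...]} for every SSL-enabled Connector.

    kind is "protocol" for legacy protocol versions and "cipher" for weak
    cipher suites; an empty list means the connector is clean.
    """
    root = ET.fromstring(server_xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors have no TLS settings to audit
        port = conn.get("port", "?")
        findings = []
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # Without an explicit list Tomcat falls back to the JVM default,
            # which on older JVMs still includes TLSv1 and TLSv1.1.
            findings.append(("protocol", "sslEnabledProtocols not set; JVM default applies"))
        else:
            protos = {p.strip() for p in enabled.split(",") if p.strip()}
            for proto in sorted(protos & LEGACY_PROTOCOLS):
                findings.append(("protocol", f"legacy protocol enabled: {proto}"))
            if not protos & {"TLSv1.2", "TLSv1.3"}:
                findings.append(("protocol", "no TLSv1.2 or TLSv1.3 enabled"))
        for suite in (c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()):
            if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                findings.append(("cipher", f"weak cipher suite: {suite}"))
        report[port] = findings
    return report


def legacy_tls_disabled(report):
    """True when no SSL-enabled connector has a protocol-level finding."""
    return all(kind != "protocol" for findings in report.values() for kind, _ in findings)


if __name__ == "__main__":
    # Usage: python audit_tls.py /opt/VRTSsfmcs/webgui/tomcat/conf/server.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else AFTER_SERVER_XML
    for port, findings in audit_connectors(text).items():
        print(f"Connector port {port}: {'clean' if not findings else ''}")
        for kind, detail in findings:
            print(f"  [{kind}] {detail}")
```

Run it against the backup taken in step 2 and against the edited file to see the protocol findings disappear; the cipher findings are a separate hardening decision that this article does not cover.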

Now you can verify the connection with openssl commands from a managed host: the client handshake fails for TLS v1 and TLS v1.1 but succeeds for TLS v1.2.

[managed-host] # openssl s_client -connect :5634 -tls1
CONNECTED(00000003)
140599050246032:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg  : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1553800825
    Timeout  : 7200 (sec)

...

Compare this to a successful handshake with TLS v1.2:


[managed-host] # openssl s_client -connect :5634 -tls1_2
CONNECTED(00000003)
depth=0 CN = root, OU = server101.samg.local, O = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = root, OU = server101.samg.local, O = localhost
verify return:1
---
Certificate chain
 0 s:/CN=root/OU=server101.samg.local/O=localhost
  i:/CN=root/OU=server101.samg.local/O=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDcDCCAligAwIBAgIBADANBgkqhkiG9w0BAQsFADBCMQ0wCwYDVQQDDARyb290

...
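The two manual s_client runs above can be automated so that the same check is repeatable after each restart or upgrade. The script below is an added example, not code from this article or from VIOM: it runs openssl s_client once per protocol version, classifies each run from the "Cipher is" line and the handshake-failure or protocol-version-alert error text, and returns a pass only when TLS v1 and v1.1 are refused while TLS v1.2 is accepted. The two embedded output samples are constructed: the rejected one is abbreviated from the -tls1 output above, and the accepted one assumes a cipher line because the article's -tls1_2 output is truncated before it. The host and port are arguments (the article's examples use port 5634 on a managed host and 14161 for the VIOM web server itself).

```python
"""Probe a host with openssl s_client once per TLS version and classify the
result (added example; not VIOM or OpenSSL code)."""
import re
import subprocess
import sys

# openssl s_client flag that forces exactly one protocol version.
PROBE_FLAGS = {"TLSv1": "-tls1", "TLSv1.1": "-tls1_1", "TLSv1.2": "-tls1_2"}

# Constructed sample modelled on the failed -tls1 output above (abbreviated).
REJECTED_SAMPLE = """CONNECTED(00000003)
140599050246032:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
"""

# Constructed sample of a successful -tls1_2 handshake; the cipher line and
# byte counts are assumed, since the article's successful output is truncated.
ACCEPTED_SAMPLE = """CONNECTED(00000003)
depth=0 CN = root, OU = server101.samg.local, O = localhost
verify error:num=18:self signed certificate
verify return:1
---
SSL handshake has read 1234 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
"""


def classify_handshake(s_client_output):
    """Return "accepted" or "rejected" for one openssl s_client run.

    A refused protocol version shows up as a handshake failure or protocol
    version alert and a "Cipher is (NONE)" line; a completed handshake
    names a real cipher suite on that line.
    """
    if "handshake failure" in s_client_output or "alert protocol version" in s_client_output:
        return "rejected"
    match = re.search(r"^New, .*?, Cipher is (\S+)", s_client_output, re.MULTILINE)
    if match is None or match.group(1) == "(NONE)":
        return "rejected"
    return "accepted"


def probe(host, port, timeout=15):
    """Run s_client once per protocol version; returns {version: verdict}."""
    results = {}
    for version, flag in PROBE_FLAGS.items():
        proc = subprocess.run(
            ["openssl", "s_client", "-connect", f"{host}:{port}", flag],
            input=b"",  # close stdin so s_client exits right after the handshake
            capture_output=True,
            timeout=timeout,
        )
        # Error text goes to stderr, the session summary to stdout; look at both.
        output = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
        results[version] = classify_handshake(output)
    return results


def legacy_tls_rejected(results):
    """True when TLSv1 and TLSv1.1 are refused but TLSv1.2 still works."""
    return (
        results.get("TLSv1") == "rejected"
        and results.get("TLSv1.1") == "rejected"
        and results.get("TLSv1.2") == "accepted"
    )


if __name__ == "__main__":
    # Usage: python probe_tls.py <host> <port>
    host, port = sys.argv[1], sys.argv[2]
    verdicts = probe(host, port)
    for version, verdict in verdicts.items():
        print(f"{version:8s} {verdict}")
    sys.exit(0 if legacy_tls_rejected(verdicts) else 1)
```

The exit status makes the check usable from a cron job or a post-change runbook; a non-zero exit means either a legacy version is still accepted or TLS v1.2 itself is broken, which is the failure mode to watch for if the ciphers attribute is also tightened.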
