IT Process Automation

  • 1.  Disable SSL 2.0, SSL 3.0 and enable TLS 2.0

    Posted Dec 02, 2019 09:32 AM
    Edited by Simran Kaur Dec 03, 2019 03:14 AM


    Hi team,


    On running a vulnerability test on the ITPAM Application server, the risk severity recorded was High and the resolution suggested was to disable SSL 2.0, SSL 3.0 and enable TLS 2.0.

    We have performed the above action by updating the registry key path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    However, after performing the above, the issue remains.


    Kindly suggest the way to disable SSL 2.0, SSL 3.0 and enable TLS 2.0 using ITPAM application running on JBOSS.



  • 2.  RE: Disable SSL 2.0, SSL 3.0 and enable TLS 2.0

    Posted Dec 03, 2019 03:05 AM
    Dear Simran Kaur.

    Disabling ciphers for an open Java application server is a process documented by the manufacturer of the application server. This tells me for JBoss on Windows you need to edit standalone.xml, not the registry:

    https://abhirampal.com/2015/07/23/disable-ssl-v3-on-jboss-as-7-1-1/

    There appears to be a wealth of further tutorials on this topic, e.g. https://www.google.de/search?q=jboss+disable+ssl+v3 or similar unearths various write-ups on how to go about this.

    Also, please note that this is a public and openly searchable forum. I appreciate you posting helpful background information, but you may want to rethink posting live vulnerability reports of such a degree of detail to a forum virtually everyone can read.

    Kind regards,
    Carsten Schmitz


  • 3.  RE: Disable SSL 2.0, SSL 3.0 and enable TLS 2.0

    Posted Dec 03, 2019 03:07 AM
    Oh, and that registry key appears to govern ciphers used by Active Directory. I don't think it does anything for JBoss.


  • 4.  RE: Disable SSL 2.0, SSL 3.0 and enable TLS 2.0

    Posted Dec 09, 2019 04:28 AM
    Hi Carsten,

    Thank you for the quick response.

    However, I was not able to find any standalone.xml in the installation directory (checked in the Windows directories too).
    I found server.xml in JBOSS_HOME/jboss-as/server/$JBOSS_PROFILE/deploy/jbossweb.sar/server.xml and made the required changes in the "sslProtocols" field.
    But the ITPAM orchestrator service is impacted by this, and is getting automatically disabled a few minutes after enabling it.


    I rolled back the changes in the file, still the issue remains.
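    The thread turns on two points worth seeing concretely: the Schannel registry key changes only Windows' own TLS stack (IIS, RDP, LDAP and the like), while a JBoss listener is served by the JVM's JSSE stack and is governed by the `sslProtocols` attribute of the HTTPS `<Connector>` in jbossweb.sar/server.xml. The script below is an added example, not code from ITPAM, JBoss or anyone in this thread: it parses a constructed server.xml in the shape of a JBoss Web connector (the attribute names `SSLEnabled`, `sslProtocols`, `keystoreFile` follow JBoss Web/Tomcat conventions and are an assumption about the file on the poster's system), reports every HTTPS connector that still lists an SSL protocol, and writes back a hardened copy that allows only the TLS versions you pass in. The protocol names are the JSSE identifiers (`SSLv2Hello`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`); "TLS 2.0" does not exist as a JSSE name.

```python
"""Audit and harden sslProtocols on JBoss Web HTTPS connectors (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a JBoss Web server.xml (jbossweb.sar).
# The connector attribute names follow JBoss Web / Tomcat conventions and are
# an assumption, not a copy of ITPAM's shipped file.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="jboss.web">
    <Connector protocol="HTTP/1.1" port="8080" />
    <Connector protocol="HTTP/1.1" port="8443" scheme="https" secure="true"
               SSLEnabled="true" sslProtocols="SSLv2,SSLv3,TLSv1"
               keystoreFile="conf/itpam.keystore" keystorePass="changeit" />
  </Service>
</Server>
"""

# Anything SSL is what a scanner rates High.  SSLv2Hello is only the hello-format
# shim, but it keeps SSLv2-era negotiation alive and should go as well.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv2Hello", "SSL"}
HARDENED_VALUE = "TLSv1.2"   # JSSE name; requires a JVM that implements TLS 1.2


def _https_connectors(root):
    """Yield <Connector> elements that terminate TLS themselves."""
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            yield conn


def audit_connectors(xml_text):
    """Return one dict per HTTPS connector: port, configured protocols, weak ones."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in _https_connectors(root):
        raw = conn.get("sslProtocols")
        protocols = [p.strip() for p in raw.split(",")] if raw else []
        findings.append({
            "port": conn.get("port"),
            "explicit": raw is not None,   # False: the JVM default list applies
            "protocols": protocols,
            "weak": [p for p in protocols if p in WEAK_PROTOCOLS],
        })
    return findings


def harden(xml_text, allowed=HARDENED_VALUE):
    """Rewrite sslProtocols on every HTTPS connector to the allowed TLS list."""
    root = ET.fromstring(xml_text)
    for conn in _https_connectors(root):
        conn.set("sslProtocols", allowed)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {f['port']}: {f['protocols']} -> weak: {f['weak']}")
    print(harden(SAMPLE_SERVER_XML))
```

    Two caveats before applying the hardened file to a real ITPAM host: JSSE rejects protocol names the running JVM does not implement, and the connector then fails to start, so confirm which TLS versions the JVM under JBoss supports (TLS 1.1 and 1.2 arrived with Java 7) before restricting the list; and keep a backup of server.xml and re-run the scanner against port 8443 afterwards, since only the listener's own behaviour proves the finding is closed.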