IT Process Automation


Disable SSL 2.0, SSL 3.0 and enable TLS 2.0

  • 1.  Disable SSL 2.0, SSL 3.0 and enable TLS 2.0

    Posted 8 days ago
    Edited by Simran Kaur 8 days ago


    Hi team,


    On running vulnerability test on ITPAM Application server, the risk severity recorded was High and the resolution suggested was to disable SSL 2.0, SSL 3.0 and enable TLS 2.0.

    We have performed above action by updating Registry key path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    However, after performing above, the issue remains there.


    Kindly suggest the way to disable SSL 2.0, SSL 3.0 and enable TLS 2.0 using ITPAM application running on JBOSS.



  • 2.  RE: Disable SSL 2.0, SSL 3.0 and enable TLS 2.0

    Posted 8 days ago
    Dear Simran Kaur,

    Disabling ciphers for an open Java application server is a process documented by the manufacturer of the application server. This tells me for JBoss on Windows you need to edit standalone.xml, not the registry:

    https://abhirampal.com/2015/07/23/disable-ssl-v3-on-jboss-as-7-1-1/

    There appears to be a wealth of further tutorials on this topic, e.g. https://www.google.de/search?q=jboss+disable+ssl+v3 or similar unearths various write-ups on how to go about this.

    Also, please note that this is a public and openly searchable forum. I appreciate you posting helpful background information, but you may want to rethink posting live vulnerability reports of such degree of detail to a forum virtually everyone can read.

    Kind regards,
    Carsten Schmitz

    ------------------------------
    I will not respond to PM asking for help unless there's an actual reason to keep the discussion off of the public forums.
    ------------------------------



  • 3.  RE: Disable SSL 2.0, SSL 3.0 and enable TLS 2.0

    Posted 8 days ago
    Oh, and that registry key appears to govern ciphers used by Active Directory. I don't think it does anything for JBoss.

    ------------------------------
    I will not respond to PM asking for help unless there's an actual reason to keep the discussion off of the public forums.
    ------------------------------



  • 4.  RE: Disable SSL 2.0, SSL 3.0 and enable TLS 2.0

    Posted 2 days ago
    Hi Carsten,

    Thank you for the quick response.

    However, I was not able to find any standalone.xml in the installation directory (checked in Windows directories too).
    I found server.xml in JBOSS_HOME/jboss-as/server/$JBOSS_PROFILE/deploy/jbossweb.sar/server.xml and made the required changes in the
    "sslProtocols" field.
    But the ITPAM orchestrator service is impacted due to this, and is getting automatically disabled after a few minutes of enabling it.


    I rolled back the changes in the file, still the issue remains.
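An added example, not part of this thread or of CA/ITPAM's own tooling, illustrating the configuration point raised in replies 2 and 4: a Java application server such as JBoss negotiates TLS through its own JSSE stack, so the Windows SCHANNEL registry keys do not affect it, and the protocol list has to be changed on the JBoss Web HTTPS connector. The script below audits a server.xml for SSL-enabled connectors whose "sslProtocols" attribute (the attribute named in reply 4) still lists SSLv2 or SSLv3, and rewrites that attribute to a TLS-only value. The sample server.xml is constructed for this example; the other connector attributes (SSLEnabled, port, scheme, secure, keystoreFile) follow the Tomcat-derived JBoss Web connector syntax and the exact JSSE protocol names accepted depend on the JDK in use, so treat both as assumptions to confirm against your installation.

```python
"""
Audit and harden the HTTPS connector protocol list in a JBoss Web server.xml.

Everything here is example code. The connector attribute "sslProtocols" comes
from the forum thread; the remaining attribute names and the sample file are
constructed for illustration and are assumptions about the target version.
"""
import xml.etree.ElementTree as ET

# Protocol names we consider legacy and want removed from any HTTPS connector.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}

# TLS-only replacement value (assumed JSSE names; TLSv1.1/1.2 need a JDK that
# supports them, so confirm against the JDK running the application server).
TLS_ONLY = "TLSv1,TLSv1.1,TLSv1.2"

# Constructed sample server.xml with one plain and one HTTPS connector.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector protocol="HTTP/1.1" port="8080" />
    <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"
               scheme="https" secure="true"
               sslProtocols="SSLv3,TLSv1"
               keystoreFile="conf/server.keystore" />
  </Service>
</Server>"""


def _ssl_connectors(root):
    """Yield <Connector> elements that terminate TLS themselves."""
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            yield conn


def find_weak_connectors(xml_text):
    """Return a list of (port, legacy_protocols_found) for HTTPS connectors.

    A connector with no sslProtocols attribute is reported with None, because
    the server default for that version is unknown and should be reviewed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in _ssl_connectors(root):
        protos = conn.get("sslProtocols")
        if protos is None:
            findings.append((conn.get("port"), None))
            continue
        enabled = [p.strip() for p in protos.split(",") if p.strip()]
        weak = [p for p in enabled if p in LEGACY_PROTOCOLS]
        if weak:
            findings.append((conn.get("port"), weak))
    return findings


def harden(xml_text):
    """Return a copy of the XML with every HTTPS connector set to TLS only."""
    root = ET.fromstring(xml_text)
    for conn in _ssl_connectors(root):
        conn.set("sslProtocols", TLS_ONLY)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, weak in find_weak_connectors(SAMPLE_SERVER_XML):
        print(f"connector on port {port}: legacy protocols {weak}")
    print(harden(SAMPLE_SERVER_XML))
```

Run it against the real file with `harden(open(path).read())` after taking a backup, then restart the JBoss instance and re-run the vulnerability scan; a negotiation that is refused for SSLv3 but accepted for TLS on port 8443 confirms the connector, not the registry, was the right place to change. If the orchestrator service stops after the change, as reply 4 reports, check the server log for the connector start-up error first: an unsupported protocol name for the installed JDK is a common cause and shows up there rather than in the scanner output.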