Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Disabling TLSv1 and TLSv1.1

Disabling TLSv1 and TLSv1.1

Version

Cb Response 5.1.x, 5.2

Issue

A security vulnerability assessment has determined that TLSv1 and TLSv1.1 have a security vulnerability and should be disabled

Solution

Warning: TLSv1.2 might need to be enabled in older versions of windows and browsers may need to be upgraded to the latest versions. Check here for more information:

Browser support: https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

Windows support: Support for SSL/TLS protocols on Windows – Unleashed
Updating Windows: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-s...

6.1

TLSv1 and TLSv1.1 are disabled by default in 6.1

For prior versions, TLSv1 and TLSv1.1 can be removed from the nginx configuration file for your corresponding version:

5.2

For 5.2 this configuration moved to /etc/cb/nginx/conf.d/includes/cb.server.body

Check here for more information: 5.2 Nginx Configuration Changes

This line can be changed from:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

To:

#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;

Please restart nginx to load changes:

service cb-nginx restart

5.1

The nginx configuration file (ending in .conf) in the /etc/cb/nginx/conf.d/ directory:

/etc/cb/nginx/conf.d/cb.conf or /etc/cb/nginx/conf.d/cb-multihome.conf

If the UI is over port 8443, this is likely to be cb-multihome.conf. Otherwise for port 443 it will be cb.conf.

Note: /etc/cb/nginx/conf.d/cb.conf is a child configuration file to the one located in /etc/cb/cb.conf

Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎08-31-2016
Views:
1246
Contributors