Version
Cb Response 5.1.x, 5.2
Issue
A security vulnerability assessment has determined that TLSv1 and TLSv1.1 are vulnerable and should be disabled.
Solution
Warning: TLSv1.2 might need to be enabled in older versions of Windows, and browsers may need to be upgraded to the latest versions. Check here for more information:
Browser support: https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
Windows support: Support for SSL/TLS protocols on Windows – Unleashed
Updating Windows: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-s...
6.1
TLSv1 and TLSv1.1 are disabled by default in 6.1.
For prior versions, TLSv1 and TLSv1.1 can be removed from the nginx configuration file for your corresponding version:
5.2
For 5.2, this configuration moved to /etc/cb/nginx/conf.d/includes/cb.server.body.
Check here for more information: 5.2 Nginx Configuration Changes
This line can be changed from:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
To:
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
Please restart nginx to load changes:
5.1
For 5.1, the setting is in the nginx configuration file (ending in .conf) in the /etc/cb/nginx/conf.d/ directory:
/etc/cb/nginx/conf.d/cb.conf or /etc/cb/nginx/conf.d/cb-multihome.conf
If the UI is over port 8443, this is likely to be cb-multihome.conf. Otherwise, for port 443, it will be cb.conf.
Note: /etc/cb/nginx/conf.d/cb.conf is a child configuration file to the one located in /etc/cb/cb.conf
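To confirm the edit in whichever file applies, the following added example (not part of the original article and not Carbon Black tooling) lists every active ssl_protocols directive and flags any that still enable TLSv1 or TLSv1.1. The function name audit_ssl_protocols is hypothetical, the sample files are constructed, and it assumes each directive sits on a single line.

```shell
#!/usr/bin/env bash
# Added example, not Carbon Black tooling. Reports every active (uncommented)
# ssl_protocols directive in the given nginx files and flags TLSv1 / TLSv1.1.
# Exit status: 0 = only strong directives found, 1 = weak or none found.
audit_ssl_protocols() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)              # nginx ignores everything after "#"
        n = split(line, stmts, ";")       # one line can hold several directives
        for (i = 1; i <= n; i++) {
            s = stmts[i]
            gsub(/^[ \t]+|[ \t]+$/, "", s)
            if (s !~ /^ssl_protocols[ \t]/) continue
            sub(/^ssl_protocols[ \t]+/, "", s)
            found = 1; verdict = "OK"
            m = split(s, protos, /[ \t]+/)
            for (j = 1; j <= m; j++)
                if (protos[j] == "TLSv1" || protos[j] == "TLSv1.1") verdict = "WEAK"
            if (verdict == "WEAK") weak = 1
            printf "%s:%d: %s %s\n", FILENAME, FNR, verdict, s
        }
    }
    END {
        # No active directive: nginx falls back to an inherited or built-in value.
        if (!found) print "NONE: no active ssl_protocols directive"
        exit ((weak || !found) ? 1 : 0)
    }' "$@"
}

# Constructed sample files modelled on the directive lines in this article.
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$demo_dir/before"
    printf '#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_protocols TLSv1.2;\n' > "$demo_dir/after"
    # Failure mode: replacement typed on the commented line, so it is inactive.
    printf '#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1.2;\n' > "$demo_dir/collapsed"
    for f in before after collapsed; do
        rc=0; audit_ssl_protocols "$demo_dir/$f" || rc=$?
        echo "  -> $f: exit status $rc"
    done
    rm -rf "$demo_dir"
}
demo
```

On the server, pass the function /etc/cb/nginx/conf.d/includes/cb.server.body (5.2) or cb.conf / cb-multihome.conf under /etc/cb/nginx/conf.d/ (5.1). A NONE result needs review because the effective protocol list then comes from elsewhere in the nginx configuration or from the nginx default.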