Disable ssl version2 on CSS

Hi all,
i know that SSL version3 by default is enabled on the CSS.
is there anyway to disable SSL version 2 ?
Please Advice
Hasan

Are you referring to the ssl module ?
Here is what we support on the module :
CSS11503-2(config-ssl-proxy-list[gdufour])# ssl-server 1 version ?
ssl-tls SSL v3 & TLS v1
tls TLS Version 1
ssl SSL Version 3
No ssl version 2.
Gilles.

Similar Messages

How to disable SSL v3 for sun os 5.6 (OAS 4.0.8), I am facing POODLE vulnerability issue?

my Website is hosted on Sun OS 5.06 (OAS 4.0.8) and using web server : Oracle_Web_Listener/4.0.8. Website is configured to use https for secure pages and it was working fine from last 10 years but suddenly i am getting complaints from my customers that they can not browse site on chrome version 40 and above and firefox 34 and above.
I searched for this issue and found that there is POODLE attack which may causing this issue. now the only solution i can see is to disable SSL v3 on server.
Can any help me out with the process or an idea, How to disable SSL V3 on this Olde server? its sun microsystem server.

Hi Aamir,
   This is old software, been a while since I saw one of these.
    Normally when SSL was setup there were two listeners, one with SSL and one without, in a different port, so you could try to find this second port, which may work without any need to change the configuration.
    Else, try to check on the OAS manager (Usually on port 8888), the HTTP listener -> WWW -> Network, if there is a setup only for the SSL port, you will need to add a new line, with the same configuration, but a different port and the security disabled.
    Also, there may be some setting on the application itself for the url path. If so, when you navigate in the application it will try to redirect you back to the SSL port. In that case you will need to figure out where to change that, which depend on the application itself.
   Found this page on google with the process to setup SSL on OAS 4.0, you need to do the inverse of step 5.
WoSign Support: SSL Certificates Installation Instruction - Oracle Web Server (OAS 4.0.8)
Regards,
Luis

Disable SSL 2.0 on Windows 2008 R2

Hi.
Can anyone give me a step by step on how to disable SSL 2.0 on IIS 7.5 please? I cannot find an article for it and those refering to IIS 7.0 do not seem to work.
Regards,
Morris
Best Regards, Morris Fury AFRIDATA.net

Morris -
Client-side SSL 2.0 is disabled by default on Windows 7 and Windows Server 2008 R2, which means that, when initiating an SSL connection from either of those two OSes that SSL 2.0 will not be sent as a supported protocol that the server can use. You can see
this in the following registry value:
Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
Value: DisabledByDefault
Server-side SSL 2.0 is not, however, disabled by default. This means that some other client, when initiating an SSL connection
to Windows Server 2008 R2 can include SSL 2.0 in the list of supported protocols. If SSL 2.0 is the only protocol in common between the client and the server, the server will select it.
Functionally, there is not much difference between setting Enabled to 0 and setting DisabledByDefault to 1.
Hope this helps,
Jonathan Stephens
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can
be beneficial to other community members reading the thread.

Disabling SSL in Aqualogic Service Registry

Hi All,
i have installed and deployed Aqualogic Service Registry (ALSR) on weblogic server 9.2. However, by default, SSL is enabled during installation. I tried disabling SSL using Weblogic Admin Console but that didn't help. Is there a way i can configure ALSR war to disable SSL?
--Vivek

Hi James,
As I am using ALSR and not OSR and also, deploying it on weblogic server (since, ALSR doesn't support oc4j server), I don't understand why i need to put this question in SOA suite forum.
Installation of ALSR creates registry.war that eventually gets deployed on weblogic server. ALSR doesn't allow me to choose SSL enabling, it choses it by default which is not the case in OSR.
--Vivek

Disable SSL 3.0 in DSEE 7

Hello,
Is there a way to disable SSL 3.0 in DSEE 7, such that only TLS 1.0/1.1/1.2 can be used? I Googled for this and found MOS document 1950334.1, but the instructions in the document only apply to a DS proxy server.
Thanks,
Dave

Disabling SSLv3 by changing the encryption settings but it did not actually work. I loaded the LDIF and restarted the instance, and LDAP indicated that the change took effect:
root@ldap-test:/# ldapsearch -D "cn=Directory Manager" -w xxxxxxxx -b "cn=config" -s sub '(cn=encryption)'
version: 1
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSLServerAuth: cert
nsSSL2: off
nsKeyfile: alias/slapd-key3.db
nsCertfile: alias/slapd-cert8.db
nsSSL3Ciphers: all
nsSSL3: off
However, a test with openssl with the "-ssl3" option (forcing it to only use SSLv3) still connected:
$ /usr/local/openssl-1.0.1k/bin/openssl s_client -connect ldap-test.our-domain.edu:636 -ssl3
CONNECTED(00000003)
... <showed our server certificate, etc.> ...
If SSLv3 were actually disabled, that openssl test would have failed with an error. Disabling SSLv3 is required by our auditing tool because of the POODLE vulnerability, and a system cannot pass our audit unless SSLv2 and SSLv3 are disabled completely, but TLS 1.0/1.1/1.2 are still available.

Apple Mail 8.2 disables SSL to POP3 server (Securityrisk)

Hi,
Setup
Computer:
OSX 10.10.2
Mail 8.2 (2070.6)
Mail server A
POP3 port 995 SSL
(Non SSL - port 110 - is disabled due to security reasons)
Mail server B
POP3 port 110
POP3 port 995 SSL
Summary
OSX Mail client removes SSL support on non regular intervals for POP3 connections. For the connections that support regular non SSL POP3 (port 110) this reduces the security, but the mail is available. This was noticed by me because one ISP has locked down their POP3 server to SSL only due to security reasons. After reenabling SSL on the connection (Mail -> Preferences -> Accounts -> Account in question -> Advanced) the connection remains with SSL support for a while, then it is removed again. As OS X Mail has no token to identify SSL or regular port 110 connection this is transparant to the user, unless the server does not support regular POP3, at which time a error is generated.
Comments
1) This seems to be a security related issue with mail where OS X mail downgrades from SSL connection to regular port 110 POP3 traffic
2) If corrected the connection is downgraded again within a couple of days, if not sooner.
3) Connections to POP3 servers supporting port 110 are "unaffected" with the exception of the security issue of a downgrade
4) Connections to POP3 servers that only support SSL - port 995 - are not able to complete until SSL has been reenabled manualy.
5) Downgrade bug has been seen only on my machine, so it might not be something mainstream. Machine is updated to latest patches.
Questions
1) As this has only been observed on my machine, has anybody else seen this POP3 SSL downgrade bug?

Same problem. The following information is from Symantec:
To disable SSL\TLS
Open Apple Mail.
Click the Mail menu and select Preferences.
Select your mail account on the left under Accounts, then click the Advanced tab.
Confirm the check box labeled "use SSL" is not checked next to ports. If necessary remove the checkmark.
Click the Account Information tab and select Edit Server list from the drop down next to Outgoing Mail Server.
Click the Advanced tab and confirm there is not a checkmark next to Use Secure Socket Layer(SSL).
Click OK and close the accounts. Window and choose to save.
Click Save to update your settings.
Restart Apple Mail.
This does work for a while but eventually Mail reverts to enabling Use SSL and disabling Allow Insecure Authentication but only one some of my addresses but not all. Some accounts POP logs-in but not SMTP.

RDS 2012 issues after disabling SSL 3.0

Hi all, we have Server 2012 R2 RDS infrastructure. I have 2 servers running RD web, gateway, and conn broker using Windows network load balancing. 3 RDSH servers behind them handling user workload.
Last night I disabled SSL 3.0 on both of these servers using the registry key 'Enabled' set to zero in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server. Servers were rebooted after this change.
I did not disable SSL 3.0 on the RDSH servers yet, but I don't think it matters in this situation because the SSL traffic only passes between the remote computer and the RDGW server, AFAIK.
Today all the remote users were having issues with remote desktop sessions disconnecting them, but they would reconnect after a short time. They all told me this is unusual, normally the connections are quite stable. After I turned SSL 3.0 back on and rebooted,
no more issues, users are happy. Has anyone else experienced this? Is there anything that can be done to stabilize connections while SSL 3.0 is disabled?

Hi,
Thank you for posting in Windows Server Forum.
Did they receive any precise error when SSL3 is disabled?
What’s your client OS and RDP version using for your network?
If you would like to continue with SSL3 disabled you may try to change the RDP Security Layer under Security Layer.
When you are using RD Security Layer you are susceptible to MITM attack because there is no Server Authentication. I suggest you re-enable TLS 1.0 and have a ssl certificate from a public authority set on your RDP-Tcp listener.
You can also refer this article for other information.
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support

ILOM, how to disable SSL v2?

Hello
Is there any possibility to disable SSL v2?
I want to use HTTPS to connect to the server (Java Console) but it have to use SSL v3 only. Once trying to connect with v2 of SSL connection should not be established.
Is there any possibility to do this?
SP Firmware Version is: 3.0.3.20.e
SP Filesystem Version 0.1.22
Edited by: Luceks on Sep 2, 2009 4:28 AM

Hi.
You should have a SSL section under:
1) Log in to the ILOM-SP WEB interface.
2) Click --> Management --> SSL (or similar...)
3)
The SSL page appears. There're some sections to the SSL page.
One section includes targets and properties and you can configure the SSL settings displayed
in this section page (example):
**SSL**
State = Enabled | Disabled
Roles = Administrator | Operator | Advanced | (none)
Address = 0.0.0.0
Port = 0
4) Save settings page, to save any changes made to this section.
s.

Disable SSL v2 and weak cipers on a RV325 for PCI compliance

How do you disable SSL v2 and weak cipers on a RV325 to become PCI compliant?

Hello
per Cisco RVS4000 product site information this router is already end of life since January 30, 2010. Last date of support is also already missed - April 30, 2013. This means that according Cisco policy no further updates to existing firmware will be done - neither security-related fixes. And I am afraid that this is fact with which you have to deal.
regarding RV320 - it seems that there is no any possibility to restrict SSL/TLS protocol/version by your own in current version. Francis - I would recommend you to open service request to Cisco SMB Support if you still have valid support contract. I hope there is good chance to get it fixed as this security related inability.
lastly - for all products (including RVS4000) - I would suggest to keep management interface of router separated most as possible - i.e. restrict access to management interface only to single subnet/host(s) only (via Firewall feature). With having administration/management subnet and certain client(s) which is a part of this subnet can help to avoid eavesdropping your connection to router. Of course disabling remote management is the best thing you can do in any case (including avoid of possible firmware bugs, loggin attempts and so on).

Disabling SSL open domain server. How?

Hi all,
Can anybody elicidate to me how I can disable the SLL on a Open Domain OSX server?
In
http://support.apple.com/kb/HT5300
it is explained that you have to disable SSL prior to updating OSX from Mountain Lion with OSX server 2.2 to OSX MAvericks with server 3.
Any help is highly appreciated. Thanks already

Hi UptimeJeff,
Thanks for the reply.
I have rolled back three times from Mavericks to Mountain Lion server and will now stay there for some month until the quirks are ironed out. Mavericks OSX server is just to cumbersome right now.
So no email log to check at the moment.
But the email archives were not too big and the server had a full good night to do that.
The problem was strictly that server 3 app does not open after download and install and therefore does not let me finish configuration of the server.
Thanks anyway.

I disabled SSL v3, now a POP3 connection is failing

I disabled SSL v3.0 to protect us from the Poodle vulnerability, now I find a vendor, providing a service deemed as critical, is unable to connect over POP3. It was working until Friday, when SSL v3.0 was disabled in the registry, since then the connection
has been failing. I have deleted the registry key I created to disable this, no change. Any ideas what I need to do to get this working again?
I am using Exchange 2013 on Server 2012 R2

Hi,
Disabling the use of SSL v3 on the client will prevent all clients to use SSL v3.0 to establish SSL channels, these will use TLS instead; the consequence of this is for services (applications servers) who don’t support TLS, who only rely
on SSL 3.0 for SSL encryption => clients/browsers without support of SSL v3.0 won’t be able to access services using SSL v3.0 only; they just won’t understand other SSL encryption protocols than SSL v3.0. For more information, please refer to:
Vulnerability in SSL 3.0 – Poodle attack and Exchange 2010 or Exchange 2013
Therefore, only if the application accessing uses only SSL 3.0 would be affected. Please contact your vendor which provide
a service deemed as critical to confirm if it has TLS enabled by default. Then you can change the POP3 connection to use TLS to have a try.
Regards,
Winnie Liang
TechNet Community Support

Disable SSL V3

Hi There,
Can we disable SSL V3 on Lync 2010 Director Server and Front End server? These servers are failing Security Scans and we need to disable it. If we disable, will there be any impact?

THE RECOMMENDATION Ideally
Would be to disable SSLV3 across all Lync server Roles and other integration components such as Exchange server and SharePoint servers and other trusted application that communicate with the Lync Servers
Here Technet Guideline around it
https://technet.microsoft.com/en-us/library/security/3009008.aspx
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer" Regards Edwin Anthony Joseph

Problems Disabling SSL v2

Our organization is in the process of coming into PCI compliance. If you've had to do this, then you know that you need to disable SSL v2. We have three servers running IIS which are outward facing. All three are running Windows Serer 2008 R2. Two are general
Web servers, the third is also running Exchange Server 2010 with OWA. The two Web servers are compliant, and a portion of the SSLLABS.COM test shows:
Protocols
TLS 1.2
Yes
TLS 1.1
Yes
TLS 1.0
Yes
SSL 3
Yes
SSL 2
No
however, even though I ensure that the registry settings are the same on the Exchange server as on the Web servers, I get this as a result:
Protocols
TLS 1.2
No
TLS 1.1
No
TLS 1.0
Yes
SSL 3
Yes
SSL 2 INSECURE
Yes
Yes, every time I've made a change, I've run gpupdate /force then rebooted. The registry settings are not reverting; I look after the reboot and they're what I expect. The following is what is in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
Any help is appreciated.
Jake

I have used the Nartac tool, clicked the PCI button, and rebooted the server. This did not work. Also, per MS KB article 187498 "How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services" (http://support.microsoft.com/kb/187498/en-us)
the example given is for PCT 1.0 but is implied for any of the protocols I believe:
To disable the PCT 1.0 protocol so that IIS does not try to negotiate using the PCT 1.0 protocol, follow these steps:
Click Start, click Run, type regedt32 or type
regedit, and then click OK.
In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders   \SCHANNEL\Protocols\PCT 1.0\Server
On the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click
OK.
Note If this value is present, double-click the value to   edit its current value.
Type 00000000 in Binary Editor to set the value of the new key equal to   "0".
Click OK. Restart the computer.
So to recap, set Enabled to 0 is not enabled, and set Enable to 1 is enabled. Or am I reading this completely wrong?

Disable SSL/TLS renegotiation

Is it possible to disable SSL/TLS renegotiation in SJSWS 7.0?
I'm asking because of the recently published SSL/TLS protocol flaw (CVE-2009-3555) described here: [http://extendedsubset.com/?p=8|http://extendedsubset.com/?p=8]
Thanks and regards,
Jostein Tveit.

The TLS Renegotiation vulnerability is now addressed in Sun Web Server 7.0u7.
For more details, please refer to
[http://blogs.sun.com/jyrivirkki/entry/more_thoughts_on_web_server|http://blogs.sun.com/jyrivirkki/entry/more_thoughts_on_web_server] , forum announcement
[http://forums.sun.com/thread.jspa?threadID=5420698&tstart=0|http://forums.sun.com/thread.jspa?threadID=5420698&tstart=0] and
the blog [http://blogs.sun.com/webtier/entry/sun_web_server_7_0u7|http://blogs.sun.com/webtier/entry/sun_web_server_7_0u7] .

Trying to understand SSL sticky with CSS 11506 / ssl-l4-fallback behavior

Dear experts
I have a CSS 11506 (v7.50) which is used to load balance several SSL-based sites. We use the following textbook content rule:
content mysite-SSL
vip address 10.0.0.1
add service s01
add service s02
add service s03
port 443
protocol tcp
advanced-balance ssl
application ssl
flow-timeout-multiplier 225
active
If I read the manual correctly, SSL L3 session IDs are going to be used till a flow is set up. Then the ssl-l4-fallback (it is enabled) directive kicks in and load balancing is done based on the source IP, destination port.
However, my stats show:
Sticky Statistics - SFM Slot 1, Subslot 1:
Total number of new sticky entries is 4937735
Total number of sticky table hits is 33476045
Total number of sticky rejects (no entry) is 0
Total number of sticky collision is 0
Total number of available sticky entries is 0
Total number of used sticky entries is 131071
Total L3 sticky entries are 131
Total L4 sticky entries are 0
Total SSL sticky entries are 130940
Total WAP sticky entries are 0
Total number of SIPCID sticky entries is 0
So, why don't I see anything in the L4 sticky entries?
Also, I would expect that once the ssl-l4-fallback kicks in, a client will be always directed to the same server (since the CSS uses now source IP, dest port for load balancing). However, if I close and start again my browser I hit a different server.
Your thoughts and suggestions are highly appreciated.
John.

Hi Gilles
Thank you for your response. If I may ask the group for a final further clarification, so as to put this matter to rest. Since there are a lot of frames transmitted in either direction, I would expect the following to be happening and overriding the use of SSLv3 session IDs. Following is the section of the manual that seems to contradict what you say (and I see on the stats). Am I reading the manual wrong?
"Cisco Content Services Switch
Content Load-Balancing
Configuration Guide
Software Version 8.20
November 2006
page 11-14
Configuring SSL-Layer 4 Fallback
Insertion of the Layer 4 hash value into the sticky table occurs when more than
three frames are transmitted in either direction (client-to-server, server-to-client)
or if SSL version 2 is in use on the network. If either condition occurs, the CSS
inserts the Layer 4 hash value into the sticky table, overriding the further use of
the SSL version 3 session ID."

Disable ssl version2 on CSS

Similar Messages

Maybe you are looking for