If you are running systems that maintain SSL 3.0 compatibility, you are advised to define a Signaling Cipher Suite Value (SCSV) to prevent unintended protocol downgrades between clients and servers when both parties support a higher version of the protocol.
Disabling fallback to lower protocols is different from operating system to operating system. Here are some guidelines for the most frequently used webservers:
Internet Information Services (IIS)
Microsoft Windows NT Server stores protocol information in the HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols registry key. This key contains subkeys for PCT 1.0, SSL 2.0, SSL 3.0 and TLS 1.0. You can disable any of these protocols by creating a new DWORD value with the “00 00 00 00” value in the server subkey corresponding to the protocol to be disabled. More information about configuring crypto on IIS is available here.
Apache HTTPD Server
Include the following line in the server configuration file: SSLProtocol All -SSLv2 -SSLv3. Restart the service with sudo service apache2 restart (If running Linux).
Nginx server
Include the following line in the Nginx configuration file: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; Restart the service with sudo service nginx restart (if running Linux).
Postfix SMTP
Add or change the smtpd_tls_mandatory_protocols directive like this:
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
Restart Postfix with sudo postfix restart for the changes to take effect.
HAProxy Server
Edit the /etc/haproxy.cfg file and find your bind line. Append no-sslv3 directive like in the example below:
bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3
More info on configuring webservers under Linux is available here.
JBoss Web
Configure the https connectors to have the sslProtocol attribute set to "TLS" in the configuration file:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/keystore.jks"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
Tomcat
The SSL protocol to be used can be configured via $TOMCAT_HOME/conf/server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"/>
Tomcat APR
Similar to Tomcat, the protocol to be used is defined in the $TOMCAT_HOME/conf/server.xml file:
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEnabled="true"
SSLProtocol="TLSv1"
SSLCertificateFile="${catalina.base}/conf/localhost.crt"
SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />
For more information on mitigating unwanted protocol downgrades, please refer to the TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks draft.
Read More on Applied Crypto Hardening!
tags
Shaun Donaldson is Editor-at-large at Bitdefender Enterprise. Shaun is also responsible for supporting relationships with strategic alliance partners and large enterprise customers, and analyst relations. Before joining Bitdefender, Mr. Donaldson was involved in various technology alliances, enterprise sales and marketing positions within the IT security industry, including Trend Micro, Entrust, Bell Security Solutions and Third Brigade.
View all postsDon’t miss out on exclusive content and exciting announcements!