Accepted Solution

DFM SSL weak ciphers

I just had a security scan and was dinged on SSL ciphers in DFM that were less than 128-bit.  So, I know that I can invoke openssl on my DFM server and change this, but is it OK to do so?  I want to invoke the following to shut off all ciphers below 128-bit:

openssl ciphers -v SSLv3+MEDIUM+HIGH:!SSLv2:!aNULL:!eNULL:@STRENGTH

Or, do we have a better procedure in place?  Thanks.

-todd

Re: DFM SSL weak ciphers

Ok, I got it figured out:

1) Edit the ../DFM/conf/http.conf.tmpl file and add the following two lines that are indicated in bold, which will only allow encryption ciphers of 256:

...
@@HTTPS_BEGIN@@
...
          <VirtualHost _default_:@@HTTPS_PORT@@>
                         AddType application/x-x509-ca-cert .crt
                         AddType application/x-pkcs7-crl .crt
                         SSLProtocol -all +SSLv3
                         SSLCipherSuite SSLv3:+HIGH:-MEDIUM:-LOW:-EXP
                         <IfModule mod_ssl.c>
...

2)  stop and restart http service:   dfm service stop http; dfm service start http
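
An added example, not part of the original posts: a shell filter that reads `openssl ciphers -v` output and reports every suite below a minimum key size, with no encryption, or with anonymous authentication, so a cipher string such as the ones above can be checked before the service is restarted. The function names and the sample lines are constructed for illustration, and the check assumes the local `openssl` is the same build the DFM web server uses.

```shell
#!/bin/sh
# Usage against a real cipher string (same syntax mod_ssl hands to OpenSSL):
#   openssl ciphers -v 'SSLv3:+HIGH:-MEDIUM:-LOW:-EXP' | weak_ciphers 128

# weak_ciphers MIN_BITS: read `openssl ciphers -v` lines on stdin and print
# "<suite> <reason>" for each suite a scanner would flag.
weak_ciphers() {
    min_bits="${1:-128}"
    awk -v min="$min_bits" '
    NF >= 5 {
        enc = ""; au = ""
        # Columns look like Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 [export]
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Enc=/) enc = substr($i, 5)
            if ($i ~ /^Au=/)  au  = substr($i, 4)
        }
        if (enc == "") next
        bits = 0
        if (match(enc, /\([0-9]+\)/))
            bits = substr(enc, RSTART + 1, RLENGTH - 2) + 0
        reason = ""
        if (enc == "None")   reason = "no-encryption"     # eNULL suites
        else if (bits < min) reason = bits "-bit"
        if (au == "None")                                 # aNULL suites
            reason = (reason == "" ? "" : reason ",") "anonymous"
        if (reason != "") print $1, reason
    }'
}

# Constructed sample in the format `openssl ciphers -v` prints.
sample_output() {
cat <<'EOF'
AES256-SHA      SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA    SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5         SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA     SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5     SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
NULL-SHA        SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
ADH-AES256-SHA  SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
EOF
}

sample_output | weak_ciphers 128
```

An empty result means the string expands to nothing below the threshold; any line printed names a suite that would still be offered.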

Re: DFM SSL weak ciphers

How do I configure it if I want to use cipher strength LOW, which is below 128-bit, in the DFM server?