https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/DFM-SSL-weak-ciphers/m-p/54404#M11316 <HTML><HEAD></HEAD><BODY><P>I just had a security scan and was dinged on SSL ciphers in DFM that were less than 128-bit.&nbsp; So, I know that I can invoke openssl on my DFM server and change this, but is it OK to do so?&nbsp; I want to invoke the following to shut off all ciphers below 128-bit:</P><P></P><P><SPAN style="font-family: courier new,courier;">openssl ciphers -v SSLv3+MEDIUM+HIGH:!SSLv2:!aNULL:!eNULL:@STRENGTH</SPAN></P><P></P><P>Or, do we have a better proceedure in place?&nbsp; Thanks.</P><P></P><P>-todd</P></BODY></HTML> Thu, 05 Jun 2025 06:28:02 GMT kofchur 2025-06-05T06:28:02Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/DFM-SSL-weak-ciphers/m-p/54404#M11316 <HTML><HEAD></HEAD><BODY><P>I just had a security scan and was dinged on SSL ciphers in DFM that were less than 128-bit.&nbsp; So, I know that I can invoke openssl on my DFM server and change this, but is it OK to do so?&nbsp; I want to invoke the following to shut off all ciphers below 128-bit:</P><P></P><P><SPAN style="font-family: courier new,courier;">openssl ciphers -v SSLv3+MEDIUM+HIGH:!SSLv2:!aNULL:!eNULL:@STRENGTH</SPAN></P><P></P><P>Or, do we have a better proceedure in place?&nbsp; Thanks.</P><P></P><P>-todd</P></BODY></HTML> Thu, 05 Jun 2025 06:28:02 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/DFM-SSL-weak-ciphers/m-p/54404#M11316 kofchur 2025-06-05T06:28:02Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/DFM-SSL-weak-ciphers/m-p/54409#M11317 <HTML><HEAD></HEAD><BODY><P>Ok, I got it it figured out:</P><P></P><P>1) edit the ../DFM/conf/http.conf.tmpl file and add the following two lines that are indicated in bold, which will only allow encryption cyphers of 256:</P><P></P><P>...</P><P>@@HTTPS_BEGIN@@</P><P>...</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;VirtualHost_default_:@@HTTPS_PORT@@&gt;&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AddType&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; application/x-x509-ca-cert&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .crt</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AddType&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; application/x-pkcs7-crl&nbsp; .crt</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <STRONG>SSLProtocol -all +SSLv3</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSLCipherSuite SSLv3:+HIGH:-MEDIUM:-LOW:-EXP</STRONG></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;IfModule mod_ssl.c&gt;</P><P>...</P><P></P><P>2)&nbsp; stop and restart http service:&nbsp;&nbsp; dfm service stop http; dfm service start http</P></BODY></HTML> Tue, 22 May 2012 19:36:59 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/DFM-SSL-weak-ciphers/m-p/54409#M11317 kofchur 2012-05-22T19:36:59Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/DFM-SSL-weak-ciphers/m-p/54417#M11318 <HTML><HEAD></HEAD><BODY><P>how do i configure if i want to use cipher strength LOW which is below 128 bit in DFM server ?</P></BODY></HTML> Tue, 26 Feb 2013 15:53:33 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/DFM-SSL-weak-ciphers/m-p/54417#M11318 arjunan 2013-02-26T15:53:33Z