sk147272 is currently the suggested procedure to remove vulnerable SSL ciphers and protocols. sk120774 and sk111307 do a reboot instead of the final steps, sk163542 only shows the current status, and sk126613 uses the cipher tool that only works with MultiPortal enabled. I have summed up information from several sources to get it discussed here:
1. First, see the currently configured cipher string in the template:
[Expert@HostName:0]# grep SSLCipherSuite /web/templates/httpd-ssl.conf.templ
SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5
2. Check which protocol versions that cipher string still allows. The second column of cpopenssl ciphers -v is the lowest protocol version each listed suite requires, so a TLSv1 entry means suites that can be negotiated under TLS 1.0 and 1.1 are still enabled:
[Expert@HostName:0]# cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5' | grep -i tls | awk '{print $2}' | sort --unique
TLSv1
TLSv1.2
TLSv1.3
Make a backup of the original template file before changing anything:
[Expert@HostName:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_ORIGINAL
3. Assign the 'write' permission to the current /web/templates/httpd-ssl.conf.templ file:
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# chmod u+w /web/templates/httpd-ssl.conf.templ
[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ
4. Edit the current /web/templates/httpd-ssl.conf.templ file:
[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ
5. In the SSL Cipher Suite section, change:
from:
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5
To:
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1
(this is the string from sk147272 and the one used in the remaining steps; sk120774 instead suggests: SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1)
Notes:
Verify the new cipher string and the protocol versions it leaves negotiable. With !SHA1 and !MD5 no suite usable under TLS 1.0/1.1 remains, so TLSv1 disappears from the list:
[Expert@HostName:0]# grep SSLCipherSuite /web/templates/httpd-ssl.conf.templ
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1
[Expert@HostName:0]# cpopenssl ciphers -v 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1' | grep -i tls | awk '{print $2}' | sort --unique
TLSv1.2
TLSv1.3
6. Remove the 'write' permission from the /web/templates/httpd-ssl.conf.templ file again:
[Expert@HostName:0]# chmod -v u-w /web/templates/httpd-ssl.conf.templ
7. Update the current configuration of the HTTPD daemon based on the modified configuration template:
[Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active
8. Restart the HTTPD daemon (the first command stops it, the second starts it again):
[Expert@HostName:0]# tellpm process:httpd2
[Expert@HostName:0]# tellpm process:httpd2 t
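The whole procedure above, collected into one script as an added example (this is not code from sk147272 or from Check Point; it is assumed to run as Expert on Gaia, where cpopenssl, template_xlate and tellpm exist, and the file-editing functions also work on any Linux box for testing with a copy of the template). The backup suffix _ORIGINAL, the CPOPENSSL variable and the function names are my own choices:

```shell
#!/bin/sh
# Added example, not the post's or Check Point's own tooling.
# Rewrites the SSLCipherSuite line of an httpd-ssl.conf template in place
# (backup, temporary u+w, restore u-w), verifies what the new cipher string
# still permits, and on Gaia regenerates httpd-ssl.conf and restarts httpd2.

# Cipher string from sk147272 (as quoted in the post).
NEW_SUITE='ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1'

# Print the value of the SSLCipherSuite directive in template $1.
current_suite() {
    grep '^SSLCipherSuite' "$1" | sed 's/^SSLCipherSuite[[:space:]]*//'
}

# Replace the SSLCipherSuite directive in template $1 with cipher string $2.
# Keeps a one-time backup at $1_ORIGINAL (assumed suffix), grants u+w only
# for the edit, removes it again, and fails if the new line is not present.
set_suite() {
    tmpl=$1
    suite=$2
    [ -f "${tmpl}_ORIGINAL" ] || cp -p "$tmpl" "${tmpl}_ORIGINAL" || return 1
    chmod u+w "$tmpl" || return 1
    # '|' as sed delimiter: the cipher string contains ':' and '!' but no '|';
    # writing through cat keeps the file's inode and mode.
    sed "s|^SSLCipherSuite[[:space:]].*|SSLCipherSuite ${suite}|" "$tmpl" > "${tmpl}.tmp" \
        && cat "${tmpl}.tmp" > "$tmpl"
    rc=$?
    rm -f "${tmpl}.tmp"
    chmod u-w "$tmpl"
    [ "$rc" -eq 0 ] || return 1
    # Fixed-string, whole-line match so '+' and '!' are not treated as regex.
    grep -qxF "SSLCipherSuite ${suite}" "$tmpl"
}

# List the lowest protocol version required by every suite the string $1
# enables (second column of 'ciphers -v'). No grep filter is applied, so a
# suite that cpopenssl labels SSLv3 or TLSv1 is not hidden from the result.
# CPOPENSSL (assumed variable) defaults to cpopenssl and falls back to openssl.
suite_protocols() {
    tool=${CPOPENSSL:-cpopenssl}
    command -v "$tool" >/dev/null 2>&1 || tool=openssl
    command -v "$tool" >/dev/null 2>&1 || { echo "no openssl tool found" >&2; return 1; }
    "$tool" ciphers -v "$1" | awk '{print $2}' | sort -u
}

# Return 0 only if nothing below TLSv1.2 survives in cipher string $1.
suite_is_tls12_only() {
    out=$(suite_protocols "$1") || return 1
    ! printf '%s\n' "$out" | grep -qv '^TLSv1\.[23]$'
}

# Gaia-only: apply the new suite to the template, regenerate the active
# httpd-ssl.conf from it and restart httpd2 (commands as in the post).
# Usage: apply_and_restart /web/templates/httpd-ssl.conf.templ
apply_and_restart() {
    set_suite "$1" "$NEW_SUITE" || { echo "template edit failed" >&2; return 1; }
    suite_is_tls12_only "$NEW_SUITE" || { echo "suites below TLSv1.2 still enabled" >&2; return 1; }
    /bin/template_xlate : "$1" /web/conf/extra/httpd-ssl.conf < /config/active || return 1
    tellpm process:httpd2
    tellpm process:httpd2 t
}
```

suite_is_tls12_only makes the check from step 2 an explicit gate: the cipher string does not change the SSLProtocol directive, it only removes suites, and it is the absence of any SHA1 or MD5 suite that leaves TLS 1.0 and 1.1 with nothing to negotiate. If a later template edit re-adds such a suite, the gate fails before httpd2 is restarted.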