Description

This article applies to BoKS versions 6.7.0 and 6.7.1.

I. The OpenSSL version 1.0.1 used in BoKS 6.7 is no longer supported by the
OpenSSL project, meaning that no more security fixes will be released for it.

II. PCI DSS Compliance requires that SSL/TLS encrypted communication must use
TLS version 1.1 or later after 30 June 2018.

III. Compatibility issue with SASL bind over TLS to Active Directory.

Resolution / Workaround

To resolve these issues, apply hotfixes HFBM-0235 / HFBM-0236, available for download from the HelpSystems Community Portal.

Issues I and II are fixed by upgrading the OpenSSL version to 1.0.2n and by adding configuration options for the SSL/TLS protocol version and cipher suites used in SSL/TLS communication. Issue III is fixed by updates to adjoin, adgroup and ldapsearch. See also the special note for ldapsearch below.

The fix is split into two parts:

HFBM-0235 - Server Agent part
HFBM-0236 - Master/Replica part (this hotfix)

Note:
On Masters/Replicas both hotfixes HFBM-0235 and HFBM-0236 should be installed.


New configuration parameters for SSL/TLS servers on Master/Replica
------------------------------------------------------------------

Previously not all BoKS servers using SSL/TLS had the ability to specify an explicit TLS version. With this hotfix BoKS servers using SSL/TLS communication now have a common configuration framework for TLS version and cipher suite. Default values for these parameters can be specified with the BoKS ENV variables BOKSTLS_TLSVER and BOKSTLS_CIPHER_LIST.
If not set, the default values for these variables are:

BOKSTLS_TLSVER=tls1_2
BOKSTLS_CIPHER_LIST=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA

The default values can be overridden by specifying an explicit value for a specific BoKS SSL/TLS server. This is done by replacing the BOKSTLS part of the ENV variable names above with one of the server prefixes from the list below:

AUTOREGISTERD - Auto-registration server
BCCASD - Administration server
CSSPD - BoKS Desktop authentication server
HTTPSRV - Old administration GUI

For example, to override the default TLS version for the auto-registration server:

AUTOREGISTERD_TLSVER=tls1_1

It is also possible to specify multiple versions, separated by commas:

BCCASD_TLSVER=tls1_1,tls1_2

When specifying multiple cipher suites, they should be separated by colons.

Notes for specific services
---------------------------

boks_autoregisterd - Auto-registration
With the hotfix installed and the default configuration, only Server Agents of version 7.1 or later, or Server Agents with hotfix HFBM-0235 installed, can use auto-registration. If compatibility with older unpatched Server Agents is needed, the following configuration parameters can be added to the BoKS ENV file on the Master and failover Master:

AUTOREGISTERD_TLSVER=ssl3,tls1_2
AUTOREGISTERD_CIPHER_LIST=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:AES256-SHA

httpsrv - Old administration GUI
Before this hotfix it was possible to configure the list of cipher suites using the ENV variable HTTPSRV_CIPHERS. This configuration variable is still valid and takes precedence over the new configuration variable HTTPSRV_CIPHER_LIST. To avoid confusion, make sure that only one of the two httpsrv cipher configuration variables is used.

bccasd - FoxT Control Center / Web Services Interface
TLS protocol version 1.2, which is the default after installing this hotfix, does not work with the original version of FoxT Control Center (FCC) and the Web Services Interface (WSI). There are two alternative ways to fix this:
Alt 1. Change the TLS protocol version used by bccasd to TLS 1.0 by adding the BoKS ENV variable BCCASD_TLSVER=tls1 on the Master.
Alt 2. Upgrade the Java runtime used by FoxT Control Center and/or Web Services Interface; see the Knowledge Base articles:

#10534 - FoxT Control Center.
#10535 - Web Services Interface.

ldapsearch - the ldapsearch command is used by the adsync script
To use SASL bind over TLS to Active Directory, the following configuration variable must be added to the $BOKS_etc/ldap.conf file on the Master:

SASL_SECPROPS minssf=56,maxssf=128

See also adsync.cfg(5).

emsldap - Forwarding events from BoKS to LDAP
crldownload_ldap - Download CA CRLs via ldap/ldaps
These programs use the generic SSL/TLS setup built into the OpenLDAP library and can be configured via the $BOKS_etc/ldap.conf file. The TLS protocol version cannot be explicitly specified, but it is possible to force use of the TLS 1.2 protocol by only allowing TLS 1.2 specific ciphers in the TLS_CIPHER_SUITE list in the $BOKS_etc/ldap.conf file.

crldownload_https
The BoKS ENV variables CRLDOWNLOAD_HTTPS_TLSVER and CRLDOWNLOAD_HTTPS_CIPHER_LIST can be used to configure the protocol version and cipher suites. The default global settings from BOKSTLS_TLSVER and BOKSTLS_CIPHER_LIST are NOT used for this service. Also note that only one protocol version can be specified for it.
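The override rules above (BOKSTLS_* defaults, per-server prefixes, the legacy HTTPSRV_CIPHERS precedence, and crldownload_https not inheriting the globals) are easy to get wrong when reviewing an ENV file for PCI DSS. The following script is an added example, not part of the hotfix or of BoKS: it resolves the effective TLS version list per server from KEY=value lines and reports anything below TLS 1.1. It assumes the ENV file is plain KEY=value lines; the sample fragment is constructed.

```python
INHERITING = ("AUTOREGISTERD", "BCCASD", "CSSPD", "HTTPSRV")  # use BOKSTLS_* defaults
BUILTIN_TLSVER = "tls1_2"
BUILTIN_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA"
PCI_OK = {"tls1_1", "tls1_2"}  # PCI DSS: TLS 1.1 or later after 30 June 2018

def parse_env(text):
    """Parse KEY=value lines, skipping blanks, comments and malformed lines."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def effective(env, service):
    """Resolve the TLS versions and cipher list one server will actually use."""
    tlsver = env.get(f"{service}_TLSVER", env.get("BOKSTLS_TLSVER", BUILTIN_TLSVER))
    ciphers = env.get(f"{service}_CIPHER_LIST", env.get("BOKSTLS_CIPHER_LIST", BUILTIN_CIPHERS))
    if service == "HTTPSRV" and "HTTPSRV_CIPHERS" in env:
        ciphers = env["HTTPSRV_CIPHERS"]  # legacy variable takes precedence
    return [v.strip() for v in tlsver.split(",") if v.strip()], ciphers.split(":")

def audit(text):
    """Return {service: [findings]}; an empty list means nothing to report."""
    env = parse_env(text)
    findings = {}
    for svc in INHERITING:
        versions, _ = effective(env, svc)
        findings[svc] = [f"{v} allowed (below TLS 1.1)" for v in versions if v not in PCI_OK]
    if "HTTPSRV_CIPHERS" in env and "HTTPSRV_CIPHER_LIST" in env:
        findings["HTTPSRV"].append("both HTTPSRV_CIPHERS and HTTPSRV_CIPHER_LIST set; only HTTPSRV_CIPHERS is used")
    # crldownload_https: no fallback to BOKSTLS_*, and exactly one version
    crl = env.get("CRLDOWNLOAD_HTTPS_TLSVER")
    if crl is None:
        issues = ["CRLDOWNLOAD_HTTPS_TLSVER not set (BOKSTLS_TLSVER is not inherited)"]
    elif "," in crl:
        issues = ["CRLDOWNLOAD_HTTPS_TLSVER takes a single version only"]
    else:
        issues = [] if crl in PCI_OK else [f"{crl} allowed (below TLS 1.1)"]
    findings["CRLDOWNLOAD_HTTPS"] = issues
    return findings
SAMPLE_ENV = """# constructed sample ENV fragment, not a real BoKS file
AUTOREGISTERD_TLSVER=ssl3,tls1_2
AUTOREGISTERD_CIPHER_LIST=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:AES256-SHA
BCCASD_TLSVER=tls1
HTTPSRV_CIPHERS=AES256-SHA
HTTPSRV_CIPHER_LIST=ECDHE-RSA-AES256-GCM-SHA384
CRLDOWNLOAD_HTTPS_TLSVER=tls1_1,tls1_2
"""
```

Running `audit(SAMPLE_ENV)` flags ssl3 on the auto-registration server and tls1 on bccasd (both page-documented compatibility settings that fall outside the PCI DSS requirement), the duplicate httpsrv cipher variables, and the multi-version crldownload_https setting.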

Notes for specific SSL/TLS client programs
------------------------------------------

boks_autoregister
With this hotfix, by default only TLS 1.2 is supported by the boks_autoregister program. This requires a BoKS 7.1 Master or a BoKS 6.7 Master with hotfix HFBM-0236 installed. To work with a BoKS 7.0 Master or a BoKS 6.7 Master without hotfix HFBM-0236, the boks_autoregister program must be executed in compatibility mode. This is achieved by adding the configuration option COMPAT=1, see boks_autoregister(1).

boks_safeword
The configuration option SSL_PROTO in $BOKS_etc/safeword.cfg now also accepts the value TLSv1_2.

ldapauth
The ldapauth program uses the generic SSL/TLS setup built into the OpenLDAP library and can be configured via the $BOKS_etc/ldap.conf file. The TLS protocol version cannot be explicitly specified, but it is possible to force use of the TLS 1.2 protocol by only allowing TLS 1.2 specific ciphers in the TLS_CIPHER_SUITE list in the $BOKS_etc/ldap.conf file.

boks_sslproxy
Proxy service for telnet over SSL/TLS used by the BoKS Desktop product. The TLS protocol version and cipher suites used can be configured using the ENV variables SSLPROXY_TLSVER and SSLPROXY_CIPHER_LIST respectively. If this service is not used, it can also be uninstalled with the command:

BoKS # proxyuninst


Last Modified On: May 25, 2018