Description

Several vulnerabilities have been reported in the use of the SSL version 3 protocol for web traffic, where the same byte stream (a cookie) is repeated many times and can therefore be subjected to statistical analysis (CVE-2013-2566, CVE-2014-3566).


The successor of the SSL version 3 protocol, TLS version 1.0, includes only minor enhancements, and use of this protocol version is also not recommended.

An unrelated issue with BoKS Password Manager 6.7 is that it has an input limit of 8 characters in the login forms.


Resolution / Workaround

Download and install the hotfix HFBM-0091, available from the HelpSystems Community Portal.

Hotfix HFBM-0091 adds more detailed configuration options for the SSL/TLS protocol used by the BoKS Password Manager daemon, boks_pwmd. Specifically, this hotfix makes it possible to allow only a specific version of the SSL/TLS protocol. By default, the hotfix installation configures boks_pwmd to allow only protocol version TLSv1.1 and the cipher AES128-SHA.
The default configuration can be modified using the $BOKS_etc/ENV variables PWMD_TLSVER and PWMD_CIPHERS.

PWMD_TLSVERS - Default 1.1. Valid values: 1.0, 1.1, 1.2.
PWMD_CIPHERS - Default AES128-SHA. Examples of cipher specifications can be found at https://www.openssl.org/docs/apps/ciphers.html.
Note 1: Valid cipher suites depend on the TLS protocol version selected.
Note 2: The server certificate in the BoKS Master host virtual card uses an RSA key pair, so only cipher suites for RSA certificates can be used.
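The following is an added example, not part of the hotfix or of BoKS itself: an offline sanity check for the two ENV settings that catches the two pitfalls the notes above describe (a suite that needs a non-RSA certificate, and a TLS 1.2-only suite combined with PWMD_TLSVER 1.0 or 1.1). It assumes $BOKS_etc/ENV uses shell-style NAME=value lines and reads both spellings, PWMD_TLSVER and PWMD_TLSVERS, since the notes use both; the sample ENV contents in the test are constructed.

```python
"""Offline sanity check for PWMD_TLSVER / PWMD_CIPHERS in $BOKS_etc/ENV.

Assumption (not from the hotfix notes): the ENV file is shell-style
NAME=value lines. Both PWMD_TLSVER and PWMD_TLSVERS are accepted.
"""
import re

VALID_TLSVERS = {"1.0", "1.1", "1.2"}
# Suites broken by known attacks (RC4 biases are CVE-2013-2566) or with no security.
WEAK = re.compile(r"RC4|DES|NULL|EXPORT|MD5", re.I)
# Suites that need a non-RSA server certificate; the master host card is RSA.
NON_RSA_AUTH = re.compile(r"ECDSA|DSS|PSK|ANON", re.I)
# GCM, CCM, ChaCha20 and SHA-2 HMAC suites exist only from TLS 1.2 onwards.
TLS12_ONLY = re.compile(r"GCM|CCM|CHACHA20|SHA256|SHA384", re.I)


def parse_env(text):
    """Return NAME -> value for shell-style KEY=value lines (comments skipped)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            env[name.strip()] = value.strip().strip('"')
    return env


def audit_pwmd(text):
    """Return a list of findings; an empty list means the settings look sane."""
    env = parse_env(text)
    tlsver = env.get("PWMD_TLSVER", env.get("PWMD_TLSVERS", "1.1"))
    ciphers = env.get("PWMD_CIPHERS", "AES128-SHA")
    findings = []
    if tlsver not in VALID_TLSVERS:
        findings.append(f"PWMD_TLSVER={tlsver!r} is not one of 1.0, 1.1, 1.2")
    elif tlsver == "1.0":
        findings.append("PWMD_TLSVER=1.0 is not recommended; use 1.1 or 1.2")
    # Ignore exclusion entries such as !aNULL; check each positive entry.
    suites = [s for s in ciphers.split(":") if s and not s.startswith(("!", "-"))]
    usable = 0
    for s in suites:
        if WEAK.search(s):
            findings.append(f"{s}: weak or broken cipher suite")
        elif NON_RSA_AUTH.search(s):
            findings.append(f"{s}: needs a non-RSA certificate, unusable with the RSA card")
        elif tlsver in ("1.0", "1.1") and TLS12_ONLY.search(s):
            findings.append(f"{s}: TLS 1.2-only suite, unusable with PWMD_TLSVER={tlsver}")
        else:
            usable += 1
    if not usable:
        findings.append("no usable cipher suite remains for the selected TLS version")
    return findings
```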

The default configuration requires a web browser that supports TLS protocol version 1.1 to access the BoKS Password Manager GUI.

The limit for passwords on the login forms is now 72 characters.

Note: This hotfix requires that Password Manager 6.7 is installed (EXTBM-PWM-1).

Last Modified On: May 30, 2018