Description

Several vulnerabilities have been reported in the use of the SSL version 3
protocol for web traffic: when the same byte stream (such as a cookie) is
repeated many times, the encrypted traffic becomes open to statistical
analysis. See CVE-2013-2566 and CVE-2014-3566.

The successor of the SSL version 3 protocol, TLS version 1.0, includes only minor
enhancements, and the use of this protocol version is also not recommended.

Resolution / Workaround

Hotfix HFBM-0055 adds more detailed configuration options for the SSL/TLS protocol
used in the BoKS Manager GUI, httpsrv. Specifically, this hotfix makes it
possible to only allow a specific version of the SSL/TLS protocol.

The hotfix is available for download from the HelpSystems Community Portal.

The hotfix installation by default configures httpsrv to only allow
protocol version TLSv1.1 and cipher AES128-SHA.

The default configuration can be modified using the $BOKS_etc/ENV variables
HTTPSRV_TLSVER and HTTPSRV_CIPHERS.

HTTPSRV_TLSVER - Default 1.1. Valid values: 1.0, 1.1, 1.2.

HTTPSRV_CIPHERS - Default AES128-SHA. Examples of cipher specifications can be
found at https://www.openssl.org/docs/apps/ciphers.html.

Note 1: Valid cipher suites depend on the TLS protocol version selected.

Note 2: The server certificate in the BoKS Master host virtual card uses an RSA
key-pair, thus only cipher suites for RSA certificates can be used.

The default configuration requires use of a web browser that supports TLS
protocol version 1.1 to access the BoKS Manager GUI.
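The following check is an added example, not part of hotfix HFBM-0055 or of BoKS: it reads HTTPSRV_TLSVER and HTTPSRV_CIPHERS from an ENV file (falling back to the hotfix defaults) and applies Note 1 and Note 2 above. The SUITES table and the SAMPLE_ENV excerpt are constructed for the example; the suite facts are standard OpenSSL cipher names and do not come from the advisory.

```python
# Added example (not part of the hotfix): validate the HTTPSRV_TLSVER and
# HTTPSRV_CIPHERS settings in $BOKS_etc/ENV against the two notes in the advisory.
VALID_TLSVER = ("1.0", "1.1", "1.2")
DEFAULTS = {"HTTPSRV_TLSVER": "1.1", "HTTPSRV_CIPHERS": "AES128-SHA"}
# Constructed lookup table, not from the hotfix: OpenSSL suite name ->
# (lowest TLS version that negotiates it, certificate type it authenticates with).
SUITES = {
    "AES128-SHA": ("1.0", "RSA"),
    "AES128-GCM-SHA256": ("1.2", "RSA"),
    "ECDHE-RSA-AES128-GCM-SHA256": ("1.2", "RSA"),
    "ECDHE-ECDSA-AES128-GCM-SHA256": ("1.2", "ECDSA"),
    "RC4-SHA": ("1.0", "RSA"),
}

def parse_env(text):
    """Parse KEY=VALUE lines of an ENV file; unset keys keep the hotfix defaults."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def check_config(cfg):
    """Return a list of problems; an empty list means the settings are consistent."""
    ver = cfg["HTTPSRV_TLSVER"]
    if ver not in VALID_TLSVER:
        return [f"HTTPSRV_TLSVER={ver!r} is not one of {VALID_TLSVER}"]
    problems = []
    for name in cfg["HTTPSRV_CIPHERS"].split(":"):
        if name not in SUITES:
            problems.append(f"{name}: unknown here, verify with 'openssl ciphers -v'")
            continue
        min_ver, cert_type = SUITES[name]
        if VALID_TLSVER.index(min_ver) > VALID_TLSVER.index(ver):  # Note 1
            problems.append(f"{name}: needs TLS {min_ver}, but HTTPSRV_TLSVER is {ver}")
        if cert_type != "RSA":  # Note 2: the master host certificate is an RSA key-pair
            problems.append(f"{name}: needs a {cert_type} certificate, server uses RSA")
        if "RC4" in name:  # the key-stream bias the advisory cites (CVE-2013-2566)
            problems.append(f"{name}: RC4 key stream is open to statistical analysis")
    return problems

SAMPLE_ENV = """# constructed $BOKS_etc/ENV excerpt, not from a real installation
HTTPSRV_TLSVER=1.1
HTTPSRV_CIPHERS=AES128-SHA:AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
"""

if __name__ == "__main__":
    print("\n".join(check_config(parse_env(SAMPLE_ENV))) or "OK")
```

With the hotfix defaults (no overrides in ENV) the check reports nothing; the constructed excerpt above reports three problems, since two of its suites need TLS 1.2 and one needs an ECDSA certificate.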


Last Modified On: May 25, 2018