
POODLE vulnerability, disabling SSL 3.0, SSL 2.0 and enforcing TLSv1.2 - CASDM

Question asked by AshutoshMisra on Dec 24, 2014
Latest reply on Jul 29, 2015 by phinchey

We have followed the steps provided by the CA Level 2 team as well as CA Support to disable SSL v3.0 on IIS and Tomcat for CA Service Desk Manager r12.7 as well as r12.9.

However, we face a few issues:

1. For IIS, despite having disabled SSL v2.0 / SSL v3.0 and disabled weak ciphers, tests on ssllabs.com still do not detect that SSL v3.0 is "disabled". Has anyone else faced a similar problem? If yes, what was the solution?

For IIS, registry changes were made.

2. For Tomcat, once the steps were performed, I am unable to perform tests on poodlebleed.com and similar sites, since they time out. Also, after the changes to server.xml we have run pdm_configure to redeploy Tomcat, as advised by CA Support, but CASDM over port 8443 still remains inaccessible. When I revert the changes that were done to server.xml, SDM can be accessed over 8443 without any issues. Unsure what's causing the issue here.

To be noted that SDM remains accessible over port 8080 even after the changes to server.xml to disable SSL 3.0!

Changes to server.xml:

Added the below to the snippet for 8443.

```xml
sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2,TLSv1.1" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
```

Thanks,

Ashutosh
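The question is whether SSLv3 is really off on IIS and Tomcat when the external scanners either still report it or time out. As an added example (not code from this thread, from CA or from the SDM product), the following Python script checks a host and port directly: for each protocol version it sends a minimal ClientHello that offers only that version and reports whether the server replied with a ServerHello at that version, sent an alert, or closed the connection. Host and port are assumed to be given on the command line, with the port defaulting to the 8443 connector discussed above.

```python
import os
import socket
import struct

# Protocol versions as they appear on the wire: (major, minor)
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
# A few common RSA / ECDHE CBC suites: enough for a server to pick one if the version is allowed
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0xC013, 0xC014, 0x003C, 0x003D, 0xC027, 0xC028]
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}

def client_hello(version):
    """Build one TLS record carrying a ClientHello that offers only `version`."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!BB", *version) + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")  # cipher suites, null compression
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # type ClientHello, 3-byte length
    return b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Interpret the first record the server sends back (or the lack of one)."""
    if not data:
        return "closed"                       # connection dropped without any reply
    if data[0] == 0x15 and len(data) >= 7:    # alert record: level at [5], description at [6]
        return "alert:" + ALERTS.get(data[6], str(data[6]))
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake record, ServerHello
        chosen = (data[9], data[10])          # server_version sits right after the 4-byte handshake header
        for name, ver in VERSIONS.items():
            if ver == chosen:
                return "accepted:" + name
        return "accepted:unknown(%d,%d)" % chosen
    return "unexpected"

def probe(host, port, name, timeout=5.0):
    """Connect, send the ClientHello for `name`, and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello(VERSIONS[name]))
        try:
            return classify_response(s.recv(4096))
        except socket.timeout:
            return "timeout"

if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    for name in VERSIONS:
        print("%-8s %s" % (name, probe(host, port, name)))
```

Run it against both the 8443 connector and the IIS HTTPS port from a machine that can reach them; "alert:protocol_version" or "closed" for SSLv3 next to "accepted:TLSv1.2" is the result the change is meant to produce, while a timeout on every version means the connector is not answering at all, which is a different problem from the protocol list.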
