Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: How to disable insecure protocols?
Operating Systems AIX How to disable insecure protocols? Post 302962436 by Kumar7997 on Monday 14th of December 2015 04:15:24 PM
Old 12-14-2015
How to disable insecure protocols?
Hello all,

planning to secure AIX sever by disabling insecure protocols/cipher suites; got the below requirements from secuirty team.


1.configure the server to disable support for DES and IDEA cipher suites

2.disable insecure TLS/SSL protocol support
Configure the server to require clients to use TLS version 1.2 using AEAD capable ciphers.

3.disable TLS/SSL support for RC4 ciphers

4.enable support for the below ciphers
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA



I was trying to understand the existing settings using "openssl" command options.

we do not have any web server on AIX servers(only application server and database). I believe application use its own java and SSL.
do we still need disable above settings on AIX ?

Please suggest, if anyone has already worked on these type of requirements.

How to confgiure above settings and how can we revert back if something goes wrong.


**I will try the recommended changes on lab server. its not going to affect any server/app.
 

8 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

network protocols

Which network protocol is used by UNIX systems to make remote file systems appear as if they are local? (2 Replies)
Discussion started by: OLLERTON
2 Replies

2. UNIX for Dummies Questions & Answers

Protocols

What protocol would be the best to use on a network with nt and unix servers and windows me clients? Can SMB protocol be used to implement large networks? What protocol can be used to make remote file systems appear as if they are local? Quite a few questions I know, any help would be... (1 Reply)
Discussion started by: jnash
1 Replies

3. UNIX for Advanced & Expert Users

More command insecure

The more command allows a user to invoke shell. If it is run using the sudo command this will give a user a possibility to run whatever he wants with root's privilegies. Does anybody know about a command with the same abilities that more but without escape to shell? (2 Replies)
Discussion started by: odashe
2 Replies

4. IP Networking

define IP protocols on network

what method would I use to determine which IP protocols network (0 Replies)
Discussion started by: mar mar
0 Replies

5. Cybersecurity

Netfilter conntracking for P2P protocols (edonkey, bittorent...)

Hi everyone, I would like to allow multi users to access P2P networks, so I wonder if there's a way to tracking these kind of protocols with netfilter, and also compatibility with nat, like the module conntrack_ftp seems to do with the FTP protocol. Thanks guys. (0 Replies)
Discussion started by: nekkro-kvlt
0 Replies

6. Shell Programming and Scripting

How to disable Enable/Disable Tab Key

Hi All, I have bash script, so what is sintax script in bash for Enable and Disable Tab Key. Thanks for your help.:( Thanks, Rico (1 Reply)
Discussion started by: carnegiex
1 Replies

7. IP Networking

what are L2,L3 protocols.

hello forum members, What are L2 and L3 Protocols and can u brief me a bit little ie to gain a basic knowledge. Thanks & Regards Rajkumar g (1 Reply)
Discussion started by: rajkumar_g
1 Replies

8. Red Hat

SSL/TLS renegotiation DoS -how to disable? Is it advisable to disable?

Hi all Expertise, I have following issue to solve, SSL / TLS Renegotiation DoS (low) 222.225.12.13 Ease of Exploitation Moderate Port 443/tcp Family Miscellaneous Following is the problem description:------------------ Description The remote service encrypts traffic using TLS / SSL and... (2 Replies)
Discussion started by: manalisharmabe
2 Replies

LEARN ABOUT OSX

ssl_ctx_new

SSL_CTX_new(3)							      OpenSSL							    SSL_CTX_new(3)

NAME

       SSL_CTX_new - create a new SSL_CTX object as framework for TLS/SSL enabled functions

SYNOPSIS

	#include <openssl/ssl.h>

	SSL_CTX *SSL_CTX_new(SSL_METHOD *method);

DESCRIPTION

       SSL_CTX_new() creates a new SSL_CTX object as framework to establish TLS/SSL enabled connections.

NOTES

       The SSL_CTX object uses method as connection method. The methods exist in a generic type (for client and server use), a server only type,
       and a client only type. method can be of the following types:

       SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)
	   A TLS/SSL connection established with these methods will only understand the SSLv2 protocol. A client will send out SSLv2 client hello
	   messages and will also indicate that it only understand SSLv2. A server will only understand SSLv2 client hello messages.

       SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
	   A TLS/SSL connection established with these methods will only understand the SSLv3 protocol. A client will send out SSLv3 client hello
	   messages and will indicate that it only understands SSLv3. A server will only understand SSLv3 client hello messages. This especially
	   means, that it will not understand SSLv2 client hello messages which are widely used for compatibility reasons, see SSLv23_*_method().

       TLSv1_method(void), TLSv1_server_method(void), TLSv1_client_method(void)
	   A TLS/SSL connection established with these methods will only understand the TLSv1 protocol. A client will send out TLSv1 client hello
	   messages and will indicate that it only understands TLSv1. A server will only understand TLSv1 client hello messages. This especially
	   means, that it will not understand SSLv2 client hello messages which are widely used for compatibility reasons, see SSLv23_*_method().
	   It will also not understand SSLv3 client hello messages.

       SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
	   A TLS/SSL connection established with these methods will understand the SSLv2, SSLv3, and TLSv1 protocol. A client will send out SSLv2
	   client hello messages and will indicate that it also understands SSLv3 and TLSv1. A server will understand SSLv2, SSLv3, and TLSv1
	   client hello messages. This is the best choice when compatibility is a concern.

       The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the
       SSL_CTX_set_options() or SSL_set_options() functions. Using these options it is possible to choose e.g. SSLv23_server_method() and be able
       to negotiate with all possible clients, but to only allow newer protocols like SSLv3 or TLSv1.

       SSL_CTX_new() initializes the list of ciphers, the session cache setting, the callbacks, the keys and certificates, and the options to its
       default values.

RETURN VALUES

       The following return values can occur:

       NULL
	   The creation of a new SSL_CTX object failed. Check the error stack to find out the reason.

       Pointer to an SSL_CTX object
	   The return value points to an allocated SSL_CTX object.

SEE ALSO

       SSL_CTX_free(3), SSL_accept(3), ssl(3),	SSL_set_connect_state(3)

50								    2013-03-05							    SSL_CTX_new(3)
All times are GMT -4. The time now is 04:58 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy