
Disabling Weak Ciphers and SSL v2 on WCS

pablo1711
Level 1

Hi,

We are running a WCS appliance (Upgraded from WLSE) v4.2.62.0

This is running a Linux Distro and I have found reference to a file called ssl.conf from within httpd.conf for the SSL settings.

Within this file is the Cipher setup string which includes LOW and SSLv2. I have tried removing this reference, as well as adding a ! before each statement (apparently killing this option).

When I reboot the device I check the SSL.CONF file and it remains as is. I then scan the appliance and get a report back about weak ciphers and when I next check the SSL.CONF file it has "magically" reverted back to the original file.

So does anyone know HOW I can modify this? I have tried making the file read-only which doesn't help.

Regards

Paul

2 Replies

ericgarnel
Level 7

You can place the WCS appliance behind an Apache server and use the Apache proxy function to set the SSL cipher level. I know this is a round-about way of doing it, but it provides for more control, security and customization.

http://httpd.apache.org/docs/2.0/mod/mod_proxy.html

http://www.google.com/search?q=apache+proxy+setup&sourceid=navclient-ff&ie=UTF-8&rlz=1B3GGGL_enUS203US203&aq=t

Well I have partially got around this now.

Inside the relevant folders there is a backup folder. By copying the changes into the file in this folder it seems to work. So from what I can fathom upon boot and service start the files are copied from the backup folder and these are the ones used for the service.

The only problem is I now need MOD_REWRITE to disable Track/Trace but the WCS didn't have this compiled.

I wish Cisco would harden their servers (well appliances really) more or at least give the administrators a way to lock these down.
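An added example, not part of the thread and not Cisco's code: a Python check that evaluates the `SSLCipherSuite` and `SSLProtocol` lines of an ssl.conf and reports whether LOW, export-grade or SSLv2 ciphers are still selectable. It assumes the OpenSSL and mod_ssl behaviour of the Apache 2.0 era (`ALL` includes weak classes, `SSLProtocol all` includes SSLv2); the function names are hypothetical and the sample strings are constructed, not taken from a WCS appliance.

```python
import re

WEAK = ("LOW", "EXP", "SSLv2")   # classes named in the thread, plus export-grade
ALIASES = {"EXPORT": "EXP"}      # OpenSSL accepts both spellings

def weak_classes(cipher_string):
    """Evaluate a cipher string left to right; return weak classes still selectable.
    '!' removes permanently, '-' removes until re-added, '+' only reorders."""
    state = dict.fromkeys(WEAK, "absent")
    for item in re.split(r"[:, ]+", cipher_string.strip()):
        if not item or item.startswith("@"):      # skip blanks and @STRENGTH
            continue
        op = item[0] if item[0] in "!-+" else ""
        parts = [ALIASES.get(p, p) for p in item[len(op):].split("+")]
        for w in WEAK:
            if state[w] == "killed":              # a later add cannot revive it
                continue
            if op == "!" and parts == [w]:
                state[w] = "killed"
            elif op == "-" and parts == [w]:
                state[w] = "absent"
            elif op == "" and (w in parts or parts == ["ALL"]):
                state[w] = "present"
    return [w for w in WEAK if state[w] == "present"]

def sslv2_enabled(protocol_args):
    """SSLProtocol: '+' adds, '-' removes, a bare name replaces the whole set."""
    enabled = False
    for tok in protocol_args.split():
        covers = tok.lstrip("+-").lower() in ("all", "sslv2")
        if tok[0] == "-":
            enabled = enabled and not covers
        else:
            enabled = covers or (tok[0] == "+" and enabled)
    return enabled

def audit(conf_text):
    """Use the last active directive of each kind; commented-out lines are ignored."""
    found = {"sslciphersuite": "ALL", "sslprotocol": "all"}  # assumed 2.0-era defaults
    for line in conf_text.splitlines():
        m = re.match(r"\s*(SSLCipherSuite|SSLProtocol)\s+(.+)", line, re.I)
        if m:
            found[m.group(1).lower()] = m.group(2).strip()
    return {"weak_ciphers": weak_classes(found["sslciphersuite"]),
            "sslv2_protocol": sslv2_enabled(found["sslprotocol"])}

# Constructed samples in the style of an Apache 2.0 ssl.conf.
ORIGINAL = "SSLProtocol all\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP\n"
TRIMMED  = "SSLProtocol all\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM\n"
EXCLUDED = "SSLProtocol all -SSLv2\nSSLCipherSuite HIGH:!aNULL:!LOW:!SSLv2:!EXP\n"
```

`TRIMMED` shows that deleting the `+LOW` and `+SSLv2` entries changes nothing while `ALL` is present; only the `!` exclusions in `EXCLUDED` clear the report. Running `audit()` on both the live ssl.conf and the copy in the backup folder shows whether the two have drifted apart.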
