SSL / TLS Settings
The Stratusphere appliances ship with older versions of SSL and TLS enabled for maximum compatibility with older Microsoft Windows-based machines that still run legacy browsers such as Internet Explorer 10 and older. On those machines the CID Key also uses the existing Microsoft Internet Explorer download framework, which forces Stratusphere to ship with older versions of SSL and TLS enabled. If legacy browsers are still in use, these settings need to stay in place. If all legacy browsers have been phased out, these settings can and should be hardened for a more secure posture. The settings must be updated manually on the Hub and on each installed Collector appliance.
Here are instructions on how to edit the configuration file on the Hub and each Collector to change these settings:
- On the Stratusphere Hub and each Collector appliance:
- Open a command line console to the appliance.
- Use User ID: ‘friend’ and enter your enhanced security STIG compliant password to log in.
- Use the command ‘su -’ and enter your enhanced security STIG compliant password to switch to root.
- Use the vi command to edit the /etc/lwl/httpd/httpd.conf file.
- > vi /etc/lwl/httpd/httpd.conf
- Use the ‘/’ key to type and search for “SSLProtocol” – this is case sensitive.
- When found, go into insert or append mode by pressing either the ‘i’ or the ‘a’ key.
- Update the default line
- From “SSLProtocol All -SSLv2 -SSLv3”
- To “SSLProtocol TLSv1.2”
- This would enable only TLS v1.2 on the Stratusphere appliance.
- Use the Escape key and enter ‘:wq!’ to write and quit.
- Restart the Web Server to load the newly updated settings:
- > /etc/init.d/httpd restart
- Enter CTRL+D twice to log out of the console.
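To confirm the edit on the Hub and on each Collector, the following added example (not part of the original instructions or the product's own tooling) checks every active SSLProtocol line in an httpd.conf-style file and reports any that leave a protocol other than TLS v1.2 enabled. The function names and the sample files are constructed for illustration, and the token handling is a simplified model of Apache's SSLProtocol syntax.

```shell
#!/bin/sh
# Added example: audit SSLProtocol lines in an httpd.conf-style file.
# Simplified model of Apache's syntax (an assumption): "All" enables every
# protocol in ALL_PROTOS, "+X" adds X, "-X" removes X, a bare "X" replaces the set.
ALL_PROTOS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# Print the protocols left enabled by one SSLProtocol argument list.
enabled_protocols() {
    enabled=""
    for tok in "$@"; do
        case "$tok" in
            [Aa][Ll][Ll]|+[Aa][Ll][Ll]) enabled="$ALL_PROTOS" ;;
            -*) name=${tok#-}; kept=""
                for p in $enabled; do
                    [ "$p" = "$name" ] || kept="$kept $p"
                done
                enabled="$kept" ;;
            +*) enabled="$enabled ${tok#+}" ;;
            *)  enabled="$tok" ;;
        esac
    done
    echo $enabled   # unquoted on purpose: collapses extra spaces
}

# Return 0 if every active (uncommented) SSLProtocol line in file $1 leaves
# only TLSv1.2 enabled; otherwise print the weak lines and return 1.
audit_ssl_protocol() {
    conf=$1; status=0; found=0
    while read -r directive args; do
        [ "$directive" = "SSLProtocol" ] || continue
        found=1
        result=$(enabled_protocols $args)
        if [ "$result" != "TLSv1.2" ]; then
            echo "WEAK: SSLProtocol $args -> enables: $result"
            status=1
        fi
    done < "$conf"
    [ "$found" -eq 1 ] || { echo "no active SSLProtocol line in $conf"; status=1; }
    return $status
}

# Constructed sample files (not copied from a real appliance).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'SSLEngine on' 'SSLProtocol All -SSLv2 -SSLv3' > "$tmp/default.conf"
printf '%s\n' '#SSLProtocol All -SSLv2 -SSLv3' '  SSLProtocol TLSv1.2' > "$tmp/hardened.conf"

audit_ssl_protocol "$tmp/default.conf"  || echo "default.conf still allows legacy protocols"
audit_ssl_protocol "$tmp/hardened.conf" && echo "hardened.conf allows TLSv1.2 only"
```

On an appliance, the same function can be pointed at /etc/lwl/httpd/httpd.conf after the edit and before the web server restart.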