Disabling SSLv3 for SFCB

  • 7024482
  • 11-Mar-2020
  • 26-May-2021

Environment


Open Enterprise Server 2018 (OES 2018) Linux
Open Enterprise Server 2018 (OES 2018) SP1 Linux
Open Enterprise Server 2018 (OES 2018) SP2 Linux

Situation

A scan showed that SFCB was using SSLv3, which needs to be disabled.
The scan specifically flagged SSLv3 on port 5989. On an OES server, that port is assigned to SFCB.


Resolution

On OES2018 and newer, TLSv1.2 is supported, so it is possible to disable SSLv3. This is not possible on earlier systems such as OES2015 SP1 or the OES11 servers.

On OES2018 and newer, setting these lines in /etc/sfcb/sfcb.conf makes the required change:
sslCiphers: TLSv1.2:!ADH:!LOW:!EXP:!MD5:@STRENGTH
sslNoSSLv3: true
Change the lines and restart sfcb or restart the server.

OES 2018 SP2 after update 4 has an additional config file located in /etc/sfcb. Engineering added an sfcb.cfg.rpmnew file, which replaces sfcb.cfg once the needed changes have been made to it.
Make a backup of the current sfcb.cfg file.
Then edit sfcb.cfg.rpmnew, find the ciphers line and change it to:
sslCiphers: TLSv1.2:!ADH:!LOW:!EXP:!MD5:@STRENGTH

In the following paragraph of the file, locate these three lines and unremark (uncomment) them:

sslNoSSLv3: false
sslNoTLSv1: false
sslNoTLSv1_1: false

and set them to true:

sslNoSSLv3: true
sslNoTLSv1: true
sslNoTLSv1_1: true

Save the file, then rename the new config file to replace the old config file:
mv sfcb.cfg.rpmnew sfcb.cfg

Run the command to restart sfcb:
systemctl restart sfcbd
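
To confirm that the edited file really carries the settings above, the following audit script can be run against it. It is an added example, not part of the original article or the product; the function names `sfcb_get` and `sfcb_audit` are hypothetical, and it assumes that remarked lines start with `#` and that the last unremarked occurrence of a key is the effective one.

```shell
#!/bin/sh
# Added example: audit an sfcb config file for the settings in this article.
# Assumptions: remarked lines start with '#'; if a key is repeated, the last
# unremarked occurrence is treated as the effective one.
WANT_CIPHERS='TLSv1.2:!ADH:!LOW:!EXP:!MD5:@STRENGTH'

# Print the effective value of key $2 in file $1 (empty if absent or remarked).
sfcb_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            i = index($0, ":"); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) found = v
        }
        END { print found }
    ' "$1"
}

# Return 0 if file $1 is hardened; otherwise print findings and return 1.
sfcb_audit() {
    cfg=$1; rc=0
    for key in sslNoSSLv3 sslNoTLSv1 sslNoTLSv1_1; do
        val=$(sfcb_get "$cfg" "$key")
        if [ "$val" != "true" ]; then
            echo "FAIL $key is '${val:-unset or remarked}', expected true"
            rc=1
        fi
    done
    val=$(sfcb_get "$cfg" sslCiphers)
    if [ "$val" != "$WANT_CIPHERS" ]; then
        echo "FAIL sslCiphers is '${val:-unset}', expected $WANT_CIPHERS"
        rc=1
    fi
    return $rc
}

# Constructed sample: ciphers already changed, protocol lines still remarked.
demo=$(mktemp)
printf '%s\n' "sslCiphers: $WANT_CIPHERS" \
    '#sslNoSSLv3: false' '#sslNoTLSv1: false' '#sslNoTLSv1_1: false' > "$demo"
sfcb_audit "$demo" || echo "=> sample config still needs the changes"
rm -f "$demo"
```

On the server, call `sfcb_audit /etc/sfcb/sfcb.cfg`. Once sfcbd has restarted, a handshake to port 5989 with `openssl s_client -tls1_1` should be refused while `-tls1_2` succeeds.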