Environment
Open Enterprise Server 2018 (OES 2018) Linux
Open Enterprise Server 2018 (OES 2018) SP1 Linux
Open Enterprise Server 2018 (OES 2018) SP2 Linux
Situation
A scan showed that SFCB was using SSLv3 and this needs to be disabled.
The scan specifically showed SSLv3 needs to be disabled on port 5989. Researching this port shows that on an OES server that port is assigned to SFCB.
Resolution
On OES2018 and newer, TLSv1.2 is supported, so it is possible to disable SSLv3. This is not possible on earlier systems such as OES2015 SP1 or the OES11 servers.
On OES2018 and newer, these lines in /etc/sfcb/sfcb.conf make the required change:
sslCiphers: TLSv1.2:!ADH:!LOW:!EXP:!MD5:@STRENGTH
sslNoSSLv3: true
Change the lines as shown, then restart sfcb or restart the server.
OES 2018 SP2 after update 4 has an additional config file located in /etc/sfcb. Engineering added an sfcb.cfg.rpmnew file, which replaces sfcb.cfg once the needed configuration changes have been made to it.
Make a backup of the current sfcb.cfg file.
Then edit sfcb.cfg.rpmnew.
Find the ciphers line and change it to:
sslCiphers: TLSv1.2:!ADH:!LOW:!EXP:!MD5:@STRENGTH
In the paragraph that follows, locate these three lines and uncomment them:
sslNoSSLv3: false
sslNoTLSv1: false
sslNoTLSv1_1: false
and set them to true:
sslNoSSLv3: true
sslNoTLSv1: true
sslNoTLSv1_1: true
Save the file, then rename the new config file to replace the old config file:
mv sfcb.cfg.rpmnew sfcb.cfg
Run the command to restart sfcb:
systemctl restart sfcbd
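The edits above can be checked before and after the rename with a small audit script. This is an added example, not part of the original article or of sfcb; the helper names sfcb_get and check_sfcb_tls are hypothetical, and it assumes the last uncommented occurrence of a key is the one that takes effect.

```shell
#!/bin/sh
# Audit an sfcb config file for the TLS settings described in this article.
# sfcb_get and check_sfcb_tls are hypothetical helper names, not sfcb tools.

# Print the value of KEY from FILE, ignoring commented-out lines.
# Assumption: if a key appears more than once, the last occurrence wins.
sfcb_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            n = index($0, ":")          # split on the first colon only,
            if (n == 0) next            # since cipher strings contain colons
            k = substr($0, 1, n - 1)
            v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Return 0 only if all three protocol switches are uncommented and true
# and the cipher string starts with TLSv1.2.
check_sfcb_tls() {
    cfg=$1
    rc=0
    for key in sslNoSSLv3 sslNoTLSv1 sslNoTLSv1_1; do
        val=$(sfcb_get "$cfg" "$key")
        if [ "$val" != "true" ]; then
            echo "FAIL $key is '${val:-unset or commented out}', expected 'true'"
            rc=1
        fi
    done
    ciphers=$(sfcb_get "$cfg" sslCiphers)
    case $ciphers in
        TLSv1.2:*) ;;
        *) echo "FAIL sslCiphers is '${ciphers:-unset}', expected TLSv1.2:..."
           rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK $cfg"
    return "$rc"
}

# Stand-alone use: sh check_sfcb.sh /etc/sfcb/sfcb.cfg
if [ "$#" -gt 0 ]; then
    check_sfcb_tls "$1"
fi
```

Running it against sfcb.cfg.rpmnew before the mv catches a line that was edited but left commented out, which would otherwise leave the old protocol enabled after the restart.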