Disable SSLv3 and Enable TLS 1.2?

Travis_Truttschel · May 13, 2014, 1:40am

Hello All,

I have a openfire 3.9.x installation on an ubuntu server, I am running openssl version 1.0.1c, and ubuntu server version 12.10. The server is running Oracle 7 JDK for its java runtime enviroment.

I have a CA Signed certificate via PositiveSSL that is installed in Openfire, and working properly.

However, my question is how to disable SSLv3, and enable TLS 1.2?

I have been using a server scanner, which shows that my server has SSLv3 enabled, and TLS 1.1 and 1.2 disabled.

Along with this, but not to get too far off topic, I have noticed three insecure cyphers are currently enabled as well, and would like to disable them. The three in question are:

ECDHE-RSA-DES-CBC3-SHA (0xc012)

EDH-RSA-DES-CBC3-SHA (0x16)

DES-CBC3-SHA (0xa)

I look foreward to hearing from you, if you require any further information, just ask.

Travis_Truttschel · May 13, 2014, 3:22pm

Just in case anyone else ever faces this issue.

Did the following

Install the latest openssl build just for safety sake.

sudo apt-get purge openssl

sudo apt-get clean

wget (long openssl tar.gz url for 1.0.1g)

tar -zxvf (openssl file)

./config no-sslv2 no-sslv3 (so that we get rid of the old versions from the getgo)

make

checkinstall (because checkinstall does a nice job of making a easy .deb package)

(then update the path to use the new ssl version, you can go to openssl for a better tutorial)

After this, I then downloaded the openfire source, and compiled it on JDK Oracle 7 with OpenSSL version 1.0.1g

The old cyphers are gone, and SSLv2 and SSLv3 are disabled because openssl no longer has them.

**So in the end, the easiest way was to just compile it all from source.
**

LG1 · May 13, 2014, 6:45pm

No idea how this works as the JRE does not use OpenSSL.