powered by Jive Software

Disable SSLv3 and Enable TLS 1.2?

Hello All,

I have a openfire 3.9.x installation on an ubuntu server, I am running openssl version 1.0.1c, and ubuntu server version 12.10. The server is running Oracle 7 JDK for its java runtime enviroment.

I have a CA Signed certificate via PositiveSSL that is installed in Openfire, and working properly.

However, my question is how to disable SSLv3, and enable TLS 1.2?

I have been using a server scanner, which shows that my server has SSLv3 enabled, and TLS 1.1 and 1.2 disabled.

Along with this, but not to get too far off topic, I have noticed three insecure cyphers are currently enabled as well, and would like to disable them. The three in question are:

ECDHE-RSA-DES-CBC3-SHA (0xc012)

EDH-RSA-DES-CBC3-SHA (0x16)

DES-CBC3-SHA (0xa)

I look foreward to hearing from you, if you require any further information, just ask.

Just in case anyone else ever faces this issue.

Did the following

Install the latest openssl build just for safety sake.

sudo apt-get purge openssl

sudo apt-get clean

wget (long openssl tar.gz url for 1.0.1g)

tar -zxvf (openssl file)

./config no-sslv2 no-sslv3 (so that we get rid of the old versions from the getgo)

make

checkinstall (because checkinstall does a nice job of making a easy .deb package)

(then update the path to use the new ssl version, you can go to openssl for a better tutorial)

After this, I then downloaded the openfire source, and compiled it on JDK Oracle 7 with OpenSSL version 1.0.1g

The old cyphers are gone, and SSLv2 and SSLv3 are disabled because openssl no longer has them.

**So in the end, the easiest way was to just compile it all from source.
**

No idea how this works as the JRE does not use OpenSSL.

1 Like