Security hardening: policy console web interface to TLS 1.2 only

For security hardening, reconfigure the Policy Console web interface to accept only TLS 1.2 and to refuse SSL 3.0, TLS 1.0, and TLS 1.1.

Step-by-step guide

Edit the configuration file:

Edit the /etc/apache2/sites-available/mocana-map-ssl.conf file on the Policy Console (use "vi" or other text editor):

sudo vi /etc/apache2/sites-available/mocana-map-ssl.conf

Change this entry:

SSLProtocol +SSLv3 +TLSv1

To this:

SSLProtocol +TLSv1.2


Restart Apache so the new SSLProtocol setting takes effect:

sudo service apache2 restart


Verify:

There are several ways to verify which protocol is in use or allowed, including the Chrome web browser or the command-line openssl tool. Check both halves of the change: that TLS 1.2 is negotiated, and that the legacy protocols are refused.

Using the Chrome web browser for verification (details may vary per browser)

  • Open the page to the console web interface, https://10.42.47.208/
  • Click on the lock icon to the left of the URL, or the "Not Secure" red triangle icon.
  • Click details.
  • There will be a block in the right pane showing either "Secure Connection" or "Obsolete Connection Settings" (exact text varies depending on web browser version).
  • Note that there may be a "Certificate Error" if a default self-signed certificate is in use, as there is no Certificate Authority that can be used to establish trust.
  • Ensure that "Secure Connection" shows the TLS 1.2 protocol in use.
    • The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM).

Using the command-line OpenSSL tools, verify that TLS 1.2 establishes a connection (a cipher is negotiated) and that the legacy protocols cannot (no cipher is negotiated, shown as zeros). The following examples show the relevant extracts from the command output:

$ openssl s_client -connect 10.42.47.208:443 -tls1_2
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    ...
$ openssl s_client -connect 10.42.47.208:443 -tls1
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
$ openssl s_client -connect 10.42.47.208:443 -ssl3
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
$ openssl s_client -connect 10.42.47.208:443 -tls1_1
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
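The four s_client checks above can be run and graded in one pass. The script below is an added example, not part of the original page: it wraps openssl s_client for each protocol flag the page lists and classifies each transcript the way the page does (a "Cipher : 0000" line, or no cipher line at all, means the server refused that protocol). It assumes openssl is on PATH; the function names parse_session, probe and audit are this example's own, and the host 10.42.47.208 is the page's Policy Console address. It also handles one case the page does not show: when the local openssl build no longer supports a legacy protocol, s_client prints no SSL-Session block at all, and the script reports that as untested rather than as proof that the server rejects it.

```shell
#!/bin/sh
# Added example (not part of the original page): drive the openssl s_client checks
# for every protocol the page names and grade each result the way the page does,
# i.e. "Cipher : 0000" (or no cipher line) means the server refused the handshake.

# parse_session: read one s_client transcript on stdin and print a one-line verdict.
#   negotiated <protocol> <cipher>   a session was established
#   rejected <protocol>              the server would not speak that protocol
#   untested                         no SSL-Session block at all (connection refused,
#                                    or this openssl build lacks the legacy protocol)
parse_session() {
    awk '
        /^[[:space:]]*Protocol[[:space:]]*:/ { proto = $3 }
        /^[[:space:]]*Cipher[[:space:]]*:/   { cipher = $3 }
        END {
            if (proto == "" && cipher == "") {
                print "untested"
            } else if (cipher == "" || cipher == "0000") {
                print "rejected " proto
            } else {
                print "negotiated " proto " " cipher
            }
        }'
}

# probe HOST PORT FLAG: run s_client with one protocol flag and grade the outcome.
# stdin comes from /dev/null so s_client exits right after the handshake attempt;
# stderr is discarded because the verdict is taken from the SSL-Session block.
probe() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>/dev/null | parse_session
}

# audit HOST [PORT]: TLS 1.2 must negotiate and SSLv3, TLS 1.0 and TLS 1.1 must all
# be rejected, matching "SSLProtocol +TLSv1.2". Returns 0 only if every check holds.
audit() {
    host=$1
    port=${2:-443}
    status=0

    verdict=$(probe "$host" "$port" -tls1_2)
    case $verdict in
        negotiated*) echo "PASS -tls1_2: $verdict" ;;
        *)           echo "FAIL -tls1_2: $verdict"; status=1 ;;
    esac

    for flag in -ssl3 -tls1 -tls1_1; do
        verdict=$(probe "$host" "$port" "$flag")
        case $verdict in
            rejected*) echo "PASS $flag: $verdict" ;;
            untested)  echo "WARN $flag: client cannot attempt it; this is not proof the server rejects it" ;;
            *)         echo "FAIL $flag: $verdict"; status=1 ;;
        esac
    done
    return $status
}

# Usage: sh tls-audit.sh 10.42.47.208 [443]
# Nothing is probed when the script is run without a host argument.
if [ $# -ge 1 ]; then
    audit "$@"
fi
```

A WARN line for -ssl3 is common on current distributions, whose OpenSSL is built without SSLv3 client support; in that case the browser check above, or an older client, is the only way to confirm the server side refuses it.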