For security hardening, reconfigure the Policy Console to use only TLS 1.2 and not to allow SSL 3.0, TLS 1.0, or TLS 1.1.
Edit the configuration file:
Edit the /etc/apache2/sites-available/mocana-map-ssl.conf file on the Policy Console (use vi or another text editor):
Change this entry:
There are several ways to verify which protocol is used or allowed, including the Chrome web browser or the command-line openssl tool. You should also verify that the legacy protocols are disallowed, not only that TLS 1.2 works.
Using the Chrome web browser for verification (details may vary per browser)
- Open the console web interface in the browser.
- Click the lock icon to the left of the URL, or the "Not Secure" red triangle icon.
- Click Details.
- A block in the right pane shows either "Secure Connection" or "Obsolete Connection Settings" (exact text varies depending on the web browser version).
- Note that there may be a "Certificate Error" if the default self-signed certificate is in use, as there is no Certificate Authority that can be used to establish trust.
- Ensure that "Secure Connection" shows the TLS 1.2 protocol in use, for example:
- "The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM)."
Use the command-line OpenSSL tools to verify that TLS 1.2 establishes a connection (that is, a cipher is negotiated) and that the legacy protocols are unable to establish a connection (that is, no cipher is negotiated and the cipher shows as zeros). The following examples show relevant extracts from the command responses:
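The following script automates the openssl check described above for all four protocol versions. It is an added example, not part of the Mocana documentation; the host and port are placeholders, and the two sample transcripts are constructed to match the success and failure shapes that openssl s_client prints.

```shell
#!/bin/sh
# Added example (not Mocana's own code): probe a Policy Console with
# openssl s_client once per protocol version and report which ones it accepts.

# Constructed sample transcripts, in the shape openssl s_client prints.
SAMPLE_NEGOTIATED='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)
Protocol  : TLSv1
Cipher    : 0000'

# Classify one s_client transcript: "negotiated" when a cipher was agreed,
# "refused" when the handshake failed (cipher shows (NONE) / 0000),
# "unsupported" when the local openssl build lacks that protocol flag.
classify_handshake() {
    out="$1"
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo unsupported
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo refused
    elif printf '%s\n' "$out" | grep -Eq 'Cipher is [A-Z0-9-]+'; then
        echo negotiated
    else
        echo refused
    fi
}

# Probe one protocol version; flag is -ssl3, -tls1, -tls1_1 or -tls1_2.
probe_protocol() {
    host="$1"; port="$2"; flag="$3"
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
    classify_handshake "$out"
}

# A hardened console should negotiate only with -tls1_2; exits 1 otherwise.
check_console() {
    host="$1"; port="${2:-443}"; rc=0
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        result=$(probe_protocol "$host" "$port" "$flag")
        if [ "$flag" = -tls1_2 ]; then want=negotiated; else want=refused; fi
        if [ "$result" = "$want" ]; then status=OK; else status=FAIL; rc=1; fi
        printf '%-8s %-11s %s\n' "$flag" "$result" "$status"
    done
    return $rc
}

# Usage (placeholder host): check_console policy-console.example.internal 443
```

A protocol reported as "unsupported" means the workstation's openssl cannot speak it at all, so that row proves nothing about the console; run that probe from a host whose openssl build includes the legacy protocol.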