Lenovo Software Helpdesk

excludeProtocols - includeProtocols - allowCiphers - denyCiphers config files

Starting with webNetwork (now Unified Workspace) 6.2.1.186, there are four configuration files that can be used to turn various protocols and ciphers on or off.

The following configuration is recommended up to release 6.4.4.x of UW.

/stoneware/config/excludeProtocols
SSLv3
SSL
SSLv2
SSLv2Hello

/stoneware/config/includeProtocols - delete this file

/stoneware/config/allowCiphers - delete this file

/stoneware/config/denyCiphers
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

As of UW release 6.4.4.x, the following configuration is recommended.

/stoneware/config/excludeProtocols
TLSv1
SSLv3
SSL
SSLv2
SSLv2Hello

/stoneware/config/includeProtocols - leave this file empty

/stoneware/config/allowCiphers
TLS_DHE_RSA.*
TLS_ECDHE.*

/stoneware/config/denyCiphers
.*NULL.*
.*RC4.*
.*MD5.*
.*DES.*
.*DSS.*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Any change to these files requires webNetwork to be shut down and started back up before it takes effect.

If you want to validate the protocols and ciphers the server is offering, you can use a program like Nmap to query the webNetwork server. Running the following from the command line: nmap --script ssl-enum-ciphers -p 443 mysystem.example-cloud.com will list something like:

Starting Nmap 6.47 ( http://nmap.org ) at 2016-06-17 11:36 Eastern Daylight Time
Nmap scan report for mysystem.example-cloud.com (172.16.1.1)
Host is up (0.0019s latency).

PORT    STATE SERVICE
443/tcp open  https

| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors: 
|       NULL
|_  least strength: strong
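To turn the 6.4.4.x configuration above and the Nmap check into a repeatable comparison, here is an added Python example (not part of this article or of the webNetwork product) that parses ssl-enum-ciphers output in the format shown and reports which offered protocols and cipher suites the excludeProtocols/allowCiphers/denyCiphers files should have removed. It assumes that a suite must match an allowCiphers pattern and no denyCiphers pattern (deny wins), that the patterns are full-string regular expressions, and that Nmap's "TLSv1.0" is the configuration's "TLSv1"; the scan excerpt and the abridged denyCiphers list are constructed for the example.

```python
import re

# Constructed excerpt in the format of the article's nmap ssl-enum-ciphers output.
NMAP_OUTPUT = """\
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|_  least strength: strong
"""

# One entry per line of the 6.4.4.x config files (denyCiphers abridged here).
EXCLUDE_PROTOCOLS = ["TLSv1", "SSLv3", "SSL", "SSLv2", "SSLv2Hello"]
ALLOW_CIPHERS = ["TLS_DHE_RSA.*", "TLS_ECDHE.*"]
DENY_CIPHERS = [".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*DSS.*",
                "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"]

def parse_nmap(text):
    """Return {protocol: [cipher names]} from ssl-enum-ciphers script output."""
    offered, proto = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").rstrip()          # drop nmap's "|" gutter
        m = re.fullmatch(r"(TLSv1\.\d|SSLv\d):", body)
        if m:
            proto = m.group(1)
            offered[proto] = []
        elif proto and body.startswith("TLS_"):
            offered[proto].append(body.split(" - ")[0])  # strip " - strong"
    return offered

def cipher_permitted(name, allow=ALLOW_CIPHERS, deny=DENY_CIPHERS):
    # Assumed semantics: must match an allowCiphers pattern and no denyCiphers
    # pattern (deny wins); patterns are treated as full-string regexes.
    return (any(re.fullmatch(p, name) for p in allow)
            and not any(re.fullmatch(p, name) for p in deny))

def audit(text, exclude=EXCLUDE_PROTOCOLS):
    """Return (protocols, ciphers) still offered that the config should have
    removed. Assumes nmap's 'TLSv1.0' names the config's 'TLSv1'."""
    offered = parse_nmap(text)
    bad_protos = sorted(p for p in offered
                        if p.replace("TLSv1.0", "TLSv1") in exclude)
    bad_ciphers = sorted({c for suites in offered.values()
                          for c in suites if not cipher_permitted(c)})
    return bad_protos, bad_ciphers
```

Run against a real scan, a server configured per the 6.4.4.x recommendation should yield two empty lists, while the article's sample output (TLSv1.0, 3DES and TLS_RSA_* suites) would still be flagged. The "strong" label in the sample is Nmap 6.47's own grading, not the recommended policy, so compare against the configuration rather than that rating.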

You can also use a third-party utility to test for supported protocols, available from the following URL:

3rd Party SSL testing sites:

You should be able to get a score of at least an A- with webNetwork 6.3.0 code.

Updated: 12 Jan 2017 08:00 AM