Terminal Service Plus

The best Citrix / RDS Alternative for Remote Desktop and Web Access
https://forum.tsplus.net/

Unable to disable certain ciphers; site validation issues

https://forum.tsplus.net/viewtopic.php?f=8&t=4542

Page 1 of 1

Unable to disable certain ciphers; site validation issues

Posted: Thu Nov 22, 2018 9:40 am
by cmarsura
Hi,
some questions about security.

a) If we submit to https://www.ssllabs.com/ssltest/ our site to validation, we get some warnings about following ciphers marked as WEAK:
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

As of current version of Java (8 Update 191) and Tsplus (11.60.10.28), we are unable to disable the ciphers from AdminTools > Security > SSL Ciphers Selection; the only way I found is to edit the c:\Program Files (x86)\FlexiCloud\Clients\webserver\tls.bin.

b) Is there a way to disable the TLSv1 and TLSv1.1 both?

c) If we submit to https://www.whynopadlock.com our site to validation, it complains that webserver is not forcing the use of SSL, but we have enabled it adding to C:\Program Files (x86)\FlexiCloud\Clients\webserver\settings.bin the following line:
disable_http_only=true
moreover if I go to our site with the http: prefix I am redirected automatically to the https:
Where is the problem?

Best.

Re: Unable to disable certain ciphers; site validation issues

Posted: Tue Dec 04, 2018 4:54 pm
by juwagn
Hello,

1.
the weak ciphers are listed in the lowest order for compatibility reasons.
If you want to get rid of these ciphers then follow please next FAQ
https://support.tsplus.net/en/support/s ... or-ciphers
Actually supported ciphers are listed inside web_log.txt
Remember, that ciphers reported by Java are sometimes not named exactly as ciphers reported by ssllabs, so compare and use those which are sounding similar if not named exactly same.
By following same FAQ you can disable separate protocol like TLSv1 etc..

2.
by disable_http_only=true some test suites like whynopadlock.com are making false positiv results when domain gets retrieved from server header since it is technically impossible to predict by which domain the page was called if you didn't put it forcibly in settings.bin.
If you followed the FAQ
https://www.terminalserviceplus.com/docs/enforce-https
you will notice there is second way how to enforce specific domain ssl forwarding rather than just ssl forwarding (that are two different entities)
disable_http_only="your_domain.com"
(restart html5 server after any such change)

Sincerely yours, JW.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited