Disable TLS1.0/1.1 for HTTP?

Trying to remediate vulnerabilities and we're tasked with disabling TLS1.0 and 1.1. I am able to disable it for LDAP, but we're getting dinged on the iMonitor/DHost HTTP services. Is there a way to disable TLS1.0 and 1.1 on the HTTP object? I couldn't find any documentation on it and none of the attributes seemed to indicate that they would manage that like the ldapSSLconfig attribute did on the LDAP side. I suppose the alternative would be to just disable the HTTPS port somehow (maybe by just not defining the http.server.tls-port option, although that may just assign one dynamically).

  • 0
    Is there a reason you have that socket open at all? Leaving it enabled
    but blocked by the host-based firewall (which should block it by default,
    unless you have disabled it for some odd reason) should prevent any
    outsider from even seeing it as an option. You can still use it
    yourself by either opening certain boxes to it, or tunneling in over SSH,
    or accessing it from the box itself, but that's all assuming you even need
    it at all.

    --
    Good luck.
  • 0 in reply to 
    ab;2483455 wrote:
    Is there a reason you have that socket open at all? Leaving it enabled
    but blocked by the host-based firewall (which should block it by default,
    unless you have disabled it for some odd reason) should prevent any
    outsider from even seeing it as an option. You can still use it
    yourself by either opening certain boxes to it, or tunneling in over SSH,
    or accessing it from the box itself, but that's all assuming you even need
    it at all.



    Thanks, ab. We have both 8028 and 8030 open as default so that we can pull up iMonitor when we need to. I did read in an article that another option is just to not load the httpstk modules as well. I'll have to check to see what our options are for host-based firewall configs. I guess what I'm reading from that, though, is that there doesn't seem to be a simple "select your supported TLS version(s)" for the HTTP stack.
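
To confirm what the scanner reports on the HTTPS listener, before and after a change such as a firewall rule or unloading the module, one handshake per protocol version is enough. The following is an added example and not part of the original thread; the function names are illustrative, and it assumes the service may present a self-signed certificate, so only protocol negotiation is checked.

```python
import socket
import ssl
import warnings

VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
DEPRECATED = ("TLSv1", "TLSv1.1")  # the versions the finding is about

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only protocol negotiation is checked, so certificate validation is
    # skipped (assumption: the service may use a self-signed certificate).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Without this, a hardened local OpenSSL refuses to offer TLS 1.0/1.1
    # and the server would wrongly look compliant.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx

def probe(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected', 'unreachable' or 'client-cannot-offer'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # closed or filtered: nothing to negotiate with
    with sock:
        try:
            ctx = pinned_context(version)
        except (ValueError, ssl.SSLError):
            return "client-cannot-offer"  # local TLS library lacks this version
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
        except (ssl.SSLError, OSError):
            return "rejected"

def scan(host, port, timeout=5.0):
    """Probe every version in VERSIONS against one listener."""
    return {name: probe(host, port, v, timeout) for name, v in VERSIONS.items()}

def failing(results):
    """Deprecated versions the listener still negotiates."""
    return [name for name in DEPRECATED if results.get(name) == "accepted"]
```

Call `failing(scan(host, 8030))` from a machine that is allowed to reach the port, 8030 being the default HTTPS port of the two mentioned above. A result of "unreachable" means the firewall is what the scanner would see, while "client-cannot-offer" means the check has to be repeated from a client whose TLS library still supports that version.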