Another day, another vulnerability. Feel like we are swimming against the tide.
Now, SSL v3 has been shown to be vulnerable (looks like a protocol issue, not an implementation issue, so patches are doubtful) and so I am looking at what we can do to mitigate this. Clients (such as IE, Firefox and Chrome (sort of)) can be set to disable SSL v3, but rolling this out across an Enterprise might not be that easy.
In IIS (that would be running TMS) you can switch off SSL v3 via a reg edit, but are there any knock-on effects? What about the web services built into CODECs, MCUs and other infrastructure devices - can SSL v3 be switched off?
I have updated the OS on our TMS server (in fact on all our Windows servers), to disable SSLv3 and switch off some insecure Ciphers. There are many ways to do this as it involves Registry edits and Policy objects, but one of the simplest I found was to use a tool from NARTAC Software (https://www.nartac.com/Products/IISCrypto/Default.aspx). After ensuring that SSLv3 is off, running a scan (from https://www.ssllabs.com/ssltest/index.html) showed that all was good (well, good enough), and I see no odd side effects at this point in time. I guess that if you still have clients running XP with IE6 that need to connect to TMS, you might have some problems, but if you still run XP and IE6, you have real problems ;)
Our VCS have the firewalls in place to limit management from only our internal network, but as a test I opened one up and scanned using the SSL Labs tool above. All is good and SSLv3 is already disabled.
IE – You can turn off SSL 3 from the Settings --> Internet Options --> Advanced --> Security section; however, if you find that the options to check SSL/TLS are greyed out (as they are on my machine), this may be a hangover from a previous security software installation. However, I will override this using GPO so domain-joined PCs will have this setting updated. The GPO applied to the domain is: Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY
Chrome – This is a little more difficult. It seems you can only do this at this moment in time by adding a switch to the start-up command (you can modify the shortcut on either Windows or Mac). Check out https://zmap.io/sslv3/browsers.html
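For devices that are only reachable from the internal network, such as the firewalled VCS mentioned above, the question the SSL Labs scan answers can also be asked from inside. The following is an added example, not part of the original post: it offers SSL 3.0 only and reports whether the server answers with a ServerHello. The cipher-suite list and the function names are choices made for this example.

```python
import os
import socket
import struct

# Suites an SSL 3.0 server could select: AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA, RC4-MD5
SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)
SSL3 = b"\x03\x00"

def build_client_hello() -> bytes:
    """SSL 3.0 ClientHello: highest version 3.0, empty session id, no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (SSL3 + os.urandom(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                       # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify(reply: bytes) -> str:
    """Interpret the first record the server sends back."""
    if len(reply) < 5:
        return "refused (no reply)"
    if reply[0] == 0x15:                         # alert record
        code = reply[6] if len(reply) > 6 else "?"
        return f"refused (alert {code})"
    if reply[0] == 0x16 and len(reply) >= 11 and reply[5] == 0x02:
        # ServerHello: the selected version follows the 4-byte handshake header
        return "ACCEPTED" if reply[9:11] == SSL3 else "unexpected version"
    return "unrecognised reply"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Offer SSL 3.0 only; connection errors to the host itself propagate."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_client_hello())
            while len(reply) < 11:
                chunk = sock.recv(64)
                if not chunk:
                    break
                reply += chunk
        except OSError:
            pass                                 # reset or timeout: judge what arrived
    return classify(reply)

if __name__ == "__main__":
    # Constructed sample replies, so the parser can be exercised offline.
    server_hello = b"\x16\x03\x00\x00\x4a\x02\x00\x00\x46\x03\x00" + bytes(32)
    alert = b"\x15\x03\x00\x00\x02\x02\x28"      # fatal handshake_failure (40)
    print(classify(server_hello), "|", classify(alert))
```

A refusal only covers the five suites offered here, so an "ACCEPTED" result is conclusive while a refusal is best confirmed against the server's own protocol settings.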