PORT STATE SERVICE VERSION
7272/tcp open ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong
To turn off SSL 3.0 on PMP
I did this and once nmap is run again the only protocol that shows is TLSv1.0, which is better than having it respond to SSL 3.0.
PORT STATE SERVICE VERSION
7272/tcp open ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
Reading through the other product forums I found that by adding TLSv1, TLSv1.1, TLSv1.2 to the SSLprotocols= line we get the other flavors of TLS turned on.
I did this and got these results back.
PORT STATE SERVICE VERSION
7272/tcp open ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong
So making these changes fixes the default build, which has SSL 3.0 ciphers (old, demoted ciphers) available, and leaves just the more secure TLS running. I will be turning the older TLS versions off shortly.
Hope this helps others in their quest for a better security posture for their organizations.
Regards,
--Forrest
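Added example, not code from Forrest's post or from the PMP product: a small Python checker that reads the text `nmap --script ssl-enum-ciphers` prints, collects the protocol versions and cipher suites the server offered, and flags what a hardening pass should still remove. It treats SSLv3, TLSv1.0 and TLSv1.1 as deprecated (an assumed policy following RFC 8996 and POODLE) and flags TLS_RSA_* suites for lacking forward secrecy. The two scan texts are constructed to mirror the first and last scans in the post; the host name passed to the openssl helper is a placeholder.

```python
"""Grade a port's TLS posture from `nmap --script ssl-enum-ciphers` output.

Added example, not from the original post or the PMP product. Parses the
script's text output, lists what the server offered, and flags deprecated
protocol versions and non-PFS cipher suites. Sample scans below are
constructed to mirror the post's before/after results.
"""
import re
from typing import Dict, List

# Assumed policy: nothing older than TLS 1.2 should be offered (RFC 8996
# deprecates TLS 1.0/1.1; SSLv3 has been unsafe since POODLE).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Protocol header, e.g. "|   TLSv1.2:" (also matches a flattened "| TLSv1.2:").
PROTO_RE = re.compile(r"^\|\s+(SSLv[23]|TLSv1\.[0-3]):\s*$")
# Cipher line, e.g. "|       TLS_RSA_WITH_AES_256_CBC_SHA - strong", or the
# newer nmap layout "|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A".
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\b.*-\s+(\S+)\s*$")


def parse_ssl_enum_ciphers(text: str) -> Dict[str, List[str]]:
    """Return {protocol: [cipher suites offered under it]}."""
    offered: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            offered.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            offered[current].append(m.group(1))
    return offered


def assess(offered: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Flag deprecated protocol versions and cipher suites without PFS."""
    deprecated = sorted(p for p in offered if p in DEPRECATED_PROTOCOLS)
    # TLS_RSA_* suites use static RSA key exchange: a leaked server key
    # decrypts recorded sessions. ECDHE/DHE suites give forward secrecy.
    non_pfs = sorted({s for suites in offered.values() for s in suites
                      if s.startswith("TLS_RSA_")})
    return {"deprecated_protocols": deprecated, "non_pfs_ciphers": non_pfs}


def is_hardened(offered: Dict[str, List[str]]) -> bool:
    """True only when TLS 1.2+ is offered and no deprecated version is."""
    modern = {"TLSv1.2", "TLSv1.3"} & set(offered)
    return bool(modern) and not assess(offered)["deprecated_protocols"]


def openssl_probe_commands(host: str, port: int = 7272) -> List[str]:
    """openssl s_client commands to confirm a scan by hand, one per version.

    A disabled version makes the handshake fail. -ssl3 only exists when the
    local OpenSSL was built with SSLv3 support.
    """
    return [f"openssl s_client -connect {host}:{port} {flag} </dev/null"
            for flag in ("-ssl3", "-tls1", "-tls1_1", "-tls1_2")]


# Constructed sample: the post's first scan (SSLv3 plus TLS 1.0-1.2).
BEFORE_SCAN = """\
PORT     STATE SERVICE  VERSION
7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

# Constructed sample: the post's final scan, i.e. the SSLv3 block removed.
AFTER_SCAN = BEFORE_SCAN.replace(
    "|   SSLv3:\n|     ciphers:\n|       TLS_RSA_WITH_AES_256_CBC_SHA - strong\n"
    "|     compressors:\n|       NULL\n", "")
assert "SSLv3" not in AFTER_SCAN

if __name__ == "__main__":  # real input: nmap -p 7272 --script ssl-enum-ciphers HOST
    for name, text in (("before", BEFORE_SCAN), ("after", AFTER_SCAN)):
        offered = parse_ssl_enum_ciphers(text)
        print(name, assess(offered), "hardened" if is_hardened(offered) else "not hardened")
```

Run against the post's final scan this still reports "not hardened": TLSv1.0 and TLSv1.1 are offered, and every suite is TLS_RSA_*, so the next step is restricting SSLprotocols= to TLSv1.2 and, if the Tomcat build allows it, preferring ECDHE suites.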