What is the correct way to disable SSLv3 on Orbix 6.3 services? I am new to Orbix and I was recently given an environment to support on one of our servers. My task is to disable SSLv3 which is still supported on the environment.
Per the documentation on the link below, I have updated the .cfg files within our domains to include the following lines:
policies:iiop_tls:mechanism_policy:protocol_version = ["TLS_V1_2"];
policies:https:mechanism_policy:protocol_version = ["TLS_V1_2"];
Our environment consists of two configuration domains.
When I make the changes to the first domain, for the config_rep, the changes work and SSLv3 is disabled as expected.
When I make the changes to the second domain, for the locator, node_daemon and naming services, SSLv3 is still enabled.
Verified with the command line: openssl s_client -connect localhost:3077 -ssl3, which reports back with "Secure Renegotiation IS supported".
The .cfg domain files are nearly identical.
I was eventually able to figure this out.
It turns out that Orbix can have configurations that are already loaded into their database. In my example, one of the configuration files wasn't being loaded. If the configuration file isn't being used, you can update the TLS value of your Orbix service with the following Orbix command:
./itadmin variable modify -type string -value "1.1" policies:iiop:server_version_policy
Once this command is entered, it will force your Orbix service to TLS 1.1 and higher.
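
For re-running the openssl s_client -ssl3 check from the question against each service after a configuration change, the following added example (not part of the original posts) classifies the result by the negotiated cipher lines in the s_client output. The function names and both sample outputs are constructed for illustration, and the sketch assumes the pre-TLS 1.3 s_client summary format.

```shell
#!/bin/sh
# classify_handshake (hypothetical helper): read `openssl s_client` output on
# stdin and print one of:
#   accepted - a cipher was negotiated, so the offered protocol is enabled
#   rejected - the handshake failed and no cipher was negotiated
#   unknown  - no handshake summary at all (e.g. client built without -ssl3)
classify_handshake() {
    awk '
        /Cipher is /     { seen = 1; if ($NF != "(NONE)") ok = 1 }
        /^ *Cipher *: /  { seen = 1; if ($NF == "0000") zero = 1 }
        END {
            if (!seen)            print "unknown"
            else if (ok && !zero) print "accepted"
            else                  print "rejected"
        }'
}

# probe_ssl3 HOST:PORT (hypothetical helper): offer only SSLv3 and classify.
probe_ssl3() {
    openssl s_client -connect "$1" -ssl3 </dev/null 2>&1 | classify_handshake
}

# Constructed sample: listener that still accepts SSLv3.
sample_accepted() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
EOF
}

# Constructed sample: listener that refuses SSLv3.
sample_rejected() {
    cat <<'EOF'
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
}

# With arguments, probe each HOST:PORT given (e.g. localhost:3077).
for target in "$@"; do
    printf '%s SSLv3 %s\n' "$target" "$(probe_ssl3 "$target")"
done
```

A result of "unknown" means the local openssl client could not offer SSLv3 at all, so the listener was not actually tested.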