Solved: SWEET32 Issue, CVE-2016-2183. Check TLS1.0 and disable it in Configuration on Linux.
In this post, we will see how to solve the SWEET32 issue, i.e. CVE-2016-2183, on a Linux host.
Let us see how to check for this issue and how to resolve it.
1. Check if TLS 1.0 is open.
[saket@ngelinux saket]$ openssl s_client -connect server2.ngelinux.com:443 -tls1
CONNECTED(00000003)
depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
2. Change the configuration and disable TLSv1 protocols.
[saket@ngelinux saket]$ vi /etc/httpd/conf/httpd.conf
Earlier:
SSLProtocol all -SSLv3
Now:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
3. Now check it again to see if it still connects.
[saket@ngelinux saket]$ openssl s_client -connect server2.ngelinux.com:443 -tls1
TLS 1.0 is now disabled, and the vulnerability should be addressed.
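As an added example (not part of the original post), the script below reports whether each active SSLProtocol directive in an Apache config file still allows TLS 1.0, applying mod_ssl's left-to-right token rules. The function names audit_sslprotocol and demo_conf are hypothetical, the sample config is constructed from the directive values in step 2, and Include directives are not followed.

```shell
#!/bin/sh
# Added example (not from the original post): report whether each active
# SSLProtocol directive in an Apache config file leaves TLS 1.0 enabled.
# mod_ssl applies tokens left to right: "-X" removes X, "+X" adds X, and a
# bare name replaces the whole set; "all" includes TLSv1.

audit_sslprotocol() {   # usage: audit_sslprotocol FILE
    awk '
    function tls10(   i, t, on) {
        on = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            if (t == "-all" || t == "-tlsv1")      on = 0
            else if (t ~ /^[+]?(all|tlsv1)$/)      on = 1
            else if (t !~ /^[+-]/)                 on = 0  # bare name replaces the set
        }
        return on ? "enabled" : "disabled"
    }
    # Commented-out lines start with "#", so $1 never matches for them.
    tolower($1) == "sslprotocol" {
        found = 1
        printf "line %d: TLSv1.0 %s\n", FNR, tls10()
    }
    END { if (!found) print "no active SSLProtocol directive (server default applies)" }
    ' "$1"
}

# Constructed sample: the two settings from step 2, plus a commented-out line.
demo_conf() {
    cat <<'EOF'
#SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol all -SSLv3
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
EOF
}

tmp=$(mktemp) && demo_conf > "$tmp" && audit_sslprotocol "$tmp"; rm -f "$tmp"
```

Run it against the real file with audit_sslprotocol /etc/httpd/conf/httpd.conf; httpd has to be restarted or reloaded before the openssl s_client check in step 3 reflects an edited directive.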