Question & Answer
How to enable only TLS in caching proxy to avoid the POODLE attack.
Earlier, caching proxy did not have directives to enable only TLS (without enabling SSLV3).
Details about the 18.104.22.168_3 and 22.214.171.124_1 fixes which have the complete fix for POODLE vulnerability
List of directives introduced with their default values.
1. TLSOnly - Values can be set to On or Off. Default is on. When this is set to on, both SSLV2 and SSLV3 are blocked.
2. TLSVersion - Values can be set to "TLSV10" or "TLSV11" or "TLSV12" or "ALL". Default is ALL which would allow TLSV10,TLSV11 and TLSV12.
3. TLSV11CipherSpecs - This directive can be set based on the customer's requirement with the ciphers in the supported list of ciphers for proxy. The default value is 2F350A0504090201
4. TLSV12CipherSpecs - This directive can be set based on the customer's requirement with the ciphers in the supported list of ciphers for proxy. The default value is 9C9D3C3D2F350A3B02
Steps to enable the fix.
1. This fix would work only if the customer has a GSKit version of 126.96.36.199 or above.
2. Add the following directives in the config file "SSLEnable on", "TLSOnly on", "TLSV1Enable on". By default the TLSOnly is set to on. Hence if the customer intends to enable SSLV2 or SSLV3 along with TLS, the customer will have to set "TLSOnly off" and specify the "SSLVersion" directive (which is set to all by default).
3. The customer will have to specifically define a value for V3CipherSpecs directive without which the proxy might fail to start (when TLSOnly is on and TLSVersion is set either to ALL or TLSV10). This is because, when SSLV3 is used, V3CipherSpecs will be set to a default value based on the location (US or outside) by the GSKit. Since SSLV3 and TLSV10 use same cipher specs, this value will not be loaded by GSKit when SSLV3 is disabled (In case of "TLSOnly ON"). Hence there needs to be a value specified for V3CipherSpecs for TLSV10 to use when TLSOnly is set to on (which is the default case). TLSV11CipherSpecs and TLSV12CipherSpecs need to be defined according to the customer's requirement but if in case they haven't defined, default values would be used.
4. Please note that there is no way to disable a specific version of TLS. The version of TLS to be used can be set either to a specific version or ALL. Selective disabling isn't supported.(for example, there is not a provision in CP to disable only TLSV12 and use TLSV10 and TLSV11).
15 June 2018