Hey Guys,
I have a couple servers that are getting flagged by our network security team. How do I disable TLS 1.0 protocol within Solaris? The vulnerability is:
CVE-2011-3389
TLS-SSL Server Blockwise Chosen-Boundary Browser Weakness
It looks like Oracle says that this is a Java issue (JDK and JRE 7, 6 Update 27 and before, 5.0 Update 31 and before, 1.4.2_33 and before; JRockit R28.1.4 and before). Oracle says if your Java level is higher than the versions above, you're good. If not, patch Java.
ref: Oracle Java Critical Patch Update - October 2011
If you don't need Java remove it.
TLS is used by a multiplicity (or can be) of services. Was this for your Apache2 server? What does your SSLProtocol line look like? You can turn off all but SSLv2 with:
SSLProtocol -all +SSLv2
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
Cheers,
Keith Duffin
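
Added example, not part of the posts above: a small Python check that evaluates Apache SSLProtocol lines the way the directive is applied (left to right; "+" adds, "-" removes, a bare name replaces) and reports whether SSLv2, SSLv3 or TLSv1 remain enabled. The expansion of "all", the function names and the sample config are assumptions constructed for illustration.

```python
import re

# Assumption: what "all" expands to depends on the Apache/OpenSSL build;
# this superset is used so older and newer builds are both covered.
ALL = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# CVE-2011-3389 concerns SSL 3.0 / TLS 1.0; SSLv2 is prohibited by RFC 6176.
FLAGGED = {"SSLv2", "SSLv3", "TLSv1"}

def effective_protocols(args, all_protocols=ALL):
    """Apply SSLProtocol tokens in order: +x adds, -x removes, bare x replaces."""
    known = {p.lower(): p for p in all_protocols}
    enabled = set()
    for tok in args.split():
        action = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        if name != "all" and name not in known:
            raise ValueError(f"unknown protocol {tok!r}")
        group = set(all_protocols) if name == "all" else {known[name]}
        if action == "+":
            enabled |= group
        elif action == "-":
            enabled -= group
        else:
            enabled = group
    return enabled

def audit(config_text, all_protocols=ALL):
    """Return [(line_no, enabled, flagged)] for each active SSLProtocol line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:  # commented-out lines start with '#' and do not match
            enabled = effective_protocols(m.group(1), all_protocols)
            findings.append((no, sorted(enabled), sorted(enabled & FLAGGED)))
    return findings

# Constructed sample config, not taken from a real server.
SAMPLE = """\
# SSLProtocol all
SSLProtocol all -SSLv2
SSLProtocol -all +SSLv2
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
"""

if __name__ == "__main__":
    for no, enabled, flagged in audit(SAMPLE):
        print(f"line {no}: enabled={enabled} flagged={flagged}")
```

An empty "flagged" list means the line leaves neither TLS 1.0 nor the older SSL versions enabled.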