We are running Fisheye 4.6.1 and I am trying to disable weak cipher suites.
My config.xml has the following section:
<web-server site-url="https://crucible.xxxxxxxx.dom">
  <http bind="0.0.0.0:8060" proxy-port="443" proxy-scheme="https" proxy-host="crucible.xxxxxxxxx.dom"/>
  <ssl bind=":6443" keystore="/srv/crucible/keystoreneu.kst" keystore-password="xxxxxxxxxxx" truststore="/srv/crucible/keystoreneu.kst" truststore-password="xxxxxxxxx">
    <excludeProtocols>
      <protocol>SSLv3</protocol>
      <protocol>TLSv1</protocol>
      <protocol>TLSv1.1</protocol>
    </excludeProtocols>
    <excludeCipherSuites>
      <cipherSuite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
      <cipherSuite>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
      <cipherSuite>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
    </excludeCipherSuites>
    <proxy-info proxy-host="crucible.xxxxxxxx.dom" proxy-port="443" proxy-scheme="https"/>
  </ssl>
</web-server>
An sslscan shows this:
sslscan localhost:6443
Version: 2.0.10
OpenSSL 1.1.1l 24 Aug 2021 SUSE release 150400.7.16.1
Connected to ::1
Testing SSL server localhost on port 6443 using SNI name localhost
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 disabled
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLSv1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 112 bits TLS_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1.2 112 bits TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
So not all excluded cipher suites work.
Kind regards
Matthias
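
A way to repeat this comparison after each config change, as an added example that is not part of the original post or of Fisheye: it reads the `<excludeCipherSuites>` list and the sslscan cipher lines, then reports excluded suites the server still accepts and suites whose DHE group is below a chosen size. The function names, the OpenSSL alias table, the 2048-bit threshold and the embedded samples are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the exclusion list from the config.xml in the post.
CONFIG = """<ssl><excludeCipherSuites>
  <cipherSuite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
  <cipherSuite>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
  <cipherSuite>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
</excludeCipherSuites></ssl>"""

# Constructed sample: five cipher lines in the layout sslscan printed above.
SCAN = """Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 112 bits TLS_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1.2 112 bits TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"""

# OpenSSL spellings of the same suites, in case the scanner prints those.
OPENSSL_ALIAS = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA": "DHE-RSA-DES-CBC3-SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": "ECDHE-RSA-DES-CBC3-SHA",
}

LINE = re.compile(r"^(?:Preferred|Accepted)\s+\S+\s+\d+ bits\s+(\S+)(?:.*?DHE (\d+) bits)?")

def excluded_suites(config_xml):
    """Suite names listed under <excludeCipherSuites>."""
    return [e.text.strip() for e in ET.fromstring(config_xml).iter("cipherSuite") if e.text]

def offered(scan_text):
    """(suite, dh_bits or None) for every Preferred/Accepted line."""
    rows = []
    for line in scan_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return rows

def audit(config_xml, scan_text, min_dh_bits=2048):
    """Return (excluded suites still offered, suites with DH below min_dh_bits)."""
    rows = offered(scan_text)
    names = {suite for suite, _ in rows}
    leaked = [s for s in excluded_suites(config_xml)
              if s in names or OPENSSL_ALIAS.get(s) in names]
    weak_dh = [suite for suite, bits in rows if bits is not None and bits < min_dh_bits]
    return leaked, weak_dh

if __name__ == "__main__":
    print(audit(CONFIG, SCAN))
```

To use it on a live setup, pass the contents of config.xml and the saved sslscan output to `audit` in place of the two embedded samples.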