How to Disable TLS 1.0 and 1.1 in Variphy (Linux)

TLS 1.0 is a security protocol first defined in 1999 for establishing encryption channels over computer networks. While no longer the default security protocol in use by modern OSes, TLS 1.0 is still supported for backwards compatibility. Evolving regulatory requirements often provide corporations with the incentive to disable TLS 1.0 entirely. The following article will outline the steps to enable TLS 1.2 only, disabling TLS 1.0, 1.1.

Disable TLS 1.0 & 1.1 in the Variphy Linux OVA

1. Connect to your Variphy Insight OVA deployment via SSH.
   • The default credentials are:
     • username: variphyadmin
     • password: V@riphy!!

2. Stop the Variphy Service.

sudo service variphy stop

3. Navigate to the /opt/variphy/apps/insight/config directory.

cd /opt/variphy/apps/insight/config/

4. Archive the current https_customizations.xml file.

sudo mv -v /opt/variphy/apps/insight/config/https_customizations.xml /opt/variphy/apps/insight/config/https_customizations.xml.$(date +%N).original

5. Validate you now have a https_customizations.xml.*.original file in your directory by listing the files.

ls

Create a new https_customizations.xml enabling only TLS 1.2.

You may use the command line file editor of your choice, in the below example we will use vi.

6. Execute the following command to create new https_customizations.xml file in the /opt/variphy/apps/insight/config/ directory.

sudo vi https_customizations.xml

7. Paste the following content into the blank file.

<Connector 
  protocol="org.apache.coyote.http11.Http11NioProtocol" 
  maxThreads="200" 
  minSpareThreads="10" 
  enableLookups="false" 
  disableUploadTimeout="true" 
  asyncTimeout="900000" 
  connectionTimeout="20000" 
  acceptCount="100" 
  SSLEnabled="true" 
  scheme="https" 
  secure="true" 
  port="8443"
>
  <SSLHostConfig protocols="TLSv1.2">
    <Certificate 
      certificateKeystoreFile="keystore.pfx" 
      certificateKeystoreType="PKCS12" 
      certificateKeystorePassword="V@riphy!!"
    />
 </SSLHostConfig>
  </Connector>
 

8. Save the file by executing the following command.

:wq

9. Validate a new https_customizations.xml file was created by executing the list command.

ls

10. Start the variphy service.

sudo service variphy start

Give Variphy a minute to start back up and you have successfully disabled TLS 1.0 and 1.1.