How to Disable TLS 1.0 and 1.1 in CSR Server
From Content Security Reporter 2.9.x
When you perform an audit scan of your CSR server, you see that TLS 1.0 and 1.1 are enabled, and port 9121 is in use.
The CSR server allows connections with TLS 1.1, TLS 1.2, and TLS 1.3. By default, TLS 1.0 is disabled.
The goal is to disable TLS 1.0 and 1.1 on the CSR server and ensure compliance.
To disable TLS 1.1 and ensure that TLS 1.0 is disabled, perform the steps below:
- Navigate to C:\Program Files\Skyhigh\Content Security Reporter\reporter\jboss\bin.
- Create a backup of java.custom.security, and place the backup in a safe location.
- Open java.custom.security in a text editor of your choice.
- Locate the following entry:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
NOTE: In this example, TLS 1.0 is already listed as disabled (TLSv1).
- Edit the entry to the following:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
- Restart the CSR service.
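To confirm the edit before restarting, the following added example (not part of the vendor's documentation) parses a java.security-style file, joins the backslash-continued line, and reports which of SSLv3, TLSv1 and TLSv1.1 are missing from jdk.tls.disabledAlgorithms. The function names are hypothetical, and the two sample inputs are constructed from the entries shown in the steps above.

```python
import sys

KEY = "jdk.tls.disabledAlgorithms"
REQUIRED = ("SSLv3", "TLSv1", "TLSv1.1")  # protocols the article wants refused

# Constructed samples: the article's "before" and "after" entries.
BEFORE = r"""jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""
AFTER = BEFORE.replace("TLSv1,", "TLSv1, TLSv1.1,")

def logical_lines(text):
    """Yield property lines with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip() if buf else raw
        if not buf and line.lstrip().startswith(("#", "!")):
            continue  # comment line
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd count: the last backslash continues the line
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def disabled_algorithms(text):
    """Entries of the last definition of KEY, or None if it is absent."""
    entries = None
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == KEY:
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def missing_protocols(text, required=REQUIRED):
    """Required protocols not listed as whole entries (no substring matching,
    so TLSv1.2 or TLSv1.1 can never stand in for TLSv1)."""
    entries = disabled_algorithms(text) or []
    return [p for p in required if p not in entries]

if __name__ == "__main__":
    # Pass the path to java.custom.security; without one the samples are checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print("missing:", missing_protocols(fh.read()))
    else:
        print("before:", missing_protocols(BEFORE))
        print("after: ", missing_protocols(AFTER))
```

An empty result means all three protocols are listed; the check covers only the file contents, so a rescan of port 9121 after the service restart is still needed to confirm the running server refuses them.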