App Layering: How to specify or disable SSL protocols and ciphers in the ELM


Article ID: CTX232060


Description

Modern security requirements often specify disabling certain SSL protocols or cipher families.  The ELM uses an Apache web server daemon for accessing the Management Console UI.  Citrix keeps the ELM deployment images up to date with modern requirements (requiring TLS 1.2, disabling SSLv3, disabling RC4 or MD5) as each new version is released.  However, an ELM keeps the security settings it was originally deployed with, because changing the SSL support during an upgrade could accidentally break imported certificates.  This document describes how to manually change the SSL support for Apache if your security requirements change.


Instructions

The Apache SSL configuration is contained in /etc/httpd/conf.d/ssl.conf. This file can be edited manually while logged in as the root account. The ELM contains VI, EMACS and Nano as text editors. If you're not already familiar with EMACS and VI, we recommend Nano as the most user-friendly editor.

  1. Edit ssl.conf with a command like this:

    nano /etc/httpd/conf.d/ssl.conf

  2. Scroll down to this section:

    ##
    ## SSL Virtual Host Context
    ##

  3. Edit or add these three lines in that section as necessary:

    SSLProtocol TLSv1.2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4

  4. Save the file and reboot the ELM.

Beware that this may invalidate any imported certificates, so be careful. It is worth creating a VM snapshot before performing this edit, so you can revert if it breaks your ability to log in to the ELM.
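The following script is a scripted form of steps 1 to 4 above, added here as an example; it is not part of the Citrix article and not tooling shipped with the ELM. It assumes the stock ELM layout (ssl.conf at /etc/httpd/conf.d/ssl.conf, the "SSL Virtual Host Context" section wrapping a <VirtualHost _default_:443> block, apachectl and openssl on the PATH) and must be run as root to touch the real file. It sets the same three directives the steps give, replacing any existing copies (active or commented out) so only one value is in force, takes a file backup alongside the VM snapshot, and runs a syntax check before you reboot.

```shell
#!/bin/sh
# Added example, not Citrix's own tooling: scripted form of steps 1-4 above.
# Assumes the stock ELM layout (ssl.conf at /etc/httpd/conf.d/ssl.conf, the
# "## SSL Virtual Host Context" section wrapping a <VirtualHost _default_:443>
# block, apachectl and openssl on the PATH) and root to modify the real file.
set -eu

# set_directive FILE NAME VALUE
# Replaces every existing NAME line (active or commented out) with "NAME VALUE",
# keeping a single copy; if NAME is absent, inserts it just inside the first
# <VirtualHost ...> block, or appends it when there is no such block.
set_directive() {
    file=$1; name=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v name="$name" -v value="$value" '
        { lines[NR] = $0 }
        END {
            # pass 1: is the directive present anywhere (even as "#NAME ...")?
            found = 0
            for (i = 1; i <= NR; i++) {
                s = lines[i]; sub(/^[ \t]*#?[ \t]*/, "", s)
                if (s ~ ("^" name "[ \t]")) found = 1
            }
            # pass 2: rewrite the file
            done = 0
            for (i = 1; i <= NR; i++) {
                s = lines[i]; sub(/^[ \t]*#?[ \t]*/, "", s)
                if (s ~ ("^" name "[ \t]")) {
                    if (!done) { print name " " value; done = 1 }
                    continue      # drop duplicates so exactly one value applies
                }
                print lines[i]
                if (!found && !done && lines[i] ~ /^<VirtualHost/) {
                    print name " " value; done = 1
                }
            }
            if (!done) print name " " value
        }' "$file" > "$tmp"
    cat "$tmp" > "$file"    # overwrite in place so ownership and mode are kept
    rm -f "$tmp"
}

# harden_ssl_conf FILE: back the file up, then apply the three directives
# exactly as given in step 3 of the article.
harden_ssl_conf() {
    conf=$1
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"   # file-level rollback
    set_directive "$conf" SSLProtocol "TLSv1.2 -SSLv3"
    set_directive "$conf" SSLHonorCipherOrder On
    set_directive "$conf" SSLCipherSuite 'ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4'
}

# check_before_reboot FILE: a typo in ssl.conf locks you out of the Management
# Console after the reboot in step 4, so validate first and show which cipher
# suites the string actually enables on this OpenSSL build.
check_before_reboot() {
    conf=$1
    apachectl configtest
    suite=$(sed -n 's/^SSLCipherSuite[[:space:]]*//p' "$conf" | head -n 1)
    openssl ciphers -v "$suite"
}

# Only touch the live configuration when explicitly asked to.
case "${1:-}" in
    --apply)
        harden_ssl_conf /etc/httpd/conf.d/ssl.conf
        check_before_reboot /etc/httpd/conf.d/ssl.conf
        ;;
esac
```

Take the VM snapshot first, then run the script with `--apply` as root and reboot the ELM only if `apachectl configtest` reports "Syntax OK". The `openssl ciphers -v` output is the quickest way to see what the cipher string from step 3 expands to on the appliance itself, before any client has to negotiate with it.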


Please see article CTX231374 for more information on how to view which ciphers are in use and which ones are available.