Search Appliance

 

Thunderstone Search Appliance Manual

SSL Client Protocols

Which SSL protocols to allow for client HTTPS/SSL connections when walking or performing results authorization, i.e. for connections from the Search Appliance to remote https:// URLs. The default is to leave SSLv2 and SSLv3 disabled, as these are known to be vulnerable to attacks. Enabling SSLv3, if necessary, may also require a cipher change; see note under SSL Client Ciphers (here).

Sometimes a walker's connection fails at (or soon after) the SSL negotiation, possibly with the error message "Missing HTTP response line in reply from ...". This may be due to settings on the remote server that disallow certain SSL protocols - yet those protocols were enabled under SSL Client Protocols (e.g. for legacy reasons). In such cases, disabling various SSL protocols may enable the connection to succeed.

Note that support for some (e.g. vulnerable) protocols may end in some the Search Appliance versions, depending on the concurrent OpenSSL libs' support: e.g. SSLv2 is no longer supported in OpenSSL 1.1.0 and later.

Note: To change the server-side SSL protocols accepted by the Search Appliance - e.g. for admin, search, Dataload etc. - see HTTPS/SSL Protocols under System Wide Settings.


Copyright © Thunderstone Software     Last updated: Mar 21 2023