excludeProtocols - includeProtocols - allowCiphers - denyCiphers config file Legacy Configuration


As of release 6.5.8.28, UW supports TLS version 1.3.  For customers running UW 6.5.8.28 and higher, we recommend the following configuration.

For customers running older releases of UW, the following configurations are still applicable.


Starting with webNetwork (now Unified Workspace) 6.2.1.186, four config files are available to turn various protocols and ciphers on or off.

The following configuration is recommended, up to release 6.4.4.x of UW.

/stoneware/config/excludeProtocols
SSLv3
SSL
SSLv2
SSLv2Hello

/stoneware/config/includeProtocols - delete this file 

/stoneware/config/allowCiphers - delete this file

/stoneware/config/denyCiphers 
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384


As of UW release 6.4.4.x, the following configuration is recommended:

/stoneware/config/excludeProtocols
TLSv1
SSLv3
SSL
SSLv2
SSLv2Hello

/stoneware/config/includeProtocols - leave this file empty

/stoneware/config/allowCiphers
TLS_DHE_RSA.*
TLS_ECDHE.*

/stoneware/config/denyCiphers 
.*NULL.*
.*RC4.*
.*MD5.*
.*DES.*
.*DSS.*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384


With UW release 6.4.5.13, TLS 1.2 is supported.  The following config is therefore recommended to disable TLS 1.1.

/stoneware/config/excludeProtocols
TLSv1
TLSv1.1
SSLv3
SSL
SSLv2
SSLv2Hello

/stoneware/config/includeProtocols - leave this file empty

/stoneware/config/allowCiphers
TLS_DHE_RSA.*
TLS_ECDHE.*

/stoneware/config/denyCiphers 
.*NULL.*
.*RC4.*
.*MD5.*
.*DES.*
.*DSS.*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384


Any change to these files requires webNetwork to be shut down and started back up.



If you want to validate the protocols being used, you can use a program like Nmap to query the webNetwork server.  Running the command

nmap --script ssl-enum-ciphers -p 443 mysystem.example-cloud.com

will list something like:

Starting Nmap 6.47 ( http://nmap.org/ ) at 2016-06-17 11:36 Eastern Daylight Time
Nmap scan report for mysystem.example-cloud.com (172.16.1.1)
Host is up (0.0019s latency).

PORT    STATE SERVICE
443/tcp open  https

| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors: 
|       NULL
|_  least strength: strong
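
As an added example (not part of the original article or the product's own code), the following Python script checks saved ssl-enum-ciphers output against the 6.4.5.13 policy above and reports anything the server still offers that the policy should have removed. It assumes the allowCiphers/denyCiphers entries are regular expressions matched against the whole cipher name and that a deny match overrides an allow match; the function names and the abbreviated sample scan are constructed for illustration.

```python
import re

# Policy copied from the 6.4.5.13 recommendation on this page.
EXCLUDE_PROTOCOLS = {"TLSv1", "TLSv1.1", "SSLv3", "SSL", "SSLv2", "SSLv2Hello"}
ALLOW_CIPHERS = ["TLS_DHE_RSA.*", "TLS_ECDHE.*"]
DENY_CIPHERS = [".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*DSS.*"] + [
    "TLS_DHE_RSA_WITH_AES_" + s for s in ("128_CBC_SHA", "128_CBC_SHA256",
    "128_GCM_SHA256", "256_CBC_SHA", "256_CBC_SHA256", "256_GCM_SHA384")]
NMAP_TO_CONFIG = {"TLSv1.0": "TLSv1"}  # nmap's label -> name used in the config files

def cipher_permitted(name):  # assumed semantics: full match, deny overrides allow
    allowed = any(re.fullmatch(p, name) for p in ALLOW_CIPHERS)
    return allowed and not any(re.fullmatch(p, name) for p in DENY_CIPHERS)

def parse_nmap(text):  # returns {protocol: [cipher, ...]}, skipping compressors
    offered, proto, in_ciphers = {}, None, False
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()
        if m := re.fullmatch(r"((?:SSL|TLS)v[\d.]+):", body):
            proto = NMAP_TO_CONFIG.get(m.group(1), m.group(1))
            offered[proto] = []
        elif body.endswith(":"):
            in_ciphers = body == "ciphers:"
        elif proto and in_ciphers and body:
            offered[proto].append(body.split()[0])
    return offered

def audit(text):
    findings = []
    for proto, ciphers in parse_nmap(text).items():
        if proto in EXCLUDE_PROTOCOLS:
            findings.append(f"{proto}: offered but listed in excludeProtocols")
            continue
        findings += [f"{proto}: {c} not permitted" for c in ciphers if not cipher_permitted(c)]
    return findings

SAMPLE = """\
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
"""  # constructed, abbreviated from the scan output on this page
print("\n".join(audit(SAMPLE)))
```

Under the assumed matching rules, the `.*DES.*` entry also matches the 3DES_EDE suites, which is why the ECDHE 3DES suite is reported even though `TLS_ECDHE.*` allows it.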

You can also download a nice 3rd party utility to test for supported protocols from the following URL:

3rd Party SSL testing sites:

You should be able to get a score of at least an A- with webNetwork 6.3.0 code.

