excludeProtocols - includeProtocols - allowCiphers - denyCiphers config file Legacy Configuration


As of release 6.5.8.28, UW supports TLS version 1.3.  For customers running UW 6.5.8.28 and higher, we recommend the following configuration.

For customers running older releases of UW, the following configurations are still applicable.


Starting with webNetwork (now Unified Workspace) 6.2.1.186, four config files are available to turn various protocols and ciphers on or off.

The following configuration is recommended, up to release 6.4.4.x of UW.

/stoneware/config/excludeProtocols
SSLv3
SSL
SSLv2
SSLv2Hello

/stoneware/config/includeProtocols - delete this file 

/stoneware/config/allowCiphers - delete this file

/stoneware/config/denyCiphers 
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384


As of UW release 6.4.4.x, the following configuration is recommended.

/stoneware/config/excludeProtocols
TLSv1
SSLv3
SSL
SSLv2
SSLv2Hello

/stoneware/config/includeProtocols - leave this file empty

/stoneware/config/allowCiphers
TLS_DHE_RSA.*
TLS_ECDHE.*

/stoneware/config/denyCiphers 
.*NULL.*
.*RC4.*
.*MD5.*
.*DES.*
.*DSS.*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384


With UW release 6.4.5.13, TLS 1.2 is supported.  The following config is therefore recommended to disable TLS 1.1.

/stoneware/config/excludeProtocols
TLSv1
TLSv1.1
SSLv3
SSL
SSLv2
SSLv2Hello

/stoneware/config/includeProtocols - leave this file empty

/stoneware/config/allowCiphers
TLS_DHE_RSA.*
TLS_ECDHE.*

/stoneware/config/denyCiphers 
.*NULL.*
.*RC4.*
.*MD5.*
.*DES.*
.*DSS.*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384


Any changes to these files require webNetwork to be shut down and started back up.



If you want to validate the protocols being used, you can use a program like Nmap to query the webNetwork server.  The command line

nmap --script ssl-enum-ciphers -p 443 mysystem.example-cloud.com

will list something like:

Starting Nmap 6.47 ( http://nmap.org/ ) at 2016-06-17 11:36 Eastern Daylight Time
Nmap scan report for mysystem.example-cloud.com (172.16.1.1)
Host is up (0.0019s latency).

PORT    STATE SERVICE
443/tcp open  https

| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors: 
|       NULL
|_  least strength: strong
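
To compare a scan like the one above against the 6.4.5.13 recommendation without reading it line by line, the following added example (not part of the original article or of the product) parses ssl-enum-ciphers output and reports every protocol or cipher the config files should have disabled. It assumes the patterns are whole-name regular expressions with denyCiphers overriding allowCiphers, and that nmap's "TLSv1.0" is the config files' "TLSv1"; the sample scan text is constructed.

```python
import re

# Values copied from the 6.4.5.13 recommendation on this page.
EXCLUDE_PROTOCOLS = {"TLSv1", "TLSv1.1", "SSLv3", "SSL", "SSLv2", "SSLv2Hello"}
ALLOW_CIPHERS = ["TLS_DHE_RSA.*", "TLS_ECDHE.*"]
DENY_CIPHERS = [".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*DSS.*",
                "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
                "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"]
NMAP_TO_CONFIG = {"TLSv1.0": "TLSv1"}  # assumption: nmap's name -> config file's name
PROTO_RE = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|\s+((?:TLS|SSL)_\w+)")  # skips the "NULL" compressor line

def parse_scan(text):  # -> {protocol: [cipher, ...]} as offered by the server
    offered, current = {}, None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            current = m.group(1)
            offered[current] = []
        elif current and (m := CIPHER_RE.match(line)):
            offered[current].append(m.group(1))
    return offered

def audit(text):  # -> [(item, reason), ...]; empty list means the scan agrees
    findings = []
    for proto, ciphers in parse_scan(text).items():
        if NMAP_TO_CONFIG.get(proto, proto) in EXCLUDE_PROTOCOLS:
            findings.append((proto, "protocol is in excludeProtocols"))
            continue
        for c in ciphers:
            # Assumption: patterns are whole-name regexes; deny overrides allow.
            if any(re.fullmatch(p, c) for p in DENY_CIPHERS):
                findings.append((c, "matches denyCiphers"))
            elif not any(re.fullmatch(p, c) for p in ALLOW_CIPHERS):
                findings.append((c, "not matched by allowCiphers"))
    return findings

# Constructed sample, shaped like the scan output above.
SAMPLE = """\
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL"""
```

Pass the saved output of the nmap command to audit(); each returned pair names a protocol or cipher still offered and the file that should have removed it.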

You can also download a nice 3rd party utility, to test for supported protocols, from the following URL:

3rd Party SSL testing sites:

You should be able to get a score of at least an A- with webNetwork 6.3.0 code.

