Stronger SSL Encryption can be achieved by doing the following:

• Upgrade your operating system
• Upgrade Java
• Upgrade Noodle
• Limit Protocols and Ciphers in server.xml
  • add protocols="TLSv1.2,TLSv1.3" to SSLHostConfig
• Add a CAA record to your DNS.

Test at ssllabs.

Make sure Noodle is not running if/while you uninstall old Java versions.
Noodle Service restart required.

Windows

• Updating Java can require a Windows restart to complete and be functional.
• intranet.bat may require an edit to use the new Java version
• Select a Java build.

Restarting Noodle service

• Microsoft
  • sc stop noodle
  • sc start noodle
• Linux like sysvinit/Upstart
  • service noodle restart
• Linux like Systemd
  • systemctl restart noodle
• Linux like launchd
  • launchctl unload /System/Library/LaunchDaemons/noodle.plist
  • launchctl load /System/Library/LaunchDaemons/noodle.plist
• Linux like SMF
  • svcadm restart noodle

1. Make sure the port you want to use is not already in use:
   • Linux-like systems
     • netstat -ln | grep ":80 "
   • Microsoft
     • netstat -na | findstr ":80"
2. Edit the connection port in server.xml (a text file) to an available port.
3. Remember to update the OS and network firewalls.
4. restart the Noodle service
5. Update the Noodle setting “System Tools > Settings > URL for Noodle”

Microsoft Windows runs http.sys on port 80 by default. Disable http.sys by running these 2 commands:

1. sc config http start= disabled
2. net stop http /y

Or if you want to use both you can bind them to different IPs:

1. http.sys IP (netsh http add iplisten ipaddress=192.168.0.101)
2. Noodle IP (Edit the connection address in server.xml to 192.168.0.100)

Default home directories:

• Linux-like
  • /opt/Noodle/
• Microsoft
  • C:\Program Files (x86)\Noodle\

List of most to least secure ways of connecting to the Noodle service:

1. On a network not (even indirectly) connected to the internet.
   • online features will necessarily not work;
     • email
     • upgrade button
     • unsplash
     • auto ssh
     • etc
2. On a network only indirectly connected to the internet.
3. On a public network with a firewall or NAT port forwarding blocking all but one port.
4. On a public network.

Public network security options:

• HTTPS
• DNS CAA records
• HTTP headers (content-security-policy, strict-transport-security, etc)
• White list
• Auto blacklisting enabled.
• "Session Security Level" to 4 (prevent session hijacking).
• IWA or 2 factor authentication.
• "Minimum password length" to 8 (make password guessing harder).
• Encrypted VPN or ssh tunnel.
• Anonymity networks like tor can be used, optionally with ssl or ssh (in practice will prevent anyone, including governments, from knowing what server a user is talking to).

• • Instead of downgrading we encourage you to report issues and then upgrade to a fixed version.
  • A new unwanted feature can often be made optional by adding a setting to disable it.
  • To test customizations against a new version we recommend cloning the VM or DB to a test instance to try the upgrade out before applying it to the production version.
  • If only the last number of the version has changed, downgrade by replacing its lib directory with the old version.
  • If the second number in the version changes reverting the database structure will require a custom build.

Windows example of converting a Tomcat SSL certificate to Apache :

keytool -storepass 123 -keystore noodle.pfx -export -alias domain.tld -rfc -file cert.pem

keytool -storepass 123 -keystore noodle.pfx -export -alias root -rfc -file fullchain.pem
openssl pkcs12 -in noodle.pfx -nocerts -nodes > privkey.pem

Official keytool manual

Official openssl manual