By default, the client proxy supports TLS 1.2 and the cipher suites listed below when communicating with an information system (the protocols and suites are controlled by the client-tls-protocols and client-tls-ciphers keys of the [proxy] section):

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256*

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256*

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384*

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384*

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

(*) Not supported in RHEL when OpenJDK is used.

...

The xroad-proxy service must be restarted for the changes to take effect:

# Ubuntu
service xroad-proxy restart

# RHEL
systemctl restart xroad-proxy

For example, when connecting an IIS web server to a Security Server, the following changes must be made to the Security Server's configuration in local.ini. Note that the four TLS_RSA_* suites appended at the end use static RSA key exchange and therefore provide no forward secrecy; add them only when the information system cannot negotiate any of the ECDHE or DHE suites, and keep the forward-secret suites first in the list:

...

/etc/xroad/conf.d/local.ini:

[proxy]
client-tls-protocols=TLSv1.2
client-tls-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

For example, TLS 1.3 can be enabled for connections between the Security Server and an information system with the following configuration. The TLS 1.3 cipher suites (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384) are named separately from the TLS 1.2 suites and must be listed in client-tls-ciphers alongside them; adding TLSv1.3 to client-tls-protocols alone is not enough, and the Security Server's Java runtime must support TLS 1.3 (OpenJDK 11 or later):

...

/etc/xroad/conf.d/local.ini:

[proxy]
client-tls-protocols=TLSv1.2,TLSv1.3
client-tls-ciphers=(other ciphers),TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
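The following script is an added example, not X-Road code, that lints the [proxy] client TLS settings of a local.ini against the rules this page states for both the IIS configuration and the TLS 1.3 configuration above: it rejects protocols other than TLSv1.2/TLSv1.3 and unknown suite names, warns about the TLS_RSA_* suites (no forward secrecy), warns about the (*) ECDHE suites when the platform is RHEL with OpenJDK, and flags TLSv1.3 enabled without a TLS 1.3 suite (or the reverse). The platform and openjdk parameters and the three local.ini fragments are constructed for the example.

```python
"""Lint the [proxy] client TLS settings of an X-Road Security Server local.ini.

Added example for this page; not part of X-Road. The suite lists below are
taken from the page; the platform/openjdk parameters are an assumption made
here to model the "(*) not supported in RHEL with OpenJDK" footnote.
"""
import configparser

# TLS 1.2 suites the page lists as supported by default.
TLS12_SUPPORTED = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Suites marked (*) on the page: not supported on RHEL when OpenJDK is used.
RHEL_OPENJDK_UNSUPPORTED = {s for s in TLS12_SUPPORTED if s.startswith("TLS_ECDHE_")}
# Static-RSA suites from the IIS example: valid, but without forward secrecy.
TLS12_STATIC_RSA = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
}
# TLS 1.3 suites from the page's TLS 1.3 example.
TLS13_SUPPORTED = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}
KNOWN_SUITES = TLS12_SUPPORTED | TLS12_STATIC_RSA | TLS13_SUPPORTED


def _split(value):
    """Split a comma-separated ini value, tolerating whitespace and wrapped lines."""
    return [item.strip() for item in value.replace("\n", "").split(",") if item.strip()]


def parse_proxy_tls(ini_text):
    """Return (protocols, ciphers) from [proxy]; missing keys use the page's defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    protocols = _split(cp.get("proxy", "client-tls-protocols", fallback="TLSv1.2"))
    raw = cp.get("proxy", "client-tls-ciphers", fallback=None)
    ciphers = _split(raw) if raw is not None else sorted(TLS12_SUPPORTED)
    return protocols, ciphers


def lint_proxy_tls(ini_text, platform="ubuntu", openjdk=True):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    protocols, ciphers = parse_proxy_tls(ini_text)
    rhel_openjdk = platform == "rhel" and openjdk

    for proto in protocols:
        if proto not in ("TLSv1.2", "TLSv1.3"):
            findings.append(("error", f"protocol {proto} is not TLSv1.2/TLSv1.3"))

    for suite in ciphers:
        if suite not in KNOWN_SUITES:
            findings.append(("error", f"unknown cipher suite {suite}"))
        elif suite in TLS12_STATIC_RSA:
            findings.append(("warning", f"{suite} has no forward secrecy"))
        elif rhel_openjdk and suite in RHEL_OPENJDK_UNSUPPORTED:
            findings.append(("warning", f"{suite} is not supported on RHEL with OpenJDK"))

    # TLS 1.3 suites are named separately and must be listed explicitly.
    has_tls13_suite = any(s in TLS13_SUPPORTED for s in ciphers)
    if "TLSv1.3" in protocols and not has_tls13_suite:
        findings.append(("error", "TLSv1.3 enabled but no TLS 1.3 cipher suite listed"))
    if has_tls13_suite and "TLSv1.3" not in protocols:
        findings.append(("warning", "TLS 1.3 cipher suites listed but TLSv1.3 not enabled"))

    # After removing unknown and platform-unsupported suites, TLS 1.2 still needs one.
    usable_tls12 = [s for s in ciphers if s in (TLS12_SUPPORTED | TLS12_STATIC_RSA)
                    and not (rhel_openjdk and s in RHEL_OPENJDK_UNSUPPORTED)]
    if "TLSv1.2" in protocols and not usable_tls12:
        findings.append(("error", "no usable TLS 1.2 cipher suite"))
    return findings


# Constructed sample: the page's IIS configuration with the list on one line.
IIS_LOCAL_INI = """\
[proxy]
client-tls-protocols=TLSv1.2
client-tls-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
"""
# Constructed sample: a concrete TLS 1.3 configuration in the shape of the page's example.
TLS13_LOCAL_INI = """\
[proxy]
client-tls-protocols=TLSv1.2,TLSv1.3
client-tls-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
"""
# Constructed sample: a misconfiguration (TLS 1.1, a 3DES suite, TLS 1.3 without its suites).
BROKEN_LOCAL_INI = """\
[proxy]
client-tls-protocols=TLSv1.1,TLSv1.3
client-tls-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA
"""

if __name__ == "__main__":
    for name, text in (("iis", IIS_LOCAL_INI), ("tls13", TLS13_LOCAL_INI), ("broken", BROKEN_LOCAL_INI)):
        print(name)
        for severity, message in lint_proxy_tls(text):
            print(f"  {severity}: {message}")
```

Run it against a copy of /etc/xroad/conf.d/local.ini before restarting xroad-proxy; the "rhel" platform check is the one that catches a list consisting only of ECDHE suites, which would leave the client proxy with no usable TLS 1.2 suite on that platform.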
