By default, the client proxy supports TLS 1.2 and the cipher suites listed below when communicating with an information system:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256*
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256*
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384*
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384*
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
(*) Not supported in RHEL when OpenJDK is used.
Info: The "xroad-proxy" service must be restarted to make the changes effective.
For example, when connecting an IIS web server to a Security Server, the following changes must be made to the Security Server's configuration in local.ini:
/etc/xroad/conf.d/local.ini:

[proxy]
client-tls-protocols=TLSv1.2
client-tls-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA
For example, TLS 1.3 can be enabled in the connections between the Security Server and an information system using the following configuration:
/etc/xroad/conf.d/local.ini:

[proxy]
client-tls-protocols=TLSv1.2,TLSv1.3
client-tls-ciphers=(other ciphers),TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
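Both examples above edit the same two keys under [proxy], and a mismatch between them is easy to make: listing the TLS 1.3 suites while client-tls-protocols still says only TLSv1.2, leaving one of the (*) suites in place on RHEL with OpenJDK, or copying the IIS list (whose TLS_RSA_* entries use static RSA key exchange and therefore give no forward secrecy) into a deployment that does not need it. The following script is an added example, not part of X-Road: it parses a local.ini fragment with Python's configparser and reports such findings before you restart xroad-proxy. The suite sets are the ones printed on this page; the sample INI texts are constructed, and the `rhel_openjdk` flag is the script's own parameter, not an X-Road setting.

```python
"""Review the [proxy] client TLS settings of an X-Road local.ini.

Added example, not X-Road project code. It only looks at the two keys
documented on the page (client-tls-protocols, client-tls-ciphers); the
suite sets below are copied from the page, and the RHEL/OpenJDK
restriction is the page's (*) footnote.
"""
import configparser
from typing import List

# Default TLS 1.2 suites of the client proxy (from the page).
DEFAULT_TLS12_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Suites marked (*) on the page: not supported on RHEL when OpenJDK is used.
NOT_ON_RHEL_OPENJDK = {s for s in DEFAULT_TLS12_SUITES if s.startswith("TLS_ECDHE_")}
# Static-RSA suites that appear only in the page's IIS example (no forward secrecy).
STATIC_RSA_SUITES = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
}
# TLS 1.3 suites from the page's TLS 1.3 example.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}


def _split(value: str) -> List[str]:
    """Split a comma-separated INI value, tolerating spaces after commas."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_proxy_tls(ini_text: str, rhel_openjdk: bool = False) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag.

    rhel_openjdk is this script's own parameter: set it when the Security
    Server runs on RHEL with OpenJDK so the (*) suites are reported.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if "proxy" not in cp:
        return ["no [proxy] section: the built-in defaults apply"]
    section = cp["proxy"]
    protocols = _split(section.get("client-tls-protocols", "TLSv1.2"))
    ciphers = _split(section.get("client-tls-ciphers", ""))
    findings: List[str] = []

    # Anything below the documented TLS 1.2 default is a downgrade.
    for proto in protocols:
        if proto not in ("TLSv1.2", "TLSv1.3"):
            findings.append(f"protocol {proto}: older than the TLS 1.2 default")
    tls13_enabled = "TLSv1.3" in protocols

    known = DEFAULT_TLS12_SUITES | STATIC_RSA_SUITES | TLS13_SUITES
    for suite in ciphers:
        if suite not in known:
            findings.append(f"cipher {suite}: not among the suites documented for the client proxy")
        if suite in TLS13_SUITES and not tls13_enabled:
            findings.append(f"cipher {suite}: TLS 1.3 suite but TLSv1.3 is not in client-tls-protocols")
        if suite in STATIC_RSA_SUITES:
            findings.append(f"cipher {suite}: static RSA key exchange, no forward secrecy")
        if rhel_openjdk and suite in NOT_ON_RHEL_OPENJDK:
            findings.append(f"cipher {suite}: not supported on RHEL with OpenJDK")
    if tls13_enabled and not any(s in TLS13_SUITES for s in ciphers):
        findings.append("TLSv1.3 enabled but no TLS 1.3 suite in client-tls-ciphers")
    return findings


# Constructed sample: TLS 1.3 suite listed without enabling TLSv1.3, plus a static-RSA suite.
SAMPLE_MISCONFIGURED = """\
; constructed sample, not a real deployment file
[proxy]
client-tls-protocols=TLSv1.2
client-tls-ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA
"""

# Constructed sample: forward-secret TLS 1.2 suites plus the page's TLS 1.3 suites.
SAMPLE_CORRECTED = """\
[proxy]
client-tls-protocols=TLSv1.2,TLSv1.3
client-tls-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
"""

if __name__ == "__main__":
    for name, text in (("misconfigured", SAMPLE_MISCONFIGURED), ("corrected", SAMPLE_CORRECTED)):
        print(f"{name}:")
        for finding in check_proxy_tls(text) or ["ok"]:
            print("  -", finding)
    print("corrected, on RHEL with OpenJDK:")
    for finding in check_proxy_tls(SAMPLE_CORRECTED, rhel_openjdk=True):
        print("  -", finding)
```

Run it against the real file with `check_proxy_tls(open("/etc/xroad/conf.d/local.ini").read())`; a finding is a reason to re-read the two keys together before restarting the xroad-proxy service, since the proxy only negotiates a TLS 1.3 suite when TLSv1.3 is also listed in client-tls-protocols.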