By default, the client proxy supports TLS 1.2 and the cipher suites listed below when communicating with an information system:

(*) Not supported in RHEL when OpenJDK is used.

It is possible to test whether an information system supports the Security Server's default configuration by running the command below on the Security Server's host. The cipher string selects ephemeral Diffie-Hellman key exchange with RSA authentication and AES encryption and excludes SHA-1 based suites (in OpenSSL cipher strings, SHA means SHA-1):

openssl s_client -tls1_2 -cipher 'EDH+aRSA+AES:!SHA' -connect {HOST}:{PORT}

If the information system accepts one of the offered suites, the output contains a summary line of the form "New, TLSv1.2, Cipher is <name>"; if it rejects all of them, the handshake fails and the same line reads "New, (NONE), Cipher is (NONE)". Note that -cipher only governs TLS 1.2 and earlier; with OpenSSL 1.1.1 or later, TLS 1.3 suites are tested with -tls1_3 -ciphersuites instead.

Step-by-step guide

If the information system does not support the Security Server's default TLS version and/or cipher suites, the Security Server's defaults can be overridden in the file:

/etc/xroad/conf.d/local.ini

All configuration stored in /etc/xroad/conf.d/local.ini overrides the configuration defined in the other configuration files. local.ini is not overwritten during version updates, so the changes remain in place across X-Road versions. To return to a default value later, simply remove the key from local.ini.

The xroad-proxy service must be restarted for the changes to take effect.

sudo systemctl restart xroad-proxy

For example, when connecting an IIS web server to a Security Server, the following changes must be made to the Security Server's configuration in local.ini. The cipher suite list is one comma-separated value; note that it re-enables static RSA key exchange (TLS_RSA_*) and CBC suites, which lack forward secrecy and are weaker than the defaults, so include only the suites the information system actually requires:

/etc/xroad/conf.d/local.ini
[proxy]
client-tls-protocols=TLSv1.2
client-tls-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

For example, TLS 1.3 can be enabled for the connections between the Security Server and an information system with the following configuration. The Security Server's Java runtime must support TLS 1.3, and the TLS 1.3 suites are listed in client-tls-ciphers alongside the TLS 1.2 suites that remain in use:

/etc/xroad/conf.d/local.ini
[proxy]
client-tls-protocols=TLSv1.2,TLSv1.3
client-tls-ciphers=(other ciphers),TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
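The following script ties the openssl s_client check and the local.ini override together. It is an added example, not code from the X-Road project or from this article: it parses the handshake summary that openssl s_client prints, converts the OpenSSL cipher names it reports into the standard names that client-tls-ciphers expects, and prints a ready-to-paste [proxy] fragment with the cipher list on a single line. It assumes OpenSSL 1.1.1 or later, uses IS_HOST and IS_PORT as placeholder environment variables for the information system, and falls back to constructed sample output when they are unset so it runs offline.

```sh
#!/bin/sh
# Added example, not part of X-Road. Assumes OpenSSL 1.1.1+ output format and
# the placeholder variables IS_HOST / IS_PORT for the information system.

# OpenSSL cipher name -> standard name (IANA, as used by Java and local.ini).
# TLS 1.3 suites already carry the standard name in OpenSSL. Returns 1 for
# anything outside the suites this article lists.
to_std_name() {
  case "$1" in
    TLS_*)                       printf '%s\n' "$1" ;;
    ECDHE-RSA-AES128-GCM-SHA256) printf '%s\n' TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ;;
    ECDHE-RSA-AES128-SHA256)     printf '%s\n' TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ;;
    ECDHE-RSA-AES256-GCM-SHA384) printf '%s\n' TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ;;
    ECDHE-RSA-AES256-SHA384)     printf '%s\n' TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ;;
    DHE-RSA-AES128-GCM-SHA256)   printf '%s\n' TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ;;
    DHE-RSA-AES128-SHA256)       printf '%s\n' TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 ;;
    DHE-RSA-AES256-SHA256)       printf '%s\n' TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 ;;
    DHE-RSA-AES256-GCM-SHA384)   printf '%s\n' TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ;;
    AES256-SHA256)               printf '%s\n' TLS_RSA_WITH_AES_256_CBC_SHA256 ;;
    AES256-SHA)                  printf '%s\n' TLS_RSA_WITH_AES_256_CBC_SHA ;;
    AES128-SHA256)               printf '%s\n' TLS_RSA_WITH_AES_128_CBC_SHA256 ;;
    AES128-SHA)                  printf '%s\n' TLS_RSA_WITH_AES_128_CBC_SHA ;;
    *)                           return 1 ;;
  esac
}

# Reads s_client output on stdin. On a completed handshake prints
# "<protocol> <openssl cipher name>"; on failure prints nothing and returns 1
# (a refused handshake is reported as "New, (NONE), Cipher is (NONE)").
parse_handshake() {
  result=$(sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
  case "$result" in
    ""|"(NONE)"*) return 1 ;;
    *)            printf '%s\n' "$result" ;;
  esac
}

# Live probe of one suite (OpenSSL name) against host:port. TLS 1.3 suites are
# negotiated with -tls1_3 -ciphersuites, TLS 1.2 suites with -tls1_2 -cipher.
probe_cipher() {
  case "$3" in
    TLS_*) set -- -tls1_3 -ciphersuites "$3" -connect "$1:$2" ;;
    *)     set -- -tls1_2 -cipher "$3" -connect "$1:$2" ;;
  esac
  openssl s_client "$@" </dev/null 2>/dev/null | parse_handshake
}

# Emits the local.ini [proxy] section for a protocol list and OpenSSL cipher
# names; unknown names are skipped with a warning, the value stays on one line.
build_local_ini() {
  protocols=$1; shift
  ciphers=""
  for c in "$@"; do
    if std=$(to_std_name "$c"); then
      ciphers="${ciphers:+$ciphers,}$std"
    else
      printf 'skipping %s: no standard name known for this suite\n' "$c" >&2
    fi
  done
  printf '[proxy]\nclient-tls-protocols=%s\nclient-tls-ciphers=%s\n' "$protocols" "$ciphers"
}

# Constructed sample s_client output (no network needed): one accepted and one
# refused handshake.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
---'
SAMPLE_FAIL='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
---'

# Candidate suites, forward-secret ones first; only the accepted ones are emitted.
CANDIDATES='TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256'

if [ -n "${IS_HOST:-}" ] && [ -n "${IS_PORT:-}" ]; then
  protocols=""; accepted=""
  for c in $CANDIDATES; do
    if hs=$(probe_cipher "$IS_HOST" "$IS_PORT" "$c"); then
      proto=${hs%% *}
      case ",$protocols," in *",$proto,"*) ;; *) protocols="${protocols:+$protocols,}$proto" ;; esac
      accepted="$accepted $c"
    fi
  done
  build_local_ini "$protocols" $accepted
else
  printf '%s\n' "$SAMPLE_OK" | parse_handshake
  build_local_ini TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA
fi
```

Run it as IS_HOST=<host> IS_PORT=<port> sh probe.sh against the information system, paste the printed [proxy] section into /etc/xroad/conf.d/local.ini and restart xroad-proxy. The mapping table is deliberately limited to the suites this article lists, so an information system that only offers something outside that set shows up as a skipped name rather than silently widening the Security Server's configuration.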
