By default, the client proxy supports TLS 1.2 and the cipher suites listed below when communicating with an information system:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256*
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256*
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384*
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384*
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
(*) Not supported in RHEL when OpenJDK is used.
It is possible to test whether an information system supports the Security Server's default configuration by issuing the command below on the Security Server's host (the cipher string selects the ephemeral-DH, RSA-authenticated AES suites without SHA-1, i.e. the TLS_DHE_RSA entries in the list above):
openssl s_client -tls1_2 -cipher 'EDH+aRSA+AES:!SHA' -connect {HOST}:{PORT}
In case the Security Server's default configuration does not support the TLS version and/or cipher suite(s) required by the information system, the default configuration can be overridden using the file:
/etc/xroad/conf.d/local.ini
All the configuration stored in /etc/xroad/conf.d/local.ini overrides configuration defined in other configuration files. The local.ini file is not overwritten during version updates, so all the changes remain untouched over different X-Road versions. If you want to return to a default value at a later point, just remove the value from local.ini.
For example, when connecting an IIS web server to a Security Server, the following changes to the Security Server's configuration must be done using local.ini:
[proxy]
client-tls-protocols=TLSv1.2
client-tls-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA
For example, TLS 1.3 can be enabled in the connections between the Security Server and an information system using the following configuration:
[proxy]
client-tls-protocols=TLSv1.2,TLSv1.3
client-tls-ciphers=(other ciphers),TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
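Once the [proxy] keys above have been edited a few times it is easy to end up with a list that mixes weak suites with strong ones, or to add TLSv1.3 to client-tls-protocols without adding any TLS 1.3 suite to client-tls-ciphers, in which case TLS 1.3 is never negotiated. The script below is an added example and is not part of X-Road or its documentation: it reads the two keys from a local.ini, flags the TLS_RSA_* suites from the IIS example (static RSA key exchange, no forward secrecy), CBC-mode and SHA-1 suites, obsolete protocol names, and a TLSv1.3 entry without a matching suite. The sample INI text is constructed for the example and the parsing rules (comma-separated values, surrounding whitespace ignored) are an assumption based on the snippets on this page.

```python
"""Audit the [proxy] TLS client settings of an X-Road local.ini.

Added example, not X-Road project code. Assumes client-tls-protocols and
client-tls-ciphers are comma-separated lists, as in the snippets above.
"""
import configparser

# Constructed sample: part of the IIS example plus TLSv1.3 enabled without
# any TLS 1.3 suite, which is the mismatch the audit should report.
SAMPLE_LOCAL_INI = """\
[proxy]
client-tls-protocols=TLSv1.2,TLSv1.3
client-tls-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA
"""

# The default TLS 1.2 suites listed at the top of the page.
DEFAULT_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]

# TLS 1.3 suites have no key-exchange/auth prefix; these are the IANA names.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

OBSOLETE_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def _split_list(value):
    """Split a comma-separated INI value and drop surrounding whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_proxy_tls(ini_text):
    """Return (protocols, ciphers) from the [proxy] section of local.ini text.

    Missing keys fall back to the page's defaults: TLS 1.2 and DEFAULT_SUITES.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    protocols = _split_list(cp.get("proxy", "client-tls-protocols", fallback="TLSv1.2"))
    ciphers_raw = cp.get("proxy", "client-tls-ciphers", fallback=None)
    ciphers = _split_list(ciphers_raw) if ciphers_raw is not None else list(DEFAULT_SUITES)
    return protocols, ciphers


def audit(protocols, ciphers):
    """Return a list of human-readable findings; an empty list means no issue."""
    findings = []
    for suite in ciphers:
        if suite.startswith("TLS_RSA_WITH_"):
            findings.append(f"{suite}: static RSA key exchange, no forward secrecy")
        if "_CBC_" in suite:
            findings.append(f"{suite}: CBC mode, prefer an AEAD (GCM) suite")
        if suite.endswith("_SHA"):
            findings.append(f"{suite}: SHA-1 MAC")
    for proto in protocols:
        if proto in OBSOLETE_PROTOCOLS:
            findings.append(f"{proto}: obsolete protocol version")
    # TLS 1.3 is only negotiated if at least one TLS 1.3 suite is configured.
    if "TLSv1.3" in protocols and not TLS13_SUITES.intersection(ciphers):
        findings.append("TLSv1.3 enabled but no TLS 1.3 suite (TLS_AES_*) in client-tls-ciphers")
    return findings


if __name__ == "__main__":
    protos, suites = parse_proxy_tls(SAMPLE_LOCAL_INI)
    for line in audit(protos, suites) or ["no findings"]:
        print(line)
```

Point parse_proxy_tls at the contents of /etc/xroad/conf.d/local.ini to audit a live host; for the constructed sample the audit reports the three problems with TLS_RSA_WITH_AES_128_CBC_SHA, the CBC suite, and the missing TLS 1.3 suite. Run against the page's default list with TLSv1.2 only, it reports just the four CBC suites.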