How to Configure Enabled TLS Versions and Cipher Suites for Client Proxy?

By default, the client proxy supports TLS 1.2 and the cipher suites listed below when communicating with an information system:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256*

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256*

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384*

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384*

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

(*) Not supported in RHEL when OpenJDK is used.

Whether an information system accepts the Security Server's default configuration can be checked by issuing the command below on the Security Server's host. The cipher string selects DHE-RSA AES suites without SHA-1 MACs, i.e. the TLS_DHE_RSA_* entries of the list above; the TLS_ECDHE_RSA_* entries are not exercised by this command, and a successful handshake reports only the one suite that was negotiated:

openssl s_client -tls1_2 -cipher 'EDH+aRSA+AES:!SHA' -connect {HOST}:{PORT}
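The script below is an added example and is not part of the X-Road documentation or code base. Instead of one handshake with a cipher string, it offers every default suite (and the two TLS 1.3 suites used later on this page) to the information system in a separate handshake, so you get a full accepted/rejected picture before deciding what to put in local.ini. It assumes OpenSSL 1.1.1 or newer on PATH; HOST and PORT are placeholders for the information system's endpoint, the suite-name translation is this example's own helper, and the embedded s_client output is a constructed sample used only to exercise the parser offline.

```sh
#!/bin/sh
# Added example for this article; not part of X-Road's documentation or code.
# Probes an information system endpoint with openssl s_client, one handshake
# per suite, and reports which of the client proxy's default suites (plus the
# two TLS 1.3 suites) the information system accepts.
# Assumes OpenSSL 1.1.1 or newer on PATH. HOST and PORT are placeholders
# supplied on the command line; no real endpoint is assumed.
#
# Usage: sh probe_is_tls.sh HOST PORT

# The client proxy's default suites, in the IANA names local.ini uses.
DEFAULT_SUITES="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"

# TLS 1.3 suites; openssl uses the IANA names for these unchanged.
TLS13_SUITES="TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384"

# Translate an IANA suite name into the name openssl's -cipher option expects:
# drop the TLS_ prefix, turn _WITH_ and _ into dashes, join AES-128 into AES128,
# drop the implicit CBC, and drop the key-exchange prefix of static RSA suites
# (TLS_RSA_WITH_AES_128_CBC_SHA is AES128-SHA in openssl).
iana_to_openssl() {
  case $1 in
    TLS_AES_*|TLS_CHACHA20_*) printf '%s\n' "$1"; return ;;
  esac
  printf '%s\n' "$1" | sed \
    -e 's/^TLS_//' \
    -e 's/_WITH_/-/' \
    -e 's/_/-/g' \
    -e 's/AES-\([0-9][0-9]*\)/AES\1/' \
    -e 's/-CBC//' \
    -e 's/^RSA-//'
}

# Read s_client output on stdin and print "<protocol> <cipher>" taken from its
# SSL-Session block. A failed handshake leaves "Cipher    : 0000" there.
negotiated() {
  awk -F': *' '
    /^ *Protocol *:/ { p = $2; gsub(/[ \t\r]/, "", p) }
    /^ *Cipher *:/   { c = $2; gsub(/[ \t\r]/, "", c) }
    END { print p, c }'
}

# Offer exactly one suite to HOST:PORT and report whether it was accepted.
probe_suite() {
  host=$1; port=$2; suite=$3
  ossl=$(iana_to_openssl "$suite")
  case $suite in
    TLS_AES_*|TLS_CHACHA20_*) set -- -tls1_3 -ciphersuites "$ossl" ;;
    *)                        set -- -tls1_2 -cipher "$ossl" ;;
  esac
  # stdin from /dev/null makes s_client exit right after the handshake.
  result=$(openssl s_client "$@" -connect "$host:$port" </dev/null 2>/dev/null | negotiated)
  case $result in
    *" $ossl") echo "accepted  $suite ($result)" ;;
    *)         echo "rejected  $suite" ;;
  esac
}

probe_all() {
  for s in $DEFAULT_SUITES $TLS13_SUITES; do
    probe_suite "$1" "$2" "$s"
  done
}

# Constructed sample of the lines s_client prints after a TLS 1.2 handshake
# (not captured from any real system), so the parser can be exercised offline.
SAMPLE_OUTPUT='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

parse_sample() {
  printf '%s\n' "$SAMPLE_OUTPUT" | negotiated
}

# Only touch the network when an endpoint is given on the command line.
if [ $# -ge 2 ]; then
  probe_all "$1" "$2"
fi
```

Run it on the Security Server's host, since that is where the production connection originates. The result tells you what the information system accepts from OpenSSL, which is not necessarily what the proxy's Java runtime will offer (see the RHEL/OpenJDK note in the list above), so treat it as the upper bound of suites worth enabling. If a suite is reported as rejected, rerun that single openssl s_client call without 2>/dev/null to see the alert the information system sent.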

Step-by-step guide

If the information system does not support the Security Server's default TLS version and/or cipher suites, the defaults can be overridden using the file:

/etc/xroad/conf.d/local.ini

All the configuration stored in /etc/xroad/conf.d/local.ini overrides configuration defined in other configuration files. The local.ini file is not overwritten during version updates so all the changes remain untouched over different X-Road versions. If you want to return to a default value at a later point, just remove the value from local.ini.

The xroad-proxy service must be restarted to make the changes effective.

sudo systemctl restart xroad-proxy

For example, when connecting an IIS web server to a Security Server, the following changes to the Security Server's configuration must be made in local.ini. Note that the added TLS_RSA_* suites use static RSA key exchange and therefore provide no forward secrecy, and the two *_CBC_SHA suites use SHA-1 HMACs; enable only the suites the information system actually requires, and prefer configuring IIS to offer the ECDHE suites where that is possible:

/etc/xroad/conf.d/local.ini
[proxy]
client-tls-protocols=TLSv1.2
client-tls-ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA

For example, TLS 1.3 can be enabled in the connections between the Security Server and an information system using the following configuration. TLS 1.3 has its own cipher suite names, so the TLS 1.2 suites must remain in the list for as long as TLSv1.2 stays enabled, and the Java runtime the proxy runs on must itself support TLS 1.3:

/etc/xroad/conf.d/local.ini
[proxy]
client-tls-protocols=TLSv1.2,TLSv1.3
client-tls-ciphers=(other ciphers),TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
