Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 19 Using the SSL Protocol : Specifying Cipher Suites

Specifying Cipher Suites
On the EMS server, specify cipher suites using the ssl_server_ciphers configuration parameter in tibemsd.conf. For more information about server configuration files, see Chapter 7, Using the Configuration Files.
For clients connecting with a connection factory, specify cipher suites using the ssl_ciphers connection factory parameter. For more information, see Configuring SSL in EMS Clients.
Syntax for Cipher Suites
EMS uses OpenSSL for SSL support, so you can specify each cipher suite by its OpenSSL name.
The usual way to specify more than one cipher suite is to separate the suite names with a colon (:) character. Alternatively, you can use spaces and commas to separate names.
Java Client Syntax
The syntax for specifying the list of cipher suites is different for Java clients than for any other location where cipher suites can be specified. For Java clients, you specify a qualifier (for example, + to add the suite) followed by the cipher suite name. Cipher suite names are case-sensitive. Table 82 describes the qualifiers you can use when specifying cipher suite names in a ConnectionFactory for Java clients.
 
This example specifies cipher suites in the ssl_ciphers connection factory parameter in a Java client:
-ALL:+RC4-MD5:+DES-CBC-SHA:<DES-CBC3-SHA
This example specifies cipher suites using full names:
-ALL:+SSL_RSA_WITH_RC4_128_MD5:+SSL_RSA_WITH_DES_CBC_SHA:<SSL_RSA_WITH_3DES_EDE_CBC_SHA
Syntax for All Other Cipher Suite Specifications
For any cipher suite list that is not specified in a connection factory of a Java client, use the OpenSSL syntax. In particular, C clients and the ssl_server_ciphers configuration parameter require OpenSSL syntax.
In OpenSSL syntax, specifying a cipher suite name adds that cipher suite to the list. Each cipher suite name can be preceded by a qualifier. Cipher suite names are case-sensitive. Table 83 describes the qualifiers available using OpenSSL syntax.
 
If the / does not prefix the cipher list, then EMS prefixes the cipher list with the OpenSSL cipher string DEFAULT.
This example specifies cipher suites in the ssl_server_ciphers configuration parameter.
ssl_server_ciphers = -ALL:RC4-MD5:DES-CBC-SHA:DES-CBC3-SHA
This example disables RC4-MD5, then adds all other ciphers:
ssl_server_ciphers = !RC4-MD5:ALL
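The following added example (not part of the TIBCO documentation or product) shows one way to review an ssl_server_ciphers value before deploying it: it walks an OpenSSL-syntax list in order, reports whether the DEFAULT prefix described above is still in effect, and lists explicitly added suites whose names contain a weak-algorithm marker. The function names, the WEAK_MARKERS list and the sample configuration text are assumptions of this example; it handles OpenSSL syntax only, not the Java client qualifiers.

```python
import re

# Substrings treated as weak here (an assumption of this example, not an EMS list).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "SSLv2")


def extract_cipher_list(conf_text):
    """Return the ssl_server_ciphers value from tibemsd.conf text, or None."""
    m = re.search(r"^\s*ssl_server_ciphers\s*=\s*(.+?)\s*$", conf_text, re.M)
    return m.group(1) if m else None


def audit(cipher_list):
    """Walk an OpenSSL-syntax cipher list in order and report what it enables."""
    s = cipher_list.strip()
    # Per the page: without a leading "/", EMS prepends OpenSSL's DEFAULT.
    default_active = not s.startswith("/")
    tokens = [t for t in re.split(r"[:, ]+", s.lstrip("/")) if t]
    added, banned, broad = [], set(), []
    for tok in tokens:
        if tok[0] in "!-":                  # "!" removes permanently, "-" removes
            name = tok[1:]
            if tok[0] == "!":
                banned.add(name)
            if name == "ALL":               # wipes everything so far, DEFAULT too
                added, broad, default_active = [], [], False
            else:
                added = [a for a in added if a != name]
        elif tok[0] in "+@":                # "+" reorders, "@" sorts: nothing added
            continue
        elif tok in banned:                 # "!" cannot be undone by re-adding
            continue
        elif tok in ("ALL", "DEFAULT"):     # broad keywords, reported separately
            broad.append(tok)
        else:
            added.append(tok)
    weak = [a for a in added if any(m in a for m in WEAK_MARKERS)]
    return {"default_active": default_active, "broad": broad, "weak": weak}


# Constructed config text reusing the two ssl_server_ciphers values shown above.
SAMPLE_A = "ssl_server_ciphers = -ALL:RC4-MD5:DES-CBC-SHA:DES-CBC3-SHA\n"
SAMPLE_B = "ssl_server_ciphers = !RC4-MD5:ALL\n"

if __name__ == "__main__":
    for conf in (SAMPLE_A, SAMPLE_B):
        value = extract_cipher_list(conf)
        print(value, "->", audit(value))
```

For the first value the report lists all three suites as weak and shows DEFAULT cleared by -ALL; for the second, DEFAULT stays in effect and ALL is reported as a broad keyword.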
Default Cipher List
The EMS server and C client library hard-code a default cipher list, which is equivalent to ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH.
Supported Cipher Suites
In general, the EMS server and C client library support all cipher suites that OpenSSL supports, except IDEA, RC-5 and CAST. For a complete list, see current OpenSSL documentation.
Supported Cipher Suites for Java Clients
Java clients support only the cipher suites listed in Table 84. For convenience, the table lists both the standard name and the OpenSSL name for each cipher suite.
 
Supported Cipher Suites for .NET Clients
.NET clients support only the following cipher suites:
 
