Setting HTTP SSL Ciphers
For an increased level of HTTP SSL security in TIBCO MFT Internet Server, running the server in FIPS mode is recommended.
If your MFT server is not running in FIPS mode, but higher HTTP SSL cipher strengths are still required for client connections, you can restrict the ciphers the HTTP connector accepts as described in the procedure below.
By default ciphers are set to the TLS protocol using 128-bit encryption or higher.
Procedure
- Edit the following MFT configuration file to enforce certain SSL ciphers:
MFTIS_Install/server/conf/server.xml
Within this file is a default HTTP connector, as seen in the example below:
<Connector SSLEnabled="true"
  URIEncoding="UTF-8"
  acceptCount="128"
  ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"
  clientAuth="false"
  compression="off"
  connectionLinger="-1"
  connectionTimeout="60000"
  disableUploadTimeout="true"
  enableLookups="true"
  keystoreFile="C:\MFTIS\keystore\keystore.jks"
  keystorePass="changeit"
  keystoreType="JKS"
  maxKeepAliveRequests="100"
  maxThreads="150"
  port="443"
  protocol="org.apache.coyote.http11.Http11Protocol"
  proxyPort="0"
  redirectPort="-1"
  scheme="https"
  secure="true"
  server="MFTServer"
  socket.txBufSize="131072"
  sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
  sslProtocol="TLS"
  tcpNoDelay="true"
  trustManagerClassName="com.proginet.sift.tomcat.ssldap.TrustAllMgr"/>
Below is an example that will force client connections to maintain cipher strengths of 128-bit or greater:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"
Below is another example that will force client connections to maintain cipher strengths of 256-bit or greater.
Note: Only certain browsers will support 256-bit cipher strength. The ciphers in this example are from Oracle Java 8 update 40.
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
Taking the example above and limiting the ciphers in the default Connector shows how this would be changed. Limiting the cipher list to a single suite is not realistic and is done here only for demonstration purposes:
<Connector SSLEnabled="true"
  URIEncoding="UTF-8"
  acceptCount="128"
  ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
  clientAuth="false"
  compression="off"
  connectionLinger="-1"
  connectionTimeout="60000"
  disableUploadTimeout="true"
  enableLookups="true"
  keystoreFile="C:\MFTIS\keystore\keystore.jks"
  keystorePass="changeit"
  keystoreType="JKS"
  maxKeepAliveRequests="100"
  maxThreads="150"
  port="443"
  protocol="org.apache.coyote.http11.Http11Protocol"
  proxyPort="0"
  redirectPort="-1"
  scheme="https"
  secure="true"
  server="MFTServer"
  socket.txBufSize="131072"
  sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
  sslProtocol="TLS"
  tcpNoDelay="true"
  trustManagerClassName="com.proginet.sift.tomcat.ssldap.TrustAllMgr"/>
- Once you have saved your changes, you must restart the application server.
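As an added check after editing server.xml (example code written for this page, not part of the TIBCO documentation or the MFT product), the following Python script locates the Connector with SSLEnabled="true", splits its ciphers attribute, and audits each suite against a minimum key size of 128 or 256 bits, mirroring the restriction the procedure above applies by hand. The server.xml embedded in the script is a constructed sample whose cipher list deliberately mixes strong and weak suites (it is not the MFT default list), and the rules for what counts as weak (NULL, export, anonymous, RC4, DES/3DES, MD5 suites, and TLSv1/TLSv1.1 in sslEnabledProtocols) are the script's own policy assumptions rather than anything this page states.

```python
"""Audit the ciphers and sslEnabledProtocols attributes of the SSL-enabled
Tomcat Connector in a server.xml against a minimum key-strength policy.
Added example, not TIBCO code; standard library only."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed server.xml with one HTTPS Connector. The cipher
# list is deliberately mixed so the audit has something to flag.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector SSLEnabled="true" port="443" scheme="https" secure="true"
      sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS"
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA"/>
  </Service>
</Server>
"""

# Policy assumption: substrings that mark a suite as unacceptable regardless of
# nominal key size (no encryption, export grade, anonymous key exchange, RC4,
# DES/3DES, MD5 MAC).
WEAK_MARKERS = ("_NULL_", "_EXPORT", "_anon_", "_RC4_", "_DES_", "_3DES_", "_MD5")

# Policy assumption: protocol versions that should no longer be offered
# (TLS 1.0 and 1.1 were formally deprecated by RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def cipher_key_bits(suite):
    """Symmetric key length implied by a JSSE cipher-suite name, or None if unknown."""
    if "_NULL_" in suite or "_EXPORT" in suite:
        return 0
    if "_3DES_" in suite:
        return 112  # 168-bit key, roughly 112-bit effective strength
    if "_DES_" in suite:
        return 56
    if "_CHACHA20_" in suite:
        return 256
    if "_SEED_" in suite:
        return 128
    m = re.search(r"_(?:AES|CAMELLIA|ARIA|RC4)_(\d+)_", suite)
    return int(m.group(1)) if m else None


def classify_cipher(suite, min_bits):
    """Return None when the suite meets policy, otherwise a short reason string."""
    for marker in WEAK_MARKERS:
        if marker in suite:
            return f"broken or unsupported algorithm ({marker.strip('_')})"
    bits = cipher_key_bits(suite)
    if bits is None:
        return "unrecognised suite name"
    if bits < min_bits:
        return f"{bits}-bit key below {min_bits}-bit minimum"
    return None


def _split_list(value):
    """Split a comma-separated Tomcat attribute value, dropping surrounding spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]


def ssl_connector_settings(xml_text):
    """Return (ciphers, protocols) from the first Connector with SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            return (_split_list(conn.get("ciphers", "")),
                    _split_list(conn.get("sslEnabledProtocols", "")))
    raise ValueError("no SSLEnabled Connector found in server.xml")


def audit_server_xml(xml_text, min_bits=128):
    """Partition the connector's ciphers into accepted/weak and list deprecated protocols."""
    ciphers, protocols = ssl_connector_settings(xml_text)
    report = {"accepted": [], "weak": {}, "deprecated_protocols": []}
    for suite in ciphers:
        reason = classify_cipher(suite, min_bits)
        if reason:
            report["weak"][suite] = reason
        else:
            report["accepted"].append(suite)
    report["deprecated_protocols"] = [p for p in protocols if p in DEPRECATED_PROTOCOLS]
    return report


if __name__ == "__main__":
    # Run the same file against both policies discussed on this page.
    for policy in (128, 256):
        result = audit_server_xml(SAMPLE_SERVER_XML, min_bits=policy)
        print(f"policy: minimum {policy}-bit")
        for suite in result["accepted"]:
            print("  OK   ", suite)
        for suite, why in result["weak"].items():
            print("  WEAK ", suite, "-", why)
        if result["deprecated_protocols"]:
            print("  PROTO", ", ".join(result["deprecated_protocols"]), "still enabled")
```

To audit a real installation, replace SAMPLE_SERVER_XML with the contents of MFTIS_Install/server/conf/server.xml; any suite reported as WEAK is one to drop from the ciphers attribute before restarting the application server.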
Copyright © 2021. Cloud Software Group, Inc. All Rights Reserved.