HTTPS Excluded Ciphers

Lists the weak ciphers that are excluded from the data-fabric HTTPS implementation.

By default, the following weak TLS/SSL ciphers are excluded from the data-fabric HTTPS implementation:

  • SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  • SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  • SSL_RSA_EXPORT_WITH_RC4_40_MD5
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA

Cipher Exclusion for Core Components

To exclude weak ciphers from the CLDB and Control System, you typically add the ciphers to the java.security file in the installed Java home path. However, the best practice for your JDK might be different. For information about enabling and disabling ciphers, consult your JDK documentation. In the following example, the ECDHE-RSA-AES256-GCM-SHA384 cipher has been added to java.security under its JSSE name, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
Updated java.security:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, TLS_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
Because the cipher is excluded, an openssl client connection to the CLDB that offers only this cipher fails with a handshake failure:
openssl s_client -connect 10.163.164.136:7443 -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
CONNECTED(00000005)
139705826673088:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 165 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1662472760
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: n
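
The following check is an added example, not part of the product documentation. It reads jdk.tls.disabledAlgorithms with its backslash line continuations and confirms from an openssl s_client transcript that the server refused the cipher. The function names and the sample strings are constructed for illustration.

```python
import re

# OpenSSL cipher name -> JSSE suite name (only the suite used in the example above).
OPENSSL_TO_JSSE = {"ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}

def disabled_algorithms(text, key="jdk.tls.disabledAlgorithms"):
    """Entries of `key`, joining backslash-continued lines as java.util.Properties does."""
    entries, pending = [], None
    for raw in text.splitlines() + [""]:          # trailing "" flushes a dangling continuation
        line = raw.lstrip()
        if pending is None and (not line or line[0] in "#!"):
            continue                              # blank line or comment
        line = (pending or "") + line
        if line.endswith("\\"):
            pending = line[:-1]                   # logical line continues on the next line
            continue
        pending = None
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:           # a later definition overrides an earlier one
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def negotiated_cipher(s_client_output):
    """Cipher from the 'New, <proto>, Cipher is <name>' line; None if nothing was negotiated."""
    m = re.search(r"^New, .*, Cipher is (\S+)", s_client_output, re.MULTILINE)
    return None if m is None or m.group(1) == "(NONE)" else m.group(1)

def exclusion_holds(openssl_name, java_security_text, s_client_output):
    """True only if the suite is listed as disabled AND the server refused it."""
    # Checks explicit suite names only, not component entries such as RC4 or DES.
    listed = OPENSSL_TO_JSSE[openssl_name] in disabled_algorithms(java_security_text)
    return listed and negotiated_cipher(s_client_output) is None

# Constructed samples modelled on the java.security entry and the transcript above.
GOOD = ("jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, TLS_AES_256_GCM_SHA384, "
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, DES, MD5withRSA, \\\n"
        "    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\\n"
        "    include jdk.disabled.namedCurves\n")
BROKEN = GOOD.replace(" \\\n", " \n")             # same entry with the continuation backslashes lost
REJECTED = "CONNECTED(00000005)\nNew, (NONE), Cipher is (NONE)\nVerify return code: 0 (ok)\n"
ACCEPTED = "CONNECTED(00000005)\nNew, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n"

if __name__ == "__main__":
    print(len(disabled_algorithms(GOOD)), "entries parsed;",
          len(disabled_algorithms(BROKEN)), "when the continuations are lost")
    print("exclusion holds:", exclusion_holds("ECDHE-RSA-AES256-GCM-SHA384", GOOD, REJECTED))
```

If the continuation backslashes are dropped while editing, the property ends at the first line and entries such as 3DES_EDE_CBC and the DH key-size constraint are no longer part of it, so compare the parsed list with the intended one after every change.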