HTTPS Excluded Ciphers
Lists the weak ciphers that are excluded from the data-fabric HTTPS implementation.
By default, the following weak TLS/SSL ciphers are excluded from the data-fabric HTTPS implementation:
-
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
-
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
-
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Cipher Exclusion for Core Components
To exclude weak ciphers from the CLDB and Control System, typically you must
add the ciphers to the
java.security
file in the installed
java home path. However, the best practice for your JDK might be different.
For information about enabling and disabling ciphers, consult your JDK
documentation. In the following example, the
ECDHE-RSA-AES256-GCM-SHA384
cipher has been added to
java.security
:updated: java.security
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, TLS_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, DES, MD5withRSA,
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL,
include jdk.disabled.namedCurves
Because the cipher is excluded, using the
openssl
client to connect to the CLDB using this
cipher results in a handshake failure:
openssl s_client -connect 10.163.164.136:7443 -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
CONNECTED(00000005)
139705826673088:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 165 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1662472760
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: n