Is it currently possible to disable TLSv1 and only use 1.1 or 1.2?
Yes, you can add the following JVM flag to ignition.conf and restart the gateway:
-DexcludedCiphers=TLSv1
This accepts a comma-separated list of exclusions if you need to exclude more.
Just be aware that if you disable TLSv1, you won’t be able to use any clients running on Java 6.
The "-DexcludedCiphers=TLSv1" exclude worked, and yes by disabling TLSv1 it also insures the client end to upgrade their Java as well so that is not a problem.
Now one other issue I have found. Previously I had the following;
wrapper.java.additional.6=-> Dciphers=TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
However when doing Digicert lookup it showed the following;
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Which I would not want enabled. This is in /etc/ignition/ignition.conf. Is there another config file where it is reading the ciphers to use?
No, there’s no other file. However, you can include both ciphers and protocols in your excluded ciphers list, as comma separated values.
Kathy thanks for a quick reply!
I think I am doing something wrong, because the following ciphers are still showing up (or the test is wrong). I am using https://cryptoreport.websecurity.symantec.com/checker/ for a quick test. What I have in ignition.conf exactly is;
wrapper.java.additional.8=-Dciphers=TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
wrapper.java.additional.8=-DexcludedCiphers=TLSv1,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
This is ideally what I am targeting, but I am still showing after restart:
Cipher suites enabled:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Should I include the ciphers on a separate line from the protocol exclusion?
Looks like those two are supported by TLS v1.2, so yeah, you’ll need to exclude them specifically. Exclude them on the same line, but IIRC sometimes you need to use an alias, so also try excluding DES-CBC3-SHA and DHE-RSA-DES-CBC3-SHA to see if that helps.
So I have now tried this;
wrapper.java.additional.5=-DexcludedCiphers=TLSv1,DES-CBC3-SHA,DHE-RSA-DES-CBC3-SHA
While TLSv1 is now disabled, ssl security scan shows that DES and 3DES are still an option. Is there another method or am I possibly using the wrong name for the ciphers?