The last 8.0.3 early access build includes a new config page titled “Web Server” under the “Networking” section along with significant changes to how SSL / TLS is managed. Following are the details:
The following properties may now be configured from the Gateway config web interface:
- HTTP Port
- HTTPS Port
- Force Secure Redirect
- Included Cipher Suites
- Excluded Cipher Suites
Changes to these properties take effect on the running Gateway immediately (no restart required). Be aware of this, since applying a change will affect any existing connections to the Gateway.
HTTP and HTTPS ports continue to be persisted in gateway.xml with properties
The force secure redirect flag is persisted in gateway.xml with property gateway.forceSecureRedirect and defaults to false. When set to true, the Gateway will redirect all HTTP traffic to HTTPS if HTTPS is set up (more on this below). This option supersedes the “Use SSL” option which used to exist in the “Gateway Settings” page and has now been removed.
User included and excluded cipher suites are now persisted as a JSON-encoded array of strings in gateway.xml with properties gateway.excludedCipherSuites respectively. When the Gateway starts up, if these properties are not set in gateway.xml, it will read any values from the system properties excludedCiphers (where they were previously set) and write them to gateway.xml.
Note: changing these properties directly in the gateway.xml file on the filesystem will not affect the running Gateway until it is restarted. Only changes through the Gateway web interface take immediate effect without a restart.
SSL / TLS Setup
Prior to 8.0.3, setting up a CA-signed SSL certificate was a major pain point. We aim to improve that experience by introducing an SSL / TLS setup wizard in the new Web Server config page. The wizard guides you through generating a CSR and uploading the server and CA certificates in the right order.
On upgrade, if SSL was already set up, it will continue to work. On fresh installs, however, SSL / TLS is not set up by default: you must go through the SSL / TLS setup wizard to install an SSL certificate before HTTPS is enabled.
Note that it is also possible to delete the SSL certificate installed on the Gateway, which will disable SSL / TLS.
The Gateway’s SSL key store is now persisted in $IGNITION/webserver/ssl.pfx, formatted as a PKCS12 key store, an open standard supported by tools such as openssl. The alias of the certificate chain and private key can be set using the system property ignition.ssl.keystore.alias (defaults to ignition) and the password can be set using the system property ignition.ssl.keystore.password (also defaults to
Note: changing the key store file directly on the filesystem will not affect a running Gateway until it is restarted. Only changes through the Gateway web interface take immediate effect without requiring a restart.
Stronger Default Cipher Suites
The following cipher suites have been excluded by default in order to increase the strength of the default SSL / TLS profile of the Gateway:
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
If you experience any issues connecting to the SSL port of the Gateway using the launchers, download the latest launchers from the Gateway, which add support for the stronger cipher suites. As an alternative workaround, you could weaken your cipher suites by including one of the above, but that is not recommended.
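To make the cipher suite persistence described above and the "not recommended" re-inclusion workaround concrete, here is an added audit script (not part of Ignition or of this announcement). It reads the included/excluded cipher suite properties from a gateway.xml, falls back to the legacy system properties when the new properties are absent, and reports whether any suite that 8.0.3 excludes by default has been re-included. Assumptions, labelled in the code: gateway.xml uses the Java properties XML layout (`<entry key="...">`), the included-suites property and legacy system property are named `gateway.includedCipherSuites` and `includedCiphers` (the page gives only the excluded names), and the legacy system properties hold a comma-separated list. The sample gateway.xml and system properties are constructed for the example.

```python
import json
import xml.etree.ElementTree as ET

# Cipher suites the announcement says 8.0.3 excludes by default.
DEFAULT_EXCLUDED = frozenset({
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
})

# Property names. gateway.excludedCipherSuites and gateway.forceSecureRedirect
# are from the announcement; the included-suites names are ASSUMED.
PROP_INCLUDED = "gateway.includedCipherSuites"   # assumed name
PROP_EXCLUDED = "gateway.excludedCipherSuites"
PROP_FORCE_REDIRECT = "gateway.forceSecureRedirect"
LEGACY_INCLUDED = "includedCiphers"              # assumed name
LEGACY_EXCLUDED = "excludedCiphers"

# Constructed sample. The Java-properties XML layout is an assumption about
# gateway.xml. This one re-includes a suite from the default exclusion list,
# which is the workaround the announcement advises against.
SAMPLE_GATEWAY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<properties>
  <entry key="gateway.forceSecureRedirect">false</entry>
  <entry key="gateway.includedCipherSuites">["TLS_RSA_WITH_AES_256_GCM_SHA384"]</entry>
  <entry key="gateway.excludedCipherSuites">["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]</entry>
</properties>
"""

# Constructed stand-in for Java system properties on a Gateway that has not
# been migrated yet (no cipher entries in gateway.xml). The comma-separated
# value format is an assumption.
LEGACY_SYSTEM_PROPS = {
    LEGACY_EXCLUDED: "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA",
}


def load_properties(xml_text):
    """Parse Java-properties XML into a {key: value} dict."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}


def cipher_list(props, key, system_props, legacy_key):
    """Return the JSON array stored under `key`; if absent, fall back to the
    legacy comma-separated system property, mirroring the startup migration."""
    raw = props.get(key)
    if raw:
        value = json.loads(raw)
        if not isinstance(value, list) or not all(isinstance(s, str) for s in value):
            raise ValueError(f"{key} must be a JSON array of strings")
        return value
    legacy = system_props.get(legacy_key, "")
    return [s.strip() for s in legacy.split(",") if s.strip()]


def audit(props, system_props):
    """Summarise the effective cipher configuration and flag weakening."""
    included = cipher_list(props, PROP_INCLUDED, system_props, LEGACY_INCLUDED)
    excluded = cipher_list(props, PROP_EXCLUDED, system_props, LEGACY_EXCLUDED)
    # Any default-excluded suite the operator explicitly includes weakens the
    # 8.0.3 default profile (static-RSA and finite-field DHE key exchange).
    reincluded = sorted(s for s in included if s in DEFAULT_EXCLUDED)
    return {
        "included": included,
        "excluded": excluded,
        "force_secure_redirect": props.get(PROP_FORCE_REDIRECT, "false").lower() == "true",
        "reincluded_default_excluded": reincluded,
        "weakened": bool(reincluded),
    }


if __name__ == "__main__":
    print(audit(load_properties(SAMPLE_GATEWAY_XML), {}))
    print(audit({}, LEGACY_SYSTEM_PROPS))
```

Run it against a real gateway.xml by replacing SAMPLE_GATEWAY_XML with the file contents; a non-empty `reincluded_default_excluded` list is the signal that someone applied the cipher-weakening workaround instead of updating the launchers.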
Hope you all enjoy these new features!