Summary
This article describes how to disable specific versions of TLS support to only use a more updated version. This article is written with an example on disabling TLSv1, TLSv1.1 support and accept all requests using only TLSv1.2, but should be able to be used as reference for similar version patterns in the future.
Solution
Users interact with the ElectricFlow (Commander) server through a web interface. The Electric Flow web interface is hosted in an Apache web server, which listens on the 80 (unsecure) and 443 (secure) ports and Commander server is a Jetty-based application server that uses Jetty (a Java HTTP server), which listens on the 8000 (unsecure) and 8443 (secure) ports. Apache web-server interacts with Jetty through HTTP and HTTPS requests.
To accept all request using only TLSv1.2 in Apache HTTPS port 443 and Jetty HTTPS port 8443 use the following steps. Before making those changes we highly recommend to make backups of the files you are going to modify.
Changes for Apache:
In /opt/electriccloud/electriccommander/apache/conf/ssl.conf change:
SSLProtocol All -SSLv2 -SSLv3to:
SSLProtocol TLSv1.2Restart Apache server
Changes to Jetty:
In /opt/electriccloud/electriccommander/jre/lib/security/java.security change:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \
EC keySize < 224
to
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \
EC keySize < 224, TLSv1, TLSv1.1
Changes to the server:
In /opt/electriccloud/electriccommander/conf/wrapper.conf change:
wrapper.java.additional.310=-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"to
wrapper.java.additional.310=-Djdk.tls.client.protocols="TLSv1.2"and add the line
wrapper.java.additional.311=-Djdk.tls.disabledAlgorithms="SSLv3, RC4, DH keySize < 768, EC keySize < 224, TLSv1, TLSv1.1"Restart commander server.
Verify that changes were applied by checking ssl handshake connection. You can do it using these commands
Check TLSv1.2 support on apache server
sudo -i
then
export LD_LIBRARY_PATH=/opt/electriccloud/electriccommander/lib && /opt/electriccloud/electriccommander/bin/openssl s_client -connect <EF_SERVER>:443 -tls1_2 > connect_tls1_2_handshake_Web_server.txt 2>&1Try to use Ctrl+C if the second command is not completing
Check TLSv1.2 support on commander server
sudo -i
then
export LD_LIBRARY_PATH=/opt/electriccloud/electriccommander/lib && /opt/electriccloud/electriccommander/bin/openssl s_client -connect <EF_SERVER>:8443 -tls1_2 > connect_tls1_2_handshake_EF_server.txt 2>&1Try to use Ctrl+C if the second command is not completing
Applies to
OS versions: Linux
Comments