Protocols in IS extended settings

Which setting is better? Please consider both inbound and outbound calls by IS.
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=tls
or
watt.net.ssl.client.handshake.maxVersion=tlsv1.2
watt.net.ssl.client.handshake.minVersion=tls

Do these settings have an effect on the above ones?

watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2

Hi Sai,

only these entries are valid:

watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=tls

This engine does not support TLS v1.1, TLS v1.2 and newer.
“tls” stands for TLS v1.0 in this case.

Make sure you have set watt.net.useJSSE to “true” to force usage of the current TLS v1.x protocols.
The following entries should then be shortened to disable insecure versions:

watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2

should be set to the following for maximum security:

watt.net.jsse.client.enabledProtocols=TLSv1.2
watt.net.jsse.server.enabledProtocols=TLSv1.2

TLS v1.3 is not yet supported.
The watt.net.ssl entries and the watt.net.jsse entries refer to two different SSL engines; JSSE is preferred over Entrust (= SSL) nowadays.

See the IS Administrator's Guide for further information on these settings.

Regards,
Holger

1 Like
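As an added example (not code from the thread or from webMethods IS), the following script reads a constructed snippet in the shape of the IS extended settings quoted above, flags the entries that still enable the protocol versions Holger recommends disabling, checks that watt.net.useJSSE is on, and produces the hardened values. SAMPLE_SETTINGS and the severity labels are constructed for the example.

```python
"""Check IS extended settings for weak TLS versions.

Added example; it is not code from the original post or from webMethods IS.
It parses a constructed key=value snippet shaped like the IS extended settings
and reports which entries still allow protocol versions the thread calls
insecure. SAMPLE_SETTINGS is constructed for this example.
"""
from typing import Dict, List, Tuple

INSECURE = {"SSLv3", "TLSv1", "TLSv1.1"}   # versions the thread says to disable
RECOMMENDED = "TLSv1.2"                    # the version the thread recommends
JSSE_KEYS = ("watt.net.jsse.client.enabledProtocols",
             "watt.net.jsse.server.enabledProtocols")

# Constructed sample: the configuration from the question.
SAMPLE_SETTINGS = """\
watt.net.useJSSE=true
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=tls
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
"""


def parse_settings(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def protocol_list(value: str) -> List[str]:
    """Split a comma-separated enabledProtocols value into its versions."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; 'warn' items need action."""
    findings: List[Tuple[str, str]] = []
    use_jsse = settings.get("watt.net.useJSSE", "false").lower() == "true"
    if not use_jsse:
        findings.append(("warn", "watt.net.useJSSE is not true; the Entrust engine "
                                 "only reaches TLS v1.0 according to the thread"))
    for key in JSSE_KEYS:
        versions = protocol_list(settings.get(key, ""))
        weak = sorted(set(versions) & INSECURE)
        if weak:
            findings.append(("warn", f"{key} still enables {', '.join(weak)}"))
        if RECOMMENDED not in versions:
            findings.append(("warn", f"{key} does not enable {RECOMMENDED}"))
    # The watt.net.ssl.* entries belong to the other (Entrust) engine.
    if use_jsse and any(k.startswith("watt.net.ssl.") for k in settings):
        findings.append(("info", "watt.net.ssl.* entries configure the Entrust engine, "
                                 "not JSSE; they do not tighten JSSE connections"))
    return findings


def harden(settings: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with JSSE forced on and both protocol lists set to TLSv1.2."""
    fixed = dict(settings)
    fixed["watt.net.useJSSE"] = "true"
    for key in JSSE_KEYS:
        fixed[key] = RECOMMENDED
    return fixed


def warnings(settings: Dict[str, str]) -> List[str]:
    """Only the findings that need action."""
    return [msg for sev, msg in audit(settings) if sev == "warn"]


if __name__ == "__main__":
    before = parse_settings(SAMPLE_SETTINGS)
    for severity, message in audit(before):
        print(f"[{severity}] {message}")
    print("after hardening:", warnings(harden(before)) or "no warnings")
```

Run it against an export of your own extended settings instead of SAMPLE_SETTINGS to see which entries still need to be shortened; the "info" line only reminds you that the Entrust-engine entries are not what governs JSSE connections.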

Sai,

BTW, what is your IS version? With the IS extended settings suggested above, please prefer to use/enable TLSv1.2 and drop v1/v1.1, due to the various vulnerabilities that exist, to defend your server. Also, a critical setting to note here is watt.net.useJSSE=true.

HTH,
RMG

1 Like

Thanks RMG and Holger,
What happens if my client's server does not support TLSv1.2 for watt.net.jsse.client.enabledProtocols and watt.net.jsse.server.enabledProtocols?

And also, if watt.server.scheduler.threadThrottle is set to 100, will this affect the server?

Please ask and convince your client/network team to start supporting TLSv1.2 (enablement) within their firewall network, as it resolves various vulnerabilities from the enterprise security standpoint, which is the way to go.

What is currently supported based on the info you have?

HTH,
RMG

1 Like

Hi Sai,

I agree with RMG that you should try to convince your partner to allow for both versions (TLS v1.2 and TLS v1.3, if this is already available).
TLS v1.3 is not yet available in wM suite afaik, but it should become available with one of the upcoming releases hopefully.

Depending on your IS version you will require some IS and Shared Fixes to make them aware of the proper TLS versions.
See Empower for KB Articles related to “POODLE”.
Starting with wM 9.x, TLS v1.1 and TLS v1.2 will be available by default…

Can you try something like “openssl s_client -showcerts -connect yourPartnerHost:yourPartnerPort” to determine the maximum supported TLS version?

Regards,
Holger

If TLS 1.2 is not supported on the server end and IS is acting as the SSL client, it will try to lower down to TLS 1.1 and TLS 1.0 in an attempt to evaluate whether the server is able to support that. If they can find common ground, then it will complete the handshake and the call goes through.

I find this book useful to explain the details of SSL and how the handshake actually takes place.

1 Like
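As an added example (not code from the thread or from webMethods IS), the following script models the version selection described in the last reply: the two sides settle on the highest version both have enabled, and the handshake fails when there is none. It answers Sai's question about a partner that lacks TLSv1.2 by running the constructed enabledProtocols lists below through that rule; it is an offline simulation, not a network probe, and VERSION_ORDER and the scenarios are constructed for the example.

```python
"""Simulate which TLS version IS and a partner would agree on.

Added example; not code from the thread or from webMethods IS. Models the
fallback in the last reply: the highest version enabled on both sides wins,
and with no common version the handshake fails. Version lists are constructed.
"""
from typing import List, Optional

# Ordering used to pick the "highest common version". TLSv1.3 is listed for
# completeness even though the thread says IS does not support it yet.
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def protocol_list(value: str) -> List[str]:
    """Split an enabledProtocols value such as 'TLSv1,TLSv1.1,TLSv1.2'."""
    return [p.strip() for p in value.split(",") if p.strip()]


def negotiate(client_enabled: List[str], server_enabled: List[str]) -> Optional[str]:
    """Return the highest version both sides enable, or None if none is shared."""
    common = set(client_enabled) & set(server_enabled)
    for version in reversed(VERSION_ORDER):
        if version in common:
            return version
    return None  # no common ground: the handshake fails


def describe(is_enabled: str, partner_enabled: str) -> str:
    """Human-readable outcome for one IS/partner combination."""
    chosen = negotiate(protocol_list(is_enabled), protocol_list(partner_enabled))
    if chosen is None:
        return f"IS [{is_enabled}] vs partner [{partner_enabled}]: handshake fails"
    return f"IS [{is_enabled}] vs partner [{partner_enabled}]: negotiated {chosen}"


# Constructed scenarios: the default list from the question, the hardened
# list from Holger's answer, and partners with and without TLSv1.2.
SCENARIOS = [
    ("TLSv1,TLSv1.1,TLSv1.2", "TLSv1,TLSv1.1,TLSv1.2"),  # both modern: TLSv1.2
    ("TLSv1,TLSv1.1,TLSv1.2", "TLSv1,TLSv1.1"),          # IS falls back to TLSv1.1
    ("TLSv1.2", "TLSv1,TLSv1.1"),                         # hardened IS: no common version
    ("TLSv1.2", "TLSv1.1,TLSv1.2"),                       # partner upgraded: TLSv1.2
]

if __name__ == "__main__":
    for is_value, partner_value in SCENARIOS:
        print(describe(is_value, partner_value))
```

The third scenario is the trade-off the thread is about: once IS is restricted to TLSv1.2, a partner that still only offers TLSv1/TLSv1.1 cannot connect at all, which is why the replies recommend getting the partner to enable TLSv1.2 before shortening the lists.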