Hi,
As SSLv2 (SSLV2Hello) and SSLv3 (SSLv3) are both considered insecure in the meantime, they should no longer be allowed for either type (JSSE/) or direction (server/client) unless this is really required by one of your partners.
Refer to the following iTracs:
PIE-34321
Enhancement to Integration Server to allow configuration of cipher
suites with JSSE connections.
Integration Server now contains server configuration properties
that you can use to specify the cipher suites used with inbound
and outbound JSSE communications.
Inbound JSSE Communications
To control the cipher suites used on Integration Server ports that
use JSSE and handle inbound requests, specify comma-separated
values for watt.net.jsse.server.enabledCipherSuiteList. To include
all the cipher suites supported by the JVM, specify a value of
default. For example:
watt.net.jsse.server.enabledCipherSuiteList=
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256
_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256
watt.net.jsse.server.enabledCipherSuiteList=default
The default value is default.
For changes to this property to take effect, you must start the
port. If the port is already started, you can restart it by
disabling the port and then enabling it.
Outbound JSSE Communications
To use JSSE for all of the outbound HTTPS connections from
Integration Server, specify a value of true for the
watt.net.ssl.client.useJSSE server configuration property. The
default value of this property is false, indicating that JSSE is
not used for outbound HTTPS connections.
Note: When executing the pub.client:http service, the value of the
useJSSE input parameter overrides the value of the
watt.net.ssl.client.useJSSE server configuration property.
To control the cipher suites used on JSSE sockets that are used
while making outbound HTTPS requests, specify comma-separated
values for the server configuration property
watt.net.jsse.client.enabledCipherSuiteList. To include all the
cipher suites supported by the JVM, specify a value of default.
For example:
watt.net.jsse.client.enabledCipherSuiteList=
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256
_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256
watt.net.jsse.client.enabledCipherSuiteList=default
The default value is default.
Note: Any changes you make to
watt.net.jsse.client.enabledCipherSuiteList affect new connections
only.
Note: When the logging facility 0006 Server SSL Interface is set
to the Debug logging level, Integration Server writes messages
about protocols used for inbound and outbound ports to the server
log. At the Trace logging level, Integration Server writes
messages about the enabled cipher suites.
In addition to the above changes for controlling cipher suites, to
provide backward compatibility, Integration Server now includes
SSLv2Hello as a default value for the server configuration
property watt.net.jsse.server.enabledProtocols. In PIE-34054, the
default value of watt.net.jsse.server.enabledProtocols was set to
"TLSv1,TLSv1.1,TLSv1.2". Now, the default value of
watt.net.jsse.server.enabledProtocols is
"SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2".
as well as
PIE-34054
Remove use of SSLv3 from any HTTPS or FTPS Integration Server
ports.
In order to protect against the POODLE vulnerability (CVE-2014-3566),
this fix exposes server configuration parameters that allow
you to disable the use of SSLv3.0 on Integration Server HTTPS
and FTPS ports.
Depending on whether connections use the Entrust library
(entoolkit.jar) or JSSE (where useJSSE=true), you use a
different procedure to disable SSLv3.0. Follow the appropriate
procedure as follows:
For connections that use Entrust (entoolkit.jar) library:
---------------------------------------------------------
When Integration Server uses the Entrust library to handle inbound
and outbound requests, you disable SSLv3.0 by setting the
following server configuration parameters:
- watt.net.ssl.server.handshake.minVersion
- watt.net.ssl.server.handshake.maxVersion
Possible values for these server configuration parameters are
"sslv3" and "tls" (the default). With this fix, these two
parameters take the default value "tls", which indicates that
all server side SSL listeners will support only TLSv1 and no
longer accept SSLv3 connections.
When Integration Server acts as a client and makes an outbound
request, it configures the allowed protocols using the
following server configuration parameters:
- watt.net.ssl.client.handshake.minVersion=sslv2
- watt.net.ssl.client.handshake.maxVersion=tls
Possible values for these server configuration parameters are
"sslv2", "sslv3", and "tls". If you want to disable the use of
"sslv3", set watt.net.ssl.client.handshake.minVersion as
follows: watt.net.ssl.client.handshake.minVersion=tls
To change the values of the server configuration parameters,
from Integration Server Administrator, navigate to Settings >
Extended and add the parameters as follows:
- watt.net.ssl.server.handshake.minVersion=tls
- watt.net.ssl.server.handshake.maxVersion=tls
- watt.net.ssl.client.handshake.minVersion=tls
- watt.net.ssl.client.handshake.maxVersion=tls
If any of your clients require SSLv3 to connect (the previous
default), set watt.net.ssl.server.handshake.minVersion as
follows: watt.net.ssl.server.handshake.minVersion=sslv3
To configure Integration Server, when making outbound connections,
to first try to connect using sslv3 and, if that fails,
to use tlsv1, set watt.net.ssl.client.handshake.minVersion as
follows: watt.net.ssl.client.handshake.minVersion=sslv3
This will allow Integration Server to use sslv3 with endpoints
that do not support tlsv1.
For connections that use JSSE (where useJSSE=true):
---------------------------------------------------
When Integration Server uses JSSE to handle inbound and
outbound requests, you disable SSLv3.0 by setting the following
server configuration parameters:
- watt.net.jsse.server.enabledProtocols
- watt.net.jsse.client.enabledProtocols
Possible values for these server configuration parameters are
comma-separated values consisting of one or more of the
following:
- SSLv2Hello
- SSLv3
- TLSv1
- TLSv1.1
- TLSv1.2
With this fix, watt.net.jsse.server.enabledProtocols and
watt.net.jsse.client.enabledProtocols are set to the default
value of "TLSv1,TLSv1.1,TLSv1.2", which indicates that all
server side SSL listeners and client side outbound connections
that use JSSE will not accept any SSLv3 or SSLv2 connections.
To change the values of the parameters, from Integration Server
Administrator, navigate to Settings > Extended and add the
parameters as follows:
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
Note: These values are case-sensitive. Specify the values
exactly as shown.
If any of your clients need to connect using SSLv3, add SSLv3
to watt.net.jsse.server.enabledProtocols, for example:
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2,SSLv3
When starting JSSE ports, at DEBUG level of logging
facility 6 (Server SSL Interface), Integration Server
logs a message to indicate what protocols are enabled
for each JSSE port.
for further information.
Regards,
Holger
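The two iTracs above describe the same hardening in two configuration dialects (Entrust handshake.minVersion/maxVersion versus JSSE enabledProtocols/enabledCipherSuiteList), and the post stresses that SSLv2/SSLv3 should be gone on both types and in both directions. The script below is an added example, my own and not code from the post, from Software AG or from Integration Server: it audits the watt.* settings named above in their key=value form (as on Settings > Extended) for the legacy values, applies the defaults the fix notes state (notably that the Entrust client minVersion defaults to sslv2, which is only silent because it is never written down), flags cipher suites that are broken or lack forward secrecy, and emits a hardened copy. The sample configuration, the severity levels and the weak-suite name markers are my assumptions.

```python
"""Audit Integration Server watt.* SSL/TLS settings for legacy protocol
versions and weak cipher suites, then produce a hardened copy.

Added example, not code from the original post or from Integration Server.
It works on the key=value form of the Settings > Extended properties; the
sample configuration below is constructed for the demo.
"""

LEGACY_JSSE = {"SSLv2Hello", "SSLv3"}      # values the post says to drop
LEGACY_ENTRUST = {"sslv2", "sslv3"}
SAFE_JSSE_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"
JSSE_PROTOCOL_KEYS = ("watt.net.jsse.server.enabledProtocols",
                      "watt.net.jsse.client.enabledProtocols")
CIPHER_KEYS = ("watt.net.jsse.server.enabledCipherSuiteList",
               "watt.net.jsse.client.enabledCipherSuiteList")
# Entrust handshake limits with the defaults stated in PIE-34054:
# the client minVersion defaults to sslv2, everything else to tls.
ENTRUST_DEFAULTS = (("watt.net.ssl.server.handshake.minVersion", "tls"),
                    ("watt.net.ssl.server.handshake.maxVersion", "tls"),
                    ("watt.net.ssl.client.handshake.minVersion", "sslv2"),
                    ("watt.net.ssl.client.handshake.maxVersion", "tls"))
# Assumption: standard JSSE suite names. These fragments mark broken or
# export-grade suites; TLS_RSA_* uses static RSA, i.e. no forward secrecy.
WEAK_SUITE_MARKERS = ("_NULL_", "_anon_", "_EXPORT", "_RC4_", "_DES_", "_3DES_", "_MD5")
NO_PFS_PREFIX = "TLS_RSA_"

# Constructed sample of an exported Settings > Extended page (not a real server).
SAMPLE = """\
# constructed sample
watt.net.ssl.client.useJSSE=false
watt.net.jsse.server.enabledProtocols=SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2,SSLv3
watt.net.ssl.server.handshake.minVersion=sslv3
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.jsse.server.enabledCipherSuiteList=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_RC4_128_MD5
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def audit(props):
    """Return (severity, key, message) findings for the given properties."""
    findings = []
    for key in JSSE_PROTOCOL_KEYS:               # explicit JSSE protocol lists
        if key in props:
            bad = sorted(set(split_list(props[key])) & LEGACY_JSSE)
            if bad:
                findings.append(("HIGH", key, "legacy protocol enabled: " + ",".join(bad)))
    # Entrust limits: the client-side pair only matters while useJSSE=false.
    use_jsse = props.get("watt.net.ssl.client.useJSSE", "false").lower() == "true"
    for key, default in ENTRUST_DEFAULTS:
        if use_jsse and ".client." in key:
            continue
        value = props.get(key, default).lower()
        if value in LEGACY_ENTRUST:
            origin = "explicit" if key in props else "implicit default"
            findings.append(("HIGH", key, f"{value} ({origin}); set to tls"))
    for key in CIPHER_KEYS:                      # "default" = every JVM suite
        value = props.get(key, "default")
        if value == "default":
            findings.append(("INFO", key, "default: every suite the JVM supports is offered"))
            continue
        for suite in split_list(value):
            if any(marker in suite for marker in WEAK_SUITE_MARKERS):
                findings.append(("HIGH", key, "weak suite: " + suite))
            elif suite.startswith(NO_PFS_PREFIX):
                findings.append(("MEDIUM", key, "no forward secrecy: " + suite))
    return findings


def harden(props):
    """Return a copy of props with the values the audit flags corrected."""
    out = dict(props)
    for key in JSSE_PROTOCOL_KEYS:
        if key in out:
            kept = [p for p in split_list(out[key]) if p not in LEGACY_JSSE]
            out[key] = ",".join(kept) or SAFE_JSSE_PROTOCOLS
    for key, _default in ENTRUST_DEFAULTS:
        out[key] = "tls"            # pin both ends of the Entrust range to TLS
    for key in CIPHER_KEYS:
        if key in out and out[key] != "default":
            kept = [s for s in split_list(out[key])
                    if not any(m in s for m in WEAK_SUITE_MARKERS)
                    and not s.startswith(NO_PFS_PREFIX)]
            if kept:
                out[key] = ",".join(kept)
    return out


if __name__ == "__main__":
    current = parse_properties(SAMPLE)
    for severity, key, message in audit(current):
        print(f"{severity:6} {key}: {message}")
    print("--- hardened ---")
    for key, value in sorted(harden(current).items()):
        print(f"{key}={value}")
```

Two caveats when reading the output. In JSSE, SSLv2Hello is not the SSLv2 protocol; it only lets the server accept an SSLv2-format ClientHello from old clients, and the negotiated version is still limited to the other enabled protocols. It is still worth dropping unless a partner needs it, which is why the script treats it like the post does. Second, the "safe" list TLSv1,TLSv1.1,TLSv1.2 reflects the fix notes at the time they were written; TLSv1 and TLSv1.1 have since been deprecated (RFC 8996), so on a current JVM the list should be reduced to TLSv1.2 and, where supported, TLSv1.3.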