This article explains how to manage cipher suites used by TIBCO ActiveMatrix BusinessWorks™ 5 (BW).
How to check which cipher suites are enabled
If BW is the client, check the TLS debug logs to identify which cipher suites are enabled. The ClientHello handshake message shows the list of cipher suites supported by the client.
"ClientHello": {
  .....
  .....
  "cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  .....
  .....
}
If BW is the server, the utility sslscan (https://github.com/rbsec/sslscan/releases) can be used to identify which cipher suites are supported.
$ sslscan localhost:9191
Version: 2.1.3 Windows 64-bit (Mingw)
OpenSSL 3.0.9 30 May 2023
Connected to ::1
Testing SSL server localhost on port 9191 using SNI name localhost
.....
.....
Supported Server Cipher(s):
Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 1024 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 1024 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
.....
.....
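An added example (not part of the original article and not part of sslscan): a Python check that parses the cipher rows of sslscan output such as the above and flags the suites worth restricting. The 2048-bit minimum for DH groups and the non-AEAD rule are assumed policy choices, and the function names are hypothetical.

```python
import re

# Rows copied from the sslscan output shown in this article (subset).
SSLSCAN_OUTPUT = """\
Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
"""

# status, protocol, symmetric key bits, suite name, key-exchange details
ROW = re.compile(r"^(Preferred|Accepted)\s+(\S+)\s+(\d+) bits\s+(\S+)\s*(.*)$")
# Finite-field DH is reported as "DHE <n> bits"; ECDHE rows start with "Curve".
DH_BITS = re.compile(r"^DHE (\d+) bits$")

MIN_DH_BITS = 2048                 # assumed policy threshold
AEAD_MARKERS = ("GCM", "CHACHA20")  # assumed policy: AEAD suites only


def parse_ciphers(text):
    """Return one dict per 'Preferred'/'Accepted' row, ignoring other lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            status, proto, bits, name, kx = m.groups()
            rows.append({"status": status, "protocol": proto,
                         "bits": int(bits), "name": name, "kx": kx.strip()})
    return rows


def findings(rows):
    """Return (suite name, [reasons]) for every row that breaks the policy."""
    out = []
    for r in rows:
        reasons = []
        dh = DH_BITS.match(r["kx"])
        if dh and int(dh.group(1)) < MIN_DH_BITS:
            reasons.append(f"DH {dh.group(1)} bits")
        if not any(marker in r["name"] for marker in AEAD_MARKERS):
            reasons.append("non-AEAD suite")
        if reasons:
            out.append((r["name"], reasons))
    return out


if __name__ == "__main__":
    for name, reasons in findings(parse_ciphers(SSLSCAN_OUTPUT)):
        print(f"{name}: {', '.join(reasons)}")
```

Re-running sslscan after a configuration change and feeding the new output to the same check shows whether the flagged suites are still accepted.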
How to check which cipher suite is used in a TLS session
To identify the cipher suite used in a TLS session, check TLS debug logs. The ServerHello handshake message shows the cipher suite used.
"ServerHello": {
  .....
  .....
  "cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)",
  .....
  .....
}
How to restrict cipher suites
Cipher suites can be restricted at the JRE level or at the application level.
JRE level
To disable a specific cipher suite, add it to the property jdk.tls.disabledAlgorithms in the security properties file. For example, to disable the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA, update the property as follows.
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves, \
    TLS_RSA_WITH_AES_128_CBC_SHA
It is also possible to disable a set of cipher suites by specifying the relevant algorithm.
Application level
In cases where TLS is handled by BW, it is possible to disable cipher suites using the following property.
com.tibco.security.ssl.excludeCiphers
To disable specific cipher suites, specify the cipher suite names as a comma-separated list. For example, to disable the cipher suites TLS_RSA_WITH_AES_128_CBC_SHA256 and TLS_RSA_WITH_AES_128_CBC_SHA, set the property as follows.
java.property.com.tibco.security.ssl.excludeCiphers=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
A regular expression can be specified to disable a set of cipher suites. For example, to disable all the cipher suites with key exchange algorithm RSA, set the property as follows.
java.property.com.tibco.security.ssl.excludeCiphers=^(TLS_RSA).*
It is also possible to enable only specific cipher suites using the following property.
com.tibco.security.ssl.includeCiphers
For example, to enable the cipher suites TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 and disable all the other cipher suites, set the property as follows.
java.property.com.tibco.security.ssl.includeCiphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
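An added example (not TIBCO code and not part of the original article): a Python check that reads the ClientHello from a TLS debug log captured after the change and lists any offered suite that contradicts the excludeCiphers or includeCiphers value. It assumes each comma-separated entry is a name or regular expression that must match the whole suite name; this page does not document BW's exact matching, and the function names are hypothetical.

```python
import re

# Constructed debug-log excerpt, shortened from the ClientHello format above.
CLIENT_HELLO = '''"ClientHello": {
  "cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
}'''

SUITES_LINE = re.compile(r'"cipher suites"\s*:\s*"\[(.*?)\]"')
SUITE = re.compile(r"(\w+)\(0x[0-9A-Fa-f]{4}\)")
# Renegotiation signalling value, not a negotiable suite; skipped here.
SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"


def offered_suites(log_text):
    """Extract suite names from the first ClientHello in a debug log."""
    m = SUITES_LINE.search(log_text)
    if not m:
        raise ValueError("no ClientHello cipher suites line found")
    return [name for name in SUITE.findall(m.group(1)) if name != SCSV]


def _matches(name, property_value):
    # Assumption: entries are split on commas and must match the full name,
    # so a pattern that itself contains a comma is not supported here.
    return any(re.fullmatch(entry.strip(), name)
               for entry in property_value.split(","))


def exclude_violations(offered, exclude_value):
    """Suites still offered although the exclude setting should remove them."""
    return [s for s in offered if _matches(s, exclude_value)]


def include_violations(offered, include_value):
    """Suites offered although they are not on the include list."""
    return [s for s in offered if not _matches(s, include_value)]


if __name__ == "__main__":
    offered = offered_suites(CLIENT_HELLO)
    print("exclude:", exclude_violations(offered, "^(TLS_RSA).*"))
    print("include:", include_violations(
        offered, "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384"))
```

An empty list from either function means the captured ClientHello is consistent with the configured property under the stated assumption.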
In cases where TLS is handled by a third-party library, use the setting provided by the library. For example, when using MySQL Connector/J JDBC driver version 8.x to connect to MySQL server over TLS, the driver configuration property tlsCiphersuites can be used to restrict cipher suites. To enable the cipher suites TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 only, set the property in the JDBC URL as shown below.
jdbc:mysql://host:port/database?sslMode=VERIFY_CA&tlsCiphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384