  • Managing cipher suites used by TIBCO ActiveMatrix BusinessWorks™ 5


    This article explains how to manage cipher suites used by TIBCO ActiveMatrix BusinessWorks™ 5 (BW).

    How to check which cipher suites are enabled

    If BW is the client, check the TLS debug logs to identify which cipher suites are enabled. The ClientHello handshake message lists the cipher suites supported by the client.

    "ClientHello": {
    .....
    .....
      "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), 
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), 
      TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), 
      TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), 
      TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), 
      TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), 
      TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), 
      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), 
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), 
      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), 
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), 
      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), 
      TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), 
      TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), 
      TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
     .....
     .....
    }

    If BW is the server, the sslscan utility (https://github.com/rbsec/sslscan/releases) can be used to identify which cipher suites are supported.

    $ sslscan localhost:9191
    Version: 2.1.3 Windows 64-bit (Mingw)
    OpenSSL 3.0.9 30 May 2023
    
    Connected to ::1
    
    Testing SSL server localhost on port 9191 using SNI name localhost
    
    .....
    .....
    
      Supported Server Cipher(s):
    Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
    Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
    Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
    Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
    Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
    Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
    Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve 25519 DHE 253
    Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 1024 bits
    Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve 25519 DHE 253
    Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 1024 bits
    Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
    Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
    Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve 25519 DHE 253
    Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
    
    .....
    .....
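
sslscan prints TLS 1.2 suites under OpenSSL names, while the BW debug logs and the Java properties in this article use IANA names. The following added example (not part of the original article or of sslscan) parses a listing like the one above, converts the AES-GCM and AES-CBC names to IANA form, and reports suites that are still offered or that use a small DHE group; the sample rows, the function names and the 2048-bit floor are assumptions of the example.

```python
import re

# Constructed sample in the layout of the sslscan listing above.
SAMPLE = """\
  Supported Server Cipher(s):
Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.2  128 bits  AES128-SHA
"""

ROW = re.compile(r"^\s*(?:Preferred|Accepted)\s+(\S+)\s+\d+ bits\s+(\S+)\s*(.*)$")

def to_iana(name):
    """Map an OpenSSL-style AES-GCM/AES-CBC suite name to its IANA (Java) name."""
    if name.startswith("TLS_"):              # TLS 1.3 rows already use IANA names
        return name
    parts = name.split("-")
    i = next((k for k, p in enumerate(parts) if p.startswith("AES")), None)
    if i is None:                            # not an AES suite: leave unchanged
        return name
    kx = "_".join(parts[:i]) or "RSA"        # no prefix means static RSA key exchange
    mode = "GCM" if "GCM" in parts else "CBC"
    return f"TLS_{kx}_WITH_AES_{parts[i][3:]}_{mode}_{parts[-1]}"

def parse_sslscan(text):
    """Return (protocol, iana_name, dhe_bits or None) for each offered suite."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, name, extra = m.groups()
            dh = re.search(r"\bDHE (\d+) bits", extra)   # finite-field DHE group size
            rows.append((proto, to_iana(name), int(dh.group(1)) if dh else None))
    return rows

def small_dhe_groups(rows, min_bits=2048):
    """Suites offered with a DHE group below min_bits (assumed floor)."""
    return [name for _, name, bits in rows if bits is not None and bits < min_bits]

def still_offered(rows, names):
    """Suites from `names` (IANA form) that the server still accepts."""
    return sorted({name for _, name, _ in rows} & set(names))

if __name__ == "__main__":
    rows = parse_sslscan(SAMPLE)
    print(small_dhe_groups(rows))
    print(still_offered(rows, ["TLS_RSA_WITH_AES_128_CBC_SHA"]))
```

Capture the listing with sslscan's --no-colour option so the rows contain no terminal colour codes.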

    How to check which cipher suite is used in a TLS session

    To identify the cipher suite used in a TLS session, check TLS debug logs. The ServerHello handshake message shows the cipher suite used.

    "ServerHello": {
    .....
    .....
      "cipher suite"        : "TLS_AES_128_GCM_SHA256(0x1301)",
    .....
    .....
    }

    How to restrict cipher suites

    Cipher suites can be restricted at the JRE level or at the application level.

    JRE level

    To disable a specific cipher suite, add it to the property jdk.tls.disabledAlgorithms in the security properties file. For example, to disable the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA, update the property as follows.

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        include jdk.disabled.namedCurves, \
        TLS_RSA_WITH_AES_128_CBC_SHA

    It is also possible to disable a set of cipher suites by specifying the relevant algorithm. 

    Application level

    In cases where TLS is handled by BW, it is possible to disable cipher suites using the following property.

    com.tibco.security.ssl.excludeCiphers

    To disable specific cipher suites, specify the cipher suite names as a comma-separated list. For example, to disable the cipher suites TLS_RSA_WITH_AES_128_CBC_SHA256 and TLS_RSA_WITH_AES_128_CBC_SHA, set the property as follows.

    java.property.com.tibco.security.ssl.excludeCiphers=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

    A regular expression can be specified to disable a set of cipher suites. For example, to disable all the cipher suites with key exchange algorithm RSA, set the property as follows.

    java.property.com.tibco.security.ssl.excludeCiphers=^(TLS_RSA).*

    It is also possible to enable only specific cipher suites using the following property. 

    com.tibco.security.ssl.includeCiphers

    For example, to enable the cipher suites TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 and disable all the other cipher suites, set the property as follows.

    java.property.com.tibco.security.ssl.includeCiphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
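
An added example (not TIBCO code) that previews the effect of an excludeCiphers or includeCiphers value on the suite list taken from a ClientHello debug entry. The log excerpt is a constructed, shortened sample, the function names are hypothetical, and treating each comma-separated entry as a regular expression that must match the whole suite name is an assumption about how BW evaluates the property.

```python
import re

# Constructed sample: a shortened ClientHello entry in the debug-log layout.
LOG = '''"ClientHello": {
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302),
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
  TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
}'''

def offered_suites(log_text):
    """Suite names, in order, from the "cipher suites" field of a ClientHello."""
    field = re.search(r'"cipher suites"\s*:\s*"\[(.*?)\]"', log_text, re.S)
    if field is None:
        return []
    names = re.findall(r"([A-Z0-9_]+)\(0x[0-9A-Fa-f]{4}\)", field.group(1))
    # The SCSV entry is a renegotiation signal, not a negotiable cipher suite.
    return [n for n in names if not n.endswith("_SCSV")]

def _selected(name, value):
    # Assumption: each comma-separated entry is a regex matched against the whole name,
    # so a literal name does not also select longer names that start with it.
    return any(re.fullmatch(e.strip(), name) for e in value.split(",") if e.strip())

def after_exclude(suites, value):
    """Suites that remain with excludeCiphers set to `value`."""
    return [s for s in suites if not _selected(s, value)]

def after_include(suites, value):
    """Suites that remain with includeCiphers set to `value`."""
    return [s for s in suites if _selected(s, value)]

if __name__ == "__main__":
    suites = offered_suites(LOG)
    # ^(TLS_RSA).* removes static-RSA key exchange but keeps ECDHE_RSA suites.
    print(after_exclude(suites, "^(TLS_RSA).*"))
    print(after_include(suites, "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384"))
```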

    In cases where TLS is handled by a third-party library, use the setting provided by the library. For example, when using the MySQL Connector/J JDBC driver version 8.x to connect to a MySQL server over TLS, the driver configuration property tlsCiphersuites can be used to restrict cipher suites. To enable the cipher suites TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 only, set the property in the JDBC URL as shown below.

    jdbc:mysql://host:port/database?sslMode=VERIFY_CA&tlsCiphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384

     

