Enforcing SSL Protocol and Minimum Encryption Key Strength with Pramati Server

When using secured communication over the HTTPS protocol, it is sometimes desirable to customize the default behavior of the SSL negotiation. This could mean enforcing the use of a more secure protocol instead of outdated ones, or enforcing a minimum encryption key strength.

Depending on the protocol used and the encryption key strength, both the browser (client) and the server maintain a list of supported cipher suites. The user can choose which cipher suites to allow by restricting the cipher suites the server supports. These server-side cipher suites can be chosen according to the minimum encryption key strength desired.

Pramati Server now comes with built-in support for such customizations, which can be enabled or disabled using certain start-up options. The feature is available in Pramati Server versions 5.0 SP4 onwards.

The following JVM options are available for enabling/disabling various cipher suites:

i) com.pramati.web.ssl.enabledCipherSuites (Enabled Cipher Suites comma separated values)
ii) com.pramati.web.ssl.disabledCipherSuites (Disabled Cipher Suites comma separated values)

Using the above options, the enabled protocols can be specified and the undesired cipher suites with low-bit encryption can be disabled through JVM options in the server start-up java command. For example:

-Dcom.pramati.web.ssl.disabledCipherSuites=EXP1024-DHE-DSS-DES-CBC-SHA,EXP1024-DES-CBC-SHA,EXP1024-RC2-CBC-MD5,EDH-RSA-DES-CBC-SHA,EDH-DSS-DES-CBC-SHA,DES-CBC-SHA,EXP1024-DHE-DSS-RC4-SHA,EXP1024-RC4-SHA,EXP1024-RC4-MD5,EXP-EDH-RSA-DES-CBC-SHA,EXP-EDH-DSS-DES-CBC-SHA,EXP-DES-CBC-SHA,EXP-RC2-CBC-MD5,EXP-RC4-MD5,EXP1024-DHE-DSS-DES-CBC-SHA,EXP1024-DES-CBC-SHA,EXP1024-RC2-CBC-MD5,EDH-RSA-DES-CBC-SHA,EDH-DSS-DES-CBC-SHA,DES-CBC-SHA,EXP1024-DHE-DSS-RC4-SHA,EXP1024-RC4-SHA,EXP1024-RC4-MD5,EXP-EDH-RSA-DES-CBC-SHA,EXP-EDH-DSS-DES-CBC-SHA,EXP-DES-CBC-SHA,EXP-RC2-CBC-MD5,EXP-RC4-MD5

The above properties need to be added to <server-install>/server/bin/runserver.bat (assuming that this batch file is used to start the server) as follows:

java -server -Dcom.pramati.web.ssl.disabledCipherSuites=EXP1024-DHE-DSS-DES-CBC-SHA,EXP1024-DES-CBC-SHA,EXP1024-RC2-CBC-MD5,EDH-RSA-DES-CBC-SHA,EDH-DSS-DES-CBC-SHA,DES-CBC-SHA,EXP1024-DHE-DSS-RC4-SHA,EXP1024-RC4-SHA,EXP1024-RC4-MD5,EXP-EDH-RSA-DES-CBC-SHA,EXP-EDH-DSS-DES-CBC-SHA,EXP-DES-CBC-SHA,EXP-RC2-CBC-MD5,EXP-RC4-MD5,EXP1024-DHE-DSS-DES-CBC-SHA,EXP1024-DES-CBC-SHA,EXP1024-RC2-CBC-MD5,EDH-RSA-DES-CBC-SHA,EDH-DSS-DES-CBC-SHA,DES-CBC-SHA,EXP1024-DHE-DSS-RC4-SHA,EXP1024-RC4-SHA,EXP1024-RC4-MD5,EXP-EDH-RSA-DES-CBC-SHA,EXP-EDH-DSS-DES-CBC-SHA,EXP-DES-CBC-SHA,EXP-RC2-CBC-MD5,EXP-RC4-MD5 -Dinstall.root=$install_root -Djava.security.policy=$install_root/lib/pramati/pramati.java.policy -Djava.security.auth.policy=$install_root/lib/pramati/pramati.jaas.policy -Djacorb.home=$install_root/lib/tp/jacorb -Djava.endorsed.dirs=$install_root/lib/std/endorsed com.pramati.Server

For *nix and Solaris systems, the runserver.sh file can be used. If the server is started as a service, these options can be listed in the JVM options section of <server-install>/services/j2eeserver/pramati_server_<node-name>.conf

wrapper.java.additional.<n>=-Dcom.pramati.web.ssl.disabledCipherSuites=……

Here <n> is the next number after those already used in the parameter list of the “wrapper.java.additional” section.

The cipher suites mentioned here are examples only. Replace them with the names of the applicable cipher suites that are intended to be blocked. If only selected cipher suites need to be allowed, use the “-Dcom.pramati.web.ssl.enabledCipherSuites=……..” option instead.

As these changes are passed as JVM options, the server must be restarted for them to take effect.

Note: The SSL handshake happens at the socket level, which is handled by the underlying JDK. The options mentioned above are therefore passed on internally to the JVM to restrict the SSL communication. Without these options in place, the server supports all protocols and ciphers supported by the underlying JDK/JVM.
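
The following is an added example, not Pramati's own code: a small Java check that reads the two properties named above and shows how an allow-list and a deny-list can be applied through the JDK's JSSE API. The class name CipherSuiteFilter and the way the two lists are combined (allow-list first, then deny-list removed) are assumptions made for illustration.

```java
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class CipherSuiteFilter {
    // Split a comma-separated property value into an ordered, de-duplicated set.
    static Set<String> parse(String csv) {
        Set<String> out = new LinkedHashSet<>();
        if (csv != null)
            for (String s : csv.split(","))
                if (!s.trim().isEmpty()) out.add(s.trim());
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Property names are taken from this page; the combining logic below is assumed.
        Set<String> enabled  = parse(System.getProperty("com.pramati.web.ssl.enabledCipherSuites"));
        Set<String> disabled = parse(System.getProperty("com.pramati.web.ssl.disabledCipherSuites"));

        SSLContext ctx = SSLContext.getDefault();
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> defaults  = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());

        // In this sketch a name the JDK does not list has no effect, so report it.
        for (String name : enabled)
            if (!supported.contains(name)) System.out.println("not a JDK suite (enabled):  " + name);
        for (String name : disabled)
            if (!supported.contains(name)) System.out.println("not a JDK suite (disabled): " + name);

        // Start from the allow-list if one was given, otherwise from the JDK defaults,
        // keep only suites the JDK supports, then remove everything on the deny-list.
        List<String> effective = new ArrayList<>(enabled.isEmpty() ? defaults : enabled);
        effective.retainAll(supported);
        effective.removeAll(disabled);

        // setEnabledCipherSuites rejects unsupported names, hence the filtering above.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setEnabledCipherSuites(effective.toArray(new String[0]));

        if (effective.isEmpty())
            System.out.println("WARNING: no cipher suite left, every handshake would fail");
        for (String suite : engine.getEnabledCipherSuites())
            System.out.println("enabled: " + suite);
    }
}
```

Running it on the same JDK as the server, with the same -D options on the java command line, prints the suites that JDK would offer under these assumptions and any listed name the JDK does not recognise.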


Comments

Really decent post… I love it. Keep ‘em coming… :)
