Nolio/RA - Changing protocols for endpoints


Article ID: 186568


Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

How can we disable certain protocols (for example TLS 1.0) used by the Release Automation components?

Environment

Release : 6.6 or higher

Component : CA RELEASE AUTOMATION CORE

Resolution

Release Automation does not force TLS 1.0 on any endpoint. For JMX, the allowed protocols are left to the MX4J library to decide, and MX4J in turn relies on the security policy of the JVM it runs in. MX4J simply calls SSLContext.getInstance(m_sslProtocol), where m_sslProtocol has the default value "TLS", and neither the Release Automation code nor the MX4J code exposes this m_sslProtocol property, so a different value cannot be set through configuration.

Interestingly, even if this property were exposed and set to something like "TLSv1.2" instead of just "TLS", it still would not prevent clients from connecting with TLSv1. That is how Oracle implemented its providers (https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext): an SSLContext created for a given protocol name may still enable other SSL/TLS versions, presumably for backward compatibility. What actually limits the negotiated version is the set of enabled protocols on the resulting SSLEngine or SSLSocket, and that set is governed by the JVM's "jdk.tls.disabledAlgorithms" security property.


So, given that there is currently no way to restrict the TLS version through the application's own configuration, the Tomcat and JVM configurations layered on top of it are what remain. For a Tomcat JSSE connector in server.xml the relevant attribute is sslEnabledProtocols; the JVM-wide approach is described below.

As for the JVM configuration, the JDK security documentation has a chapter called "Disable TLS 1.0 and TLS 1.1". It describes how to restrict the protocols for the whole JVM by modifying the "java.security" file under <JAVA_HOME>/jre/lib/security/ (in JDK 9 and later the file lives under <JAVA_HOME>/conf/security/). The entries in this file are security properties, not system properties, so they cannot be set individually with -D<name>=<value> JVM options. There are two ways to change the values of the properties in this file:

1. Edit the file directly: change the default value of the "jdk.tls.disabledAlgorithms" property to something like "SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768", save it, and restart the JVM. Note that the value replaces the default list rather than adding to it, so anything the JDK already disables by default must be repeated.
2. Create a separate file containing only the properties to override. In this case it can contain just "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768". Make sure that the original "java.security" file has the property "security.overridePropertiesFile" set to "true". Restart the application with the "-Djava.security.properties=<URL>" option, where URL points to the file with the overridden properties (for example file:///opt/nolio/conf/nolio.security). Use a single "=": with a double "==" the JVM discards the whole java.security file and uses only the properties from the given file.


In practice, option 1 is the easier of the two to implement. Keep in mind, however, that java.security is replaced whenever the JDK is updated, so the edit from option 1 must be redone after each update, whereas the separate file from option 2 survives JDK updates. Whichever option is used, verify the result after the restart by attempting a TLS 1.0-only handshake against the endpoint (for example with openssl s_client -tls1) and confirming that it is refused.
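The following shell script is an added example and is not part of this article or of the Release Automation product. It automates option 2 on a Linux host: it locates java.security under a given JAVA_HOME (checking both the JDK 8 jre/lib/security layout and the JDK 9+ conf/security layout), confirms that security.overridePropertiesFile is true, writes the override file and prints the -Djava.security.properties option to add to the JVM command line. The output file name nolio.security and the example paths are assumptions; the check_tls10_refused function needs openssl and network access to the endpoint and is meant to be run from a client after the restart.

```shell
#!/bin/sh
# Added example (not from the CA article): automates "option 2" above.
# Writes a separate properties file with only the override, verifies that
# the JDK's java.security permits overrides, and prints the -D option to
# add to the JVM command line. File names and paths are assumptions.
set -eu

# Same value as in the article. The default list is replaced, not merged,
# so anything the JDK disables by default must be repeated here.
DISABLED_ALGS='SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768'

# Locate java.security: JDK 8 keeps it under jre/lib/security,
# JDK 9 and later under conf/security.
java_security_path() {
    if [ -f "$1/jre/lib/security/java.security" ]; then
        printf '%s\n' "$1/jre/lib/security/java.security"
    elif [ -f "$1/conf/security/java.security" ]; then
        printf '%s\n' "$1/conf/security/java.security"
    else
        return 1
    fi
}

# Succeeds only if security.overridePropertiesFile is set to true
# (commented-out lines and surrounding whitespace are ignored).
override_allowed() {
    grep -Eq '^[[:space:]]*security\.overridePropertiesFile[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# Write the override file; it contains only the property we change.
write_override_file() {
    printf 'jdk.tls.disabledAlgorithms=%s\n' "$DISABLED_ALGS" > "$1"
}

# Read back the value from an override file, to confirm what was written.
read_disabled_algs() {
    sed -n 's/^jdk\.tls\.disabledAlgorithms=//p' "$1"
}

# A single '=' overrides individual properties; a double '==' would make
# the JVM ignore the whole java.security file. The path must be absolute.
jvm_option() {
    printf '%s\n' "-Djava.security.properties=file://$1"
}

# Post-restart check from a client machine: a TLS 1.0-only handshake must
# fail while a default handshake still succeeds (requires openssl).
check_tls10_refused() {
    if ! openssl s_client -connect "$1:$2" </dev/null >/dev/null 2>&1; then
        echo "cannot reach $1:$2" >&2
        return 2
    fi
    if openssl s_client -connect "$1:$2" -tls1 </dev/null >/dev/null 2>&1; then
        echo "TLSv1 still accepted by $1:$2" >&2
        return 1
    fi
    echo "TLSv1 refused by $1:$2"
}

main() {
    java_home=$1
    out_file=$2
    case $out_file in /*) ;; *) out_file=$(pwd)/$out_file ;; esac
    sec_file=$(java_security_path "$java_home") || {
        echo "java.security not found under $java_home" >&2; exit 1; }
    override_allowed "$sec_file" || {
        echo "security.overridePropertiesFile is not true in $sec_file" >&2; exit 1; }
    write_override_file "$out_file"
    echo "add this option to the JVM command line and restart:"
    jvm_option "$out_file"
}

# Usage: sh tls_override.sh /usr/java/jdk1.8.0 /opt/nolio/conf/nolio.security
[ $# -eq 0 ] || main "$@"
```

After the restart, run check_tls10_refused against the host and port of the endpoint; it exits 0 only when the default handshake works and the TLS 1.0-only handshake is rejected, so a closed port is not mistaken for a hardened one.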