Knowledge Base

Document information

Document ID:5313
Subject:How to enable Forward Secrecy for SynaMan/Syncrify
Creation date:9/12/19 11:25 AM
Last modified on:9/12/19 11:29 AM


Enabling Forward Secrecy

This article applies to both SynaMan and Syncrify

When deploying SynaMan/Syncrify for public use, we recommend you follow industry best practices to make the SSL/TLS connections more secure. This page gives a few tips on hardening the SSL/TLS configuration in SynaMan/Syncrify.

SSL Ciphers

The list of secure SSL ciphers changes over time. When a vulnerability is discovered in a particular cipher, that cipher gets deprecated and you should stop using it.

The following steps demonstrate how to change the list of supported ciphers in SynaMan/Syncrify.

  • Create/Modify server.properties file.
  • Add the following property
    ssl.cipher.list=Comma-separated list of cipher names
    For example:
    ssl.cipher.list=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Forward Secrecy

Along with using updated ciphers, you need the following line in server.properties to achieve forward secrecy.
jdk.tls.ephemeralDHKeySize=2048
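The two settings above only give forward secrecy when every listed suite uses ephemeral (EC)DH key exchange and, for DHE suites, the DH group is large enough. The following checker is an added example, not part of SynaMan/Syncrify; it reads the server.properties keys named in this article and flags suites with static key exchange or a weak DH size. The sample properties content is constructed for the demonstration.

```python
# Constructed sample server.properties content (hypothetical values, not a
# real deployment): one RSA key-exchange suite and an undersized DH group.
SAMPLE_PROPERTIES = """\
ssl.cipher.list=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA
jdk.tls.ephemeralDHKeySize=1024
synametrics.https.sslProtocol=SSLv2Hello,TLSv1.1,TLSv1.2
"""

# Java (JSSE) cipher suite names with these prefixes use ephemeral (EC)DH
# key exchange, which is what gives a session forward secrecy.
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_forward_secrecy(props):
    """Return a list of findings; an empty list means every suite is forward
    secret and the DH group size matches the article's recommendation."""
    findings = []
    ciphers = [c for c in props.get("ssl.cipher.list", "").split(",") if c]
    if not ciphers:
        findings.append("ssl.cipher.list is missing or empty")
    for cipher in ciphers:
        if not cipher.startswith(FORWARD_SECRET_PREFIXES):
            findings.append(f"{cipher}: static key exchange, no forward secrecy")
    if any(c.startswith("TLS_DHE_") for c in ciphers):
        # Finite-field DHE suites depend on the ephemeral DH group size.
        size = props.get("jdk.tls.ephemeralDHKeySize")
        if size is None:
            findings.append("jdk.tls.ephemeralDHKeySize not set; article recommends 2048")
        elif int(size) < 2048:
            findings.append(f"jdk.tls.ephemeralDHKeySize={size}: below 2048")
    return findings


if __name__ == "__main__":
    for finding in check_forward_secrecy(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
```

Run it against your own server.properties by reading the file into parse_properties; an empty findings list means the cipher list and DH size are consistent with this article.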

TLS Protocol

If you wish to enable or disable certain TLS versions, use the following parameter in server.properties:
synametrics.https.sslProtocol=SSLv2Hello,TLSv1.1,TLSv1.2
The example above will only use TLS 1.1 and TLS 1.2 (SSLv2Hello is the legacy hello message format, not a protocol version).

Caution

Some older browsers may not support newer ciphers or TLS versions. Therefore, you may end up locking out legitimate users by tightening the ciphers too much.
