Knowledge Base

Document information

Document ID:5313
Subject:How to enable Forward Secrecy for SynaMan/Syncrify
Creation date:9/12/19 11:25 AM
Last modified on:9/12/19 11:29 AM


Enabling Forward Secrecy

This article applies to both SynaMan and Syncrify

When deploying SynaMan/Syncrify for public use, we recommend following industry best practices to harden its SSL/TLS connections. This page gives a few tips on how to do that in SynaMan and Syncrify.

SSL Ciphers

The list of secure SSL/TLS cipher suites changes over time. When a vulnerability is discovered in a particular cipher suite, it gets deprecated and you should stop using it.

The following steps show how to change the list of supported cipher suites in SynaMan/Syncrify.

  • Create or modify the server.properties file.
  • Add the following property, whose value is a comma-separated list of cipher suite names:
    ssl.cipher.list=<comma-separated list of cipher suite names>
    For example:
    ssl.cipher.list=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Every suite in this example uses ephemeral key exchange (ECDHE or DHE), which is what provides forward secrecy. The GCM suites are the preferred ones; the CBC suites (names containing _CBC_) are older and are kept only for compatibility with clients that cannot negotiate GCM.

Forward Secrecy

Forward secrecy comes from the ephemeral key exchange in the ECDHE and DHE suites listed above: each connection negotiates a fresh session key that cannot be recovered later from the server's private key. The DHE suites also depend on the size of the ephemeral Diffie-Hellman parameters, and older Java runtimes default to 1024 bits, which is too small. Along with using updated ciphers, add the following line to server.properties so that 2048-bit parameters are used:
jdk.tls.ephemeralDHKeySize=2048

TLS Protocol

If you wish to enable/disable certain TLS versions, use the following parameter in server.properties:
synametrics.https.sslProtocol=SSLv2Hello,TLSv1.1,TLSv1.2
The example above allows only TLS 1.1 and TLS 1.2 to be negotiated. SSLv2Hello does not enable SSLv2; it is the Java (JSSE) name for accepting the SSLv2-format ClientHello that some old clients still send, and the connection still ends up on TLS 1.1 or 1.2. TLS 1.0 and 1.1 are deprecated, so where your clients allow it a tighter setting is TLSv1.2 alone (adding TLSv1.3 if the JDK in use supports it).
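As an added example (not part of this article and not code from SynaMan or Syncrify), the following Python script audits the three server.properties settings described above and checks a captured openssl s_client transcript for a forward-secret handshake. It assumes only the property names this article documents and the standard JDK cipher-suite names; the sample properties and the transcript excerpts are constructed.

```python
"""Audit TLS settings in a SynaMan/Syncrify server.properties file and check
an `openssl s_client` transcript for forward secrecy.

Added example; not code from the article or from the Synametrics products.
Assumes only the three property names the article documents and the standard
JDK (IANA) cipher-suite names. All sample inputs are constructed.
"""
import re

FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
# SSLv2Hello is only a ClientHello format, not a protocol version, so it is
# deliberately not in this set.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}

# Constructed: one weak entry in each of the three settings.
WEAK_PROPERTIES = """\
ssl.cipher.list=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
jdk.tls.ephemeralDHKeySize=1024
synametrics.https.sslProtocol=SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
"""
# Constructed: the same file after tightening.
HARDENED_PROPERTIES = """\
ssl.cipher.list=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
jdk.tls.ephemeralDHKeySize=2048
synametrics.https.sslProtocol=TLSv1.2
"""


def parse_properties(text):
    """Minimal key=value parser for a Java .properties file; comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit_cipher_list(value):
    findings = []
    for suite in filter(None, (s.strip() for s in value.split(","))):
        if not suite.startswith(FORWARD_SECRET_PREFIXES):
            findings.append(f"{suite}: static key exchange, no forward secrecy")
        elif "_CBC_" in suite:
            findings.append(f"{suite}: CBC suite is legacy; prefer the GCM suites")
    return findings


def audit_dh_size(value):
    if value is None:
        return ["jdk.tls.ephemeralDHKeySize unset: older JDKs default to 1024-bit DHE parameters"]
    if value == "matched":  # JDK keyword: match the certificate's key size
        return []
    if not value.isdigit() or int(value) < 2048:
        return [f"jdk.tls.ephemeralDHKeySize={value}: DHE parameters below 2048 bits"]
    return []


def audit_protocols(value):
    if value is None:
        return []  # JDK default applies; nothing configured to judge
    names = [p.strip() for p in value.split(",")]
    return [f"{p}: obsolete protocol version enabled" for p in names if p in OBSOLETE_PROTOCOLS]


def audit(properties_text):
    """Return a list of findings; an empty list means the three settings look right."""
    props = parse_properties(properties_text)
    return (audit_cipher_list(props.get("ssl.cipher.list", ""))
            + audit_dh_size(props.get("jdk.tls.ephemeralDHKeySize"))
            + audit_protocols(props.get("synametrics.https.sslProtocol")))


# Constructed excerpts of `openssl s_client -connect host:443 </dev/null` output.
FS_TRANSCRIPT = """\
Server Temp Key: ECDH, P-256, 256 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
NO_FS_TRANSCRIPT = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
"""


def handshake_has_forward_secrecy(transcript):
    """True only if the negotiated suite uses ephemeral key exchange and any
    finite-field DH group is at least 2048 bits (TLS 1.3 is always ephemeral)."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", transcript, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", transcript, re.M)
    if not (proto and cipher):
        return False
    if proto.group(1) == "TLSv1.3":
        return True
    if not cipher.group(1).startswith(("ECDHE-", "DHE-")):
        return False  # static RSA (or similar) key exchange: no forward secrecy
    dh = re.search(r"Server Temp Key: DH, (\d+) bits", transcript)
    return dh is None or int(dh.group(1)) >= 2048


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(f"{label}: {audit(text) or ['no findings']}")
    print("handshake forward secret:", handshake_has_forward_secrecy(FS_TRANSCRIPT))
```

To check a live server, feed the output of `openssl s_client -connect host:port </dev/null` to handshake_has_forward_secrecy; the "Server Temp Key" line shows whether the key exchange was ECDH or finite-field DH and how large the group was.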

Caution

Some older browsers and clients may not support newer cipher suites or TLS versions. Therefore, you may end up locking out legitimate users by tightening the cipher list or protocol versions too much. Test the new settings against the clients you need to support before deploying them.


