Knowledge Base
Document information

| Field | Value |
|---|---|
| Document ID | 5313 |
| Subject | How to enable Forward Secrecy for SynaMan/Syncrify |
| Creation date | 9/12/19 11:25 AM |
| Last modified on | 9/12/19 11:29 AM |
Enabling Forward Secrecy
This article applies to both SynaMan and Syncrify
When deploying SynaMan/Syncrify for public use, we recommend following industry best practices to harden the SSL/TLS connections the server accepts. This page covers a few settings that improve TLS security in SynaMan and Syncrify.
SSL Ciphers
The list of secure TLS cipher suites changes over time. When a vulnerability is discovered in a particular suite, it gets deprecated and you should stop offering it.
The following steps demonstrate how to change the list of supported cipher suites in SynaMan/Syncrify.
- Create or modify the server.properties file.
- Add the following property, where the value is a comma-separated list of standard TLS suite names as the JVM spells them:
ssl.cipher.list=comma-separated list of cipher suite names
For example (every suite below uses ECDHE or DHE key exchange, which is what provides forward secrecy; the *_CBC_SHA entries, CBC mode with a SHA-1 MAC, are the weakest of the group and are only worth keeping for older clients):
ssl.cipher.list=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Forward Secrecy
Forward secrecy itself comes from the ECDHE and DHE suites above: the session key is derived from an ephemeral key exchange, so a later compromise of the server's certificate key does not expose recorded traffic. For the DHE suites you also need the following line in server.properties, which makes the JVM use 2048-bit Diffie-Hellman parameters (older JDKs default to 1024 bits, which is too weak):
jdk.tls.ephemeralDHKeySize=2048
TLS Protocol
If you wish to enable or disable specific TLS versions, use the following parameter in server.properties:
synametrics.https.sslProtocol=SSLv2Hello,TLSv1.1,TLSv1.2
The example above allows only TLS 1.1 and TLS 1.2. SSLv2Hello is a JSSE pseudo-protocol that merely accepts the SSLv2-format ClientHello some old clients send; it does not enable SSLv2. TLS 1.0 and 1.1 are deprecated (RFC 8996), so for a public deployment prefer to list only TLSv1.2 (and TLSv1.3 where the underlying JVM supports it).
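The three settings above are easy to get subtly wrong (a static TLS_RSA_* suite left in the list silently loses forward secrecy, a DHE suite with the default DH size, a deprecated protocol version). The script below is an added example, not code from Synametrics or from this knowledge base: it reads the three property names this article documents from a server.properties file, reports anything that undermines forward secrecy or leaves a deprecated protocol enabled, and includes a small live probe built on Python's standard ssl module that shows which protocol and suite a server actually negotiates. Both properties files embedded in it are constructed samples, one weak and one with the article's recommendations applied.

```python
"""Offline lint for the TLS settings this article describes in a SynaMan/Syncrify
server.properties file.

Added example, not code from Synametrics. It reads only the three keys named
in the article (ssl.cipher.list, jdk.tls.ephemeralDHKeySize,
synametrics.https.sslProtocol); everything else in the file is ignored.
"""
import socket
import ssl

# Constructed sample modelled on the article's examples, with one static-RSA
# suite, a 1024-bit DH size and TLSv1.1 left in so the checks have something to flag.
WEAK_PROPERTIES = """\
# server.properties (constructed sample, weak)
ssl.cipher.list=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256
jdk.tls.ephemeralDHKeySize=1024
synametrics.https.sslProtocol=SSLv2Hello,TLSv1.1,TLSv1.2
"""

# The same file with the article's recommendations applied (constructed sample).
HARDENED_PROPERTIES = """\
# server.properties (constructed sample, hardened)
ssl.cipher.list=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
jdk.tls.ephemeralDHKeySize=2048
synametrics.https.sslProtocol=SSLv2Hello,TLSv1.2
"""

# Versions that should not be offered on a public endpoint (RFC 8996 deprecates
# TLS 1.0/1.1). SSLv2Hello is a JSSE hello-format pseudo-protocol, not SSLv2
# itself, so it is deliberately not in this set.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments.
    Enough for this file; it does not handle ':' separators or line continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def has_forward_secrecy(suite):
    """Only ephemeral (EC)DH key exchange gives a suite forward secrecy;
    TLS_RSA_* suites encrypt the session key to the long-term certificate key."""
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def audit(props):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []

    suites = split_list(props.get("ssl.cipher.list", ""))
    if not suites:
        findings.append(("warn", "ssl.cipher.list not set; the JVM default list applies"))
    for suite in suites:
        if not has_forward_secrecy(suite):
            findings.append(("fail", f"{suite}: static key exchange, no forward secrecy"))
        elif suite.endswith("_CBC_SHA"):
            findings.append(("warn", f"{suite}: CBC mode with SHA-1 MAC, keep only for legacy clients"))

    # The DH group size only matters if a DHE suite can actually be negotiated.
    if any(s.startswith("TLS_DHE_") for s in suites):
        size = props.get("jdk.tls.ephemeralDHKeySize")
        if size is None:
            findings.append(("warn", "jdk.tls.ephemeralDHKeySize not set; older JDKs fall back to 1024-bit DH"))
        elif not size.isdigit() or int(size) < 2048:
            findings.append(("fail", f"jdk.tls.ephemeralDHKeySize={size}; DHE suites need at least 2048"))

    protocols = split_list(props.get("synametrics.https.sslProtocol", ""))
    for proto in protocols:
        if proto in LEGACY_PROTOCOLS:
            findings.append(("fail", f"{proto} is enabled; disable it on public endpoints"))
    if protocols and not {"TLSv1.2", "TLSv1.3"} & set(protocols):
        findings.append(("fail", "neither TLSv1.2 nor TLSv1.3 is enabled"))
    return findings


def negotiated_parameters(host, port=443, timeout=5.0):
    """Live check: connect and return (protocol, cipher) the server actually picked.
    Certificate verification is disabled so self-signed test installs still work;
    this only inspects the negotiated parameters, it is not a trust decision."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        findings = audit(parse_properties(text))
        print(f"{label}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run it as-is to see the weak sample produce four findings and the hardened sample none, or call `audit(parse_properties(open("server.properties").read()))` on a real file. After restarting the service, `negotiated_parameters("your-host", 443)` should report TLSv1.2 (or TLSv1.3) and an ECDHE or DHE suite; if it still shows a TLS_RSA_* suite or an older protocol, the edited file is not the one the server is reading.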
Caution
Some older browsers and backup clients may not support newer cipher suites or TLS versions, so tightening the configuration too far can lock out legitimate users. Check which clients actually connect before removing the CBC suites or TLS 1.1.