LabKey's Recommended SSL configuration for LabKey Servers: /home/Support/Inactive Forums/Server Forum (Inactive)

LabKey's Recommended SSL configuration for LabKey Servers

Installation Forum (Inactive)

View Message

view list print

LabKey's Recommended SSL configuration for LabKey Servers	Brian Connolly	2014-12-15 15:22

Status: Closed

Due to recently reported vulnerabilities in SSL, LabKey is updating our recommended SSL configuration for LabKey Servers. The new recommended SSL configuration (ie the HTTPS connector configuration for Tomcat) uses RSA keys in the certificate and private key only TLSv1, TLSv1.1, TLSv1.2 protocols (SSLv2 and SSLv3 are disabled) industry recommended CIPHER list (See [1] and [2]) The HTTPS connector configuration we recommend is <!-- Define HTTPS connector. --> <Connector port="443" scheme="https" secure="true" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLSv1" ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA" protocol="org.apache.coyote.http11.Http11Protocol" executor="tomcatSharedThreadPool" acceptCount="100" connectionTimeout="20000" clientAuth="false" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" minSpareThreads="25" useBodyEncodingForURI="true" URIEncoding="UTF-8" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/css,application/json" keystoreType="pkcs12" keystorePass="changeit" keystoreFile="/path/to/keystore.tomcat" /> This configuration has been tested on a number of LabKey managed servers. And over the next 2 months, we will upgrade all LabKey Servers we manage to use this new configuration. You can use the connector configuration above or you can download an example Tomcat configuration file, which uses this configuration, from our Samples repository on Github. Our Previous Recommendation For the last year and a half, LabKey has recommended a SSL configuration (ie HTTPS connector configuration in Tomcat), for LabKey Servers, which used: SSLv3 and TLSv1+ protocols for SSL and RC4 ciphers. When we first started recommending this configuration it was created using industry best practices and it protected against most of the known SSL vulnerabilities (HEARTBLEED, BEAST, etc.). However, over the past 6 months, vulnerabilities have been discovered in the SSLv3 protocol (see the POODLE vulnerability) and in using RC4 based ciphers. As a result, we have updated our recommended configuration.