
Configuration of allowed TLS versions and ciphers for Monitoring Station

Communications between Monitoring Station and Agents: add the list of allowed TLS versions and ciphers to uptime.conf using clientSocketTlsVersion and clientSocketCiphers, with ‘:’ as the delimiter, for example:

clientSocketTlsVersion=TLSv1.2

or

clientSocketTlsVersion=TLSv1.0:TLSv1.1:TLSv1.2

clientSocketCiphers=TLS_RSA_WITH_AES_256_CBC_SHA256

or

clientSocketCiphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_RSA_WITH_AES_256_CBC_SHA256

Web application monitoring: add the list of allowed TLS versions and ciphers to uptime.conf using clientHttpCiphers and clientHttpTlsVersion, with ‘:’ as the delimiter, for example:

clientHttpCiphers=TLS_RSA_WITH_AES_256_CBC_SHA256

or

clientHttpCiphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_RSA_WITH_AES_256_CBC_SHA256

clientHttpTlsVersion=TLSv1.2

or

clientHttpTlsVersion=TLSv1.0:TLSv1.1:TLSv1.2

For a full list of supported ciphers, see the Java SE 7 column of the Default Enabled Cipher Suites table in http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html.

Configuration of allowed TLS versions and ciphers for Agents/Stunnel

In uptmagnt.conf specify ‘sslVersion’ and ‘ciphers’ to allow specific TLS versions and ciphers, for example:

ciphers = ECDHE-ECDSA-AES256-SHA384:AES256-SHA256:PSK

or

ciphers = AES256-SHA256

To enable specific SSL/TLS versions, you need to disable all other possible versions. For example, to enable only TLSv1.2, add the following to uptmagnt.conf:

options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

To enable TLSv1.1 and TLSv1.2, use the following options:

options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1

Example of uptmagnt.conf with specific TLS version and cipher:

cert = /etc/stunnel/uptmagnt.pem
exec = /opt/uptime-agent/bin/uptimeagent
 
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
ciphers=AES256-SHA256:PSK
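
Because versions are enabled by leaving out a NO_ line, a missing or commented-out option silently re-enables an old protocol. The following script is an added example, not part of the original page or the product: it reads an uptmagnt.conf and reports which versions remain enabled. It assumes every version in PROTOCOLS is on unless an `options = NO_*` line disables it, and it does not model `sslVersion`; the function names and the sample file are constructed for illustration.

```python
# Protocol versions the page's NO_* options can switch off, oldest first.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Constructed sample: the page's example file with one NO_ line commented out.
SAMPLE_CONF = """\
cert = /etc/stunnel/uptmagnt.pem
exec = /opt/uptime-agent/bin/uptimeagent

options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
; options = NO_TLSv1.1
ciphers=AES256-SHA256:PSK
"""

def parse_conf(text):
    """Return (set of disabled protocol names, list of cipher names)."""
    disabled, ciphers = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":   # blank, or treated as a comment here
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "options" and value.upper().startswith("NO_"):
            disabled.add(value[3:])       # "NO_TLSv1.1" -> "TLSv1.1"
        elif key == "ciphers":
            ciphers = [c for c in value.split(":") if c]
    return disabled, ciphers

def enabled_protocols(text):
    """Versions left enabled under the 'on unless disabled' assumption."""
    disabled, _ = parse_conf(text)
    return [p for p in PROTOCOLS if p not in disabled]

def audit(text, allowed=("TLSv1.2",)):
    """Versions still enabled that are not in the intended allow-list."""
    return [p for p in enabled_protocols(text) if p not in allowed]

if __name__ == "__main__":
    print("enabled:   ", enabled_protocols(SAMPLE_CONF))
    print("unexpected:", audit(SAMPLE_CONF))
    print("ciphers:   ", parse_conf(SAMPLE_CONF)[1])
```

Run it against each agent's uptmagnt.conf after a change; an empty `audit` result means only the intended versions are left enabled.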

For more information about Stunnel configuration, see https://www.stunnel.org/static/stunnel.html#OPTIONS and https://www.stunnel.org/pipermail/stunnel-users/2015-March/004985.html