
Advanced TLS

This topic contains additional information about TLS.

Tuning Protocol Version Availability

In release 8.5.1, as part of the transition from RSA BSAFE to OpenSSL, the behavior of the sec-protocol option was modified. sec-protocol supports the following modes: SSLv23 (the default), SSLv3, TLSv1, TLSv11, and TLSv12.

Important
Starting from Genesys Security Pack 8.5.100.16, the default implementation supports only TLS version 1.1 or higher. Any attempt to set SSLv3 or TLSv1 as the value of the sec-protocol option will result in an error. The default behavior (when the option is not set, or is set to SSLv23 explicitly) will always result in negotiation of a minimum of TLS 1.1.

The availability of a particular protocol setting in sec-protocol strongly depends on the actual component version. Older components may not support this option at all. No components except PSDK and the most recent Management Framework servers support the TLSv12 value.

Generally, the protocol versions currently available are as follows:

  • On UNIX and Linux, TLS 1.2 is the highest available protocol with the OpenSSL Security Pack; TLS 1.1 with the RSA Security Pack.
  • On Windows, TLS 1.1 and TLS 1.2 are supported starting with Microsoft Vista / Server 2008. However, in most cases these must be enabled in the registry to become available. Genesys recommends that you explicitly enable the desired protocol version in the Windows registry; refer to the Windows document TLS/SSL Settings for more information about enabling and disabling protocols in the Windows registry.

Warning
Genesys components use the Windows implementation of TLS on Windows platforms, and therefore Windows settings take precedence over sec-protocol settings. Genesys software is unable to use a protocol version if it is disabled on the Windows operating system level.

The supported protocol version modes can be categorized as one of two types:

  • strict mode—SSLv3, TLSv1, TLSv11, and TLSv12 are the strict protocol version modes. These settings can be used to enforce a specific protocol version. The connection will not be established if the remote server does not accept the enforced protocol version.
  • compatibility mode—SSLv23, the default mode, is compatible with all modes from SSLv2 up to and including TLSv12, and connects using the highest version the other side offers. An SSL 2 client can connect only to servers running in SSLv23 mode, and only if SSL 2 ciphers are explicitly specified. SSL 2 mode is deprecated, highly vulnerable, and not recommended.

Tuning Available Cipher Lists

Normally, the set of available ciphers is provided by your InfoSec team and can be configured to the preferences of the user. The cipher-list configuration option lets a supporting Genesys component select the list of cipher suites used in TLS. The option value is passed to a third-party library and describes the set of permitted cipher suites.

Cipher List Formatting Rules

Important
This section describes cipher list format for an application using the Genesys common library. If you are configuring a cipher list for the PSDK-based application, refer to the Platform SDK Developer's Guide for the proper format, and more information about cipher lists in PSDK.

For applications using the Genesys common library, the cipher list string is a list of cipher operations. Each operation consists of an optional operator character followed by a name. Cipher list strings must conform to the following formatting rules:

Aliases

Ciphers also have aliases. The following table details the primary cipher aliases.

Groups of commonly used ciphers also have aliases, so that multiple ciphers can be specified easily. The following table details the cipher group aliases.

Aliases can also be joined in a colon-separated list to specify the ciphers to add, move, or delete.

Example

The following is an example of a cipher string:

!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP

This cipher string is interpreted in the following sequence:

  1. Do not consider any ciphers that do not authenticate.
  2. Use ciphers that use RC4 and RSA.
  3. Include the HIGH, MEDIUM, and LOW security ciphers.
  4. Add all export ciphers.
  5. Pull all SSLv2 and export ciphers to the end of the list.
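The interpretation above can be checked mechanically. The following is an added example, not Genesys or OpenSSL code, that models the cipher-list operators (no operator, +, -, !, and A+B) over a constructed suite table; the tags per suite are a simplified subset and the names ending in -SSLv2 are invented for illustration.

```python
# Simplified model of how an OpenSSL-style cipher string is evaluated.
# Added example, not Genesys or OpenSSL code. The suite table is a
# constructed subset: a few tags per suite, and invented *-SSLv2 names.
# (suite name, aliases it matches). Tags model key exchange/authentication
# (RSA, ADH), cipher (AES, RC4, DES, RC2), strength (HIGH, MEDIUM, LOW, EXP)
# and protocol (SSLv3, SSLv2).
CIPHER_TABLE = [
    ("AES256-SHA",        {"RSA", "AES", "HIGH",   "SSLv3"}),
    ("AES128-SHA",        {"RSA", "AES", "HIGH",   "SSLv3"}),
    ("ADH-AES128-SHA",    {"ADH", "AES", "HIGH",   "SSLv3"}),
    ("RC4-SHA",           {"RSA", "RC4", "MEDIUM", "SSLv3"}),
    ("RC4-MD5",           {"RSA", "RC4", "MEDIUM", "SSLv3"}),
    ("DES-CBC-SHA",       {"RSA", "DES", "LOW",    "SSLv3"}),
    ("EXP-RC4-MD5",       {"RSA", "RC4", "EXP",    "SSLv3"}),
    ("RC4-MD5-SSLv2",     {"RSA", "RC4", "MEDIUM", "SSLv2"}),  # constructed
    ("EXP-RC2-MD5-SSLv2", {"RSA", "RC2", "EXP",    "SSLv2"}),  # constructed
]

PAGE_EXAMPLE = "!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP"


def apply_cipher_list(spec, table=CIPHER_TABLE):
    """Return the ordered suite list selected by a colon-separated spec.

    No operator: append matching suites not yet listed. '+': move listed
    matches to the end. '-': drop matches (they may be re-added later).
    '!': drop matches permanently. 'A+B' requires both aliases to match.
    """
    selected, killed = [], set()
    for op in spec.split(":"):
        if not op:
            continue
        flag = op[0] if op[0] in "!+-" else ""
        aliases = op[len(flag):].split("+")
        matches = [n for n, tags in table if all(a in tags for a in aliases)]
        if flag == "!":
            killed.update(matches)
            selected = [n for n in selected if n not in killed]
        elif flag == "-":
            selected = [n for n in selected if n not in matches]
        elif flag == "+":
            moved = [n for n in selected if n in matches]
            selected = [n for n in selected if n not in matches] + moved
        else:
            selected += [n for n in matches if n not in selected and n not in killed]
    return selected


if __name__ == "__main__":
    # The page's string only demotes export/SSLv2 suites; '!' removes them.
    print(apply_cipher_list(PAGE_EXAMPLE))
    print(apply_cipher_list("!ADH:!EXP:!LOW:!SSLv2:HIGH:MEDIUM"))
```

Running it shows that the page's string keeps RC4 at the front and leaves the export and SSLv2 suites enabled at the end of the list, whereas a string using ! for those aliases excludes them outright.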

This page was last modified on August 31, 2018, at 06:50.