AdoboAdobo
Participant
March 9, 2018
Question

Where to specify? SSL Protocol and Cipher Suite


Please assist in determining the correct place to specify preferred SSL Protocol and Cipher Suite for AMS?

Example:

sslProtocol="TLSv1.2"

cipher-suite="TLS_ECDHE_RSA_WITH_AES256_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"


Adobe Employee
March 12, 2018

Hi there,

What is the requirement to specify a certain version for SSL?

For Cipher suite please see Server.xml (Line 111) under <ams installation root folder>\conf\ and in Adaptor.xml (Line 254) under <ams installation root folder>\conf\_defaultRoot_.

Regards

Sanjeev

AdoboAdobo
Participant
March 12, 2018

TLSv1.2 is the advised SSL Protocol version our Security Team requires us to implement (Is it possible to specify this?). In regards to the Cipher Suite, I see that the format in adaptor and server XML files uses the following:

Would it still function the same way if I use the following format:

cipher-suite="TLS_ECDHE_RSA_WITH_AES256_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"

Thanks

Adobe Employee
March 13, 2018

Hi,

Choosing a cipher suite is a browser consideration. As far as AMS is concerned, it supports all cipher suites, since we are almost always on the latest version of OpenSSL.

Check the ciphers supported by the browser using this link: SSL Cipher Suites Supported By Your Browser

About the format, here is an example of how you can use an additional attribute for ciphers:

<SSLCipherSuite>
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
</SSLCipherSuite>

Note: AMS does not support SSLv2 or V3 anymore. So, any ciphers which rely on SSLv3 and SSLv2 would not be considered in server-client handshake.

Regards

Sanjeev
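
To see what an OpenSSL-format cipher string like the `<SSLCipherSuite>` value in the reply above enables on a given host, this added example (not part of the thread and not Adobe's code) expands it with Python's `ssl` module, which uses the locally installed OpenSSL. The function names and the forward-secrecy/AEAD policy are assumptions of the example, and the exact list printed depends on the OpenSSL build.

```python
import ssl

# Cipher string quoted in the reply above (OpenSSL cipher-list syntax).
AMS_EXAMPLE = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:"
    "+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:"
    "!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
)

def expand(cipher_string):
    """Return the suites the local OpenSSL enables, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Protocol floor is set separately from the cipher list.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Raises ssl.SSLError if the string selects nothing. TLS 1.3 suites are
    # configured separately by OpenSSL and stay enabled regardless.
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()

def audit(cipher_string):
    """Classify each enabled suite (the policy is this example's assumption)."""
    rows = []
    for c in expand(cipher_string):
        name = c["name"]
        tls13 = c["protocol"] == "TLSv1.3"
        forward_secret = tls13 or name.startswith(("ECDHE-", "DHE-"))
        aead = tls13 or any(m in name for m in ("GCM", "CCM", "CHACHA20"))
        rows.append({"name": name, "since": c["protocol"],
                     "forward_secret": forward_secret, "aead": aead})
    return rows

def weak(cipher_string):
    """Enabled suites that lack forward secrecy or use a non-AEAD mode."""
    return [r["name"] for r in audit(cipher_string)
            if not (r["forward_secret"] and r["aead"])]

if __name__ == "__main__":
    for r in audit(AMS_EXAMPLE):
        print(f'{r["name"]:34} since={r["since"]:8} '
              f'fs={r["forward_secret"]} aead={r["aead"]}')
    print("flagged by example policy:", weak(AMS_EXAMPLE))
```

The `since` column is the protocol version in which OpenSSL says a suite was first defined, not the version a connection will negotiate; the negotiated floor comes from `minimum_version`.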