Pivotal GemFire 8.x and 9.x
The purpose of this article is to explain how the system administrator can disable certain cryptographic algorithms on GemFire members, in general, a recommend practice in critical environments in order to avoid security vulnerabilities and downgrade attacks.
Within GemFire, SSL communication allows configuration of connections to be SSL-based rather than plain socket connections; the SSL implementation ensures that only the applications identified by the user can share distributed system data in transit. The SSL feature can be enabled separately for peer-to-peer, client, JMX, gateway senders and receivers, HTTP connections, etc.
GemFire SSL connections use the Java Secure Sockets Extension (JSSE) package and, in general, the JVM does a good job while picking the latest and most secure available protocol. However, some JDKs don't have the newer protocols (like
TSLv1.2) enabled by default or, even when newer protocols can be used, older protocols are still enabled which could imply a security risk for the whole system.
The following chart depicts the protocols and algorithms supported in each JDK version:
To disable specific cryptographic algorithms during TSL handshaking at the JDK level, the property
jdk.tls.disabledAlgorithms within the file
jre/lib/security/java.security needs to be modified. Keep in mind that this file controls several wide aspects of the Java security mechanism, so it's always better to involve someone from IT/Security team prior to applying any changes.
As an example, to prevent the JDK from accepting connections using older protocols and force the clients to use
TLSv1.2, the property should look like
jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.
More information about Java Secure Socket Extension can be found in the official JSSE Reference Guide.