Pivotal Knowledge Base

Disabling Cryptographic Algorithms During TLS Handshaking

Environment

Pivotal GemFire 8.x and 9.x

Purpose

This article explains how a system administrator can disable specific cryptographic algorithms on GemFire members. This is generally a recommended practice in critical environments, in order to avoid security vulnerabilities and downgrade attacks.

Description

Within GemFire, SSL communication allows configuration of connections to be SSL-based rather than plain socket connections; the SSL implementation ensures that only the applications identified by the user can share distributed system data in transit. The SSL feature can be enabled separately for peer-to-peer, client, JMX, gateway senders and receivers, HTTP connections, etc.

GemFire SSL connections use the Java Secure Socket Extension (JSSE) package and, in general, the JVM does a good job of picking the latest and most secure protocol available. However, some JDKs don't have the newer protocols (like TLSv1.2) enabled by default, and even when newer protocols can be used, older protocols may still be enabled, which can pose a security risk for the whole system.

The following chart depicts the protocols and algorithms supported in each JDK version:

[Image: chart of the protocols and algorithms supported in each JDK version]

To disable specific cryptographic algorithms during TLS handshaking at the JDK level, modify the property jdk.tls.disabledAlgorithms in the file jre/lib/security/java.security. Keep in mind that this file controls many aspects of the Java security mechanism, so it's always better to involve someone from the IT/Security team before applying any changes.

As an example, to prevent the JDK from accepting connections that use older protocols and force the clients to use TLSv1.2, the property should look like this:

jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1
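One way to check the result after editing the file, as an added example that is not part of the original article or of GemFire: the script below reads the effective jdk.tls.disabledAlgorithms value from a java.security file and lists which of SSLv2Hello, SSLv3, TLSv1 and TLSv1.1 are still not disabled. The function names and the sample file content are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Pivotal's code): audit jdk.tls.disabledAlgorithms.
# Print the effective value of jdk.tls.disabledAlgorithms in file $1.
# Handles backslash continuations and #/! comments; the last definition wins.
disabled_algorithms() {
    awk '
        cont  { line = $0; sub(/^[ \t]+/, "", line); val = val line }
        !cont {
            if ($0 ~ /^[ \t]*[#!]/) next
            if ($0 !~ /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*[=:]/) next
            val = $0; sub(/^[^=:]*[=:][ \t]*/, "", val)
        }
        {
            if (val ~ /\\$/) { sub(/\\$/, "", val); cont = 1 }
            else             { cont = 0; result = val }
        }
        END { print result }
    ' "$1"
}

# Print each legacy protocol that is NOT disabled in file $1. Whole-token
# comparison: an entry "TLSv1.1" must not count as disabling "TLSv1".
missing_protocols() {
    value=$(disabled_algorithms "$1")
    for proto in SSLv2Hello SSLv3 TLSv1 TLSv1.1; do
        printf '%s\n' "$value" | tr ',' '\n' |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF "$proto" ||
            printf '%s\n' "$proto"
    done
}

# Constructed sample: a fragment that still allows TLSv1 and TLSv1.1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real JDK file
#jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \
    DH keySize < 768
EOF
echo "effective value: $(disabled_algorithms "$sample")"
echo "not disabled:    $(missing_protocols "$sample" | tr '\n' ' ')"
```

To audit a real installation, pass the path of the JDK's jre/lib/security/java.security file to missing_protocols; empty output means all four legacy protocols are listed.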

References

GemFire SSL configuration details can be found in the SSL chapter within the User's Guide.

More information about Java Secure Socket Extension can be found in the official JSSE Reference Guide.
