AGM SSL configuration best practice

  • KM02061609
  • 18-Jan-2016
  • 21-Jan-2016

Summary

This article describes the best-practice SSL configuration for AGM.

Question

This article provides a best practice for configuring AGM SSL properly. The configuration disables the weak SSLv3 protocol and restricts the connector to a short list of strong cipher suites (AES-CBC with RSA or ECDHE key exchange), which mitigates the following attacks against your AGM instance:

1. POODLE (padding-oracle attack on SSLv3; SSLv3 is excluded).
2. Bar Mitzvah (RC4 keystream biases; no RC4 suite is included).
3. Logjam (weak or export-grade Diffie-Hellman; no DHE suite is included).

Answer

To configure the SSL settings correctly, add the ExcludeProtocols setting to the SslContextFactory and the IncludeCipherSuites setting to the connector, as shown in the Jetty SSL connector definition below. The other settings of your existing connector definition (keystore, port, and so on) remain unchanged:

<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- Existing settings of the factory (keystore, passwords, ...) are omitted
       here; only the ExcludeProtocols setting is new. -->
  <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
     <!-- Refuse SSLv3 handshakes (POODLE). -->
     <Set name="ExcludeProtocols">
         <Array type="java.lang.String">
             <Item>SSLv3</Item>
         </Array>
     </Set>
  </New>

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
        <Arg><Ref id="sslContextFactory" /></Arg>
        <!-- Only these suites are offered: AES-CBC with RSA or ECDHE key
             exchange. RC4 (Bar Mitzvah) and DHE (Logjam) suites are thereby
             excluded. The ECDHE suites additionally provide forward secrecy. -->
        <Set name="IncludeCipherSuites">
          <Array type="java.lang.String">
             <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
             <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
             <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
             <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>

</Configure>
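The following linter checks a Jetty SSL connector definition for exactly the three properties this article relies on: SSLv3 in ExcludeProtocols, no RC4 suite and no DHE or export suite in IncludeCipherSuites. It also warns about static-RSA suites, which lack forward secrecy. This is an added example, not code from the article or from Jetty; the two configurations embedded in it are constructed samples (one unhardened connector, and the settings recommended above), and the suite-name patterns and severities are this example's own assumptions.

```python
"""Lint a Jetty SSL connector definition for the hardening described in this
article: SSLv3 excluded (POODLE), no RC4 suites (Bar Mitzvah) and no DHE or
export suites (Logjam).  Added example; not part of the article or of Jetty.
The <Set>/<Array>/<Item> layout follows the Jetty XML shown in the article;
the suite-name patterns and severities are this example's own assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a connector that has NOT been hardened.  SSLv3 is not
# excluded and the include list still carries an RC4 and a DHE suite.
WEAK_CONFIG = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="KeyStore">/opt/agm/keystore.jks</Set>
  </New>
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
        <Arg><Ref id="sslContextFactory" /></Arg>
        <Set name="IncludeCipherSuites">
          <Array type="java.lang.String">
            <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
            <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

# Constructed sample: the settings recommended by the article.
HARDENED_CONFIG = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String"><Item>SSLv3</Item></Array>
    </Set>
  </New>
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
        <Arg><Ref id="sslContextFactory" /></Arg>
        <Set name="IncludeCipherSuites">
          <Array type="java.lang.String">
            <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

# Suite-name patterns (JSSE naming) mapped to the attack they expose.
RC4_SUITE = re.compile(r"_RC4_")
DH_SUITE = re.compile(r"_DHE?_")          # finite-field DH only; _ECDHE_ does not match
EXPORT_SUITE = re.compile(r"_EXPORT")
RSA_KEX = re.compile(r"^(TLS|SSL)_RSA_")  # static RSA key exchange, no forward secrecy


def _items(root, setting):
    """All <Item> strings under every <Set name=setting> in the document."""
    out = []
    for node in root.iter("Set"):
        if node.get("name") == setting:
            out.extend((item.text or "").strip() for item in node.iter("Item"))
    return out


def lint_jetty_ssl(xml_text):
    """Return (severity, issue, detail) findings for a Jetty SSL config."""
    root = ET.fromstring(xml_text)
    excluded = set(_items(root, "ExcludeProtocols"))
    suites = _items(root, "IncludeCipherSuites")
    findings = []
    if "SSLv3" not in excluded:
        findings.append(("FAIL", "POODLE", "SSLv3 is not in ExcludeProtocols"))
    if not suites:
        findings.append(("FAIL", "cipher-suites",
                         "IncludeCipherSuites is absent; the JVM default list applies"))
    for s in suites:
        if RC4_SUITE.search(s):
            findings.append(("FAIL", "Bar Mitzvah", f"RC4 suite enabled: {s}"))
        if DH_SUITE.search(s) or EXPORT_SUITE.search(s):
            findings.append(("FAIL", "Logjam", f"DH/export suite enabled: {s}"))
        if RSA_KEX.match(s):
            findings.append(("WARN", "forward-secrecy",
                             f"static RSA key exchange, no forward secrecy: {s}"))
    return findings


def is_hardened(xml_text):
    """True when no FAIL-severity finding remains."""
    return not any(sev == "FAIL" for sev, _, _ in lint_jetty_ssl(xml_text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {'OK' if is_hardened(cfg) else 'NOT hardened'}")
        for sev, issue, detail in lint_jetty_ssl(cfg):
            print(f"  {sev:4} {issue:16} {detail}")
```

Run it against the jetty.xml of your AGM instance (read the file and pass its text to lint_jetty_ssl) before restarting the service. The two TLS_RSA suites from the article pass the linter but are reported as warnings because they provide no forward secrecy; if all your clients support ECDHE, the list can be reduced to the two ECDHE suites. After the restart, confirm the result from the outside as well: openssl s_client -connect host:port -ssl3 and openssl s_client -connect host:port -cipher RC4 must both fail to complete a handshake (note that an OpenSSL build without SSLv3 support fails the first test locally regardless of the server, so run it from a build that still speaks SSLv3 or use a dedicated TLS scanner).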