Tigase allows adjusting the most important parameters used when establishing TLS connections: the set of protocols and ciphers that will be offered during negotiation of the connection. The single most important option is hardened-mode; it is the most general configuration and offers a three-step adjustment of the settings (please see the section called “hardened-mode” for details). hardened-mode can be configured both via the TDSL configuration file (either at root level or under sslContextContainer for particular connection managers) and at the VHost level.
If you want to disable certain protocols or ciphers you can use two options: tls-disabled-protocols and tls-disabled-ciphers respectively. As the names suggest, they remove certain items from the default sets. Both take an array of strings naming the items to be removed from the lists.
Let’s say you’d like to remove support for the SSL, SSLv2 and SSLv3 protocols. You should simply use the following configuration: 'tls-disabled-protocols' = ['SSL', 'SSLv2', 'SSLv3']. The complete list of protocols depends on the particular Java version that you use; please refer to its documentation for details. For example, for the default Java 11 list you can check SSLContext Algorithms.
tls-disabled-ciphers follows the same format and uses the names defined in JSSE Cipher Suite Names. It is also possible to use regular expressions to quickly eliminate groups of ciphers.
If you want to enable only specific protocols or ciphers, irrespective of hardened-mode or the disabling options above, you can use tls-enabled-protocols and tls-enabled-ciphers. These two options take arrays as well and configure Tigase to use only the protocols or ciphers that are provided (regular expressions are not supported here). Therefore, if you configure Tigase with 'tls-enabled-protocols' = [ 'TLSv1.2' ], then only TLSv1.2 will be supported by Tigase.
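The following Java program is an added example, not part of Tigase, that models how the disabling and enabling options described above combine, using the running JVM's own supported lists (which, as noted, differ between Java versions). TlsListPreview is a hypothetical class name, and treating tls-disabled-ciphers entries as full-match regular expressions is an assumption, since the page does not state the matching mode.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.*;
import java.util.regex.Pattern;

public class TlsListPreview {
    // Models the documented precedence: a non-empty enabled-* list wins outright,
    // otherwise disabled-* entries are removed from the JVM's supported set.
    // regex=true treats entries as tls-disabled-ciphers patterns (full match is
    // an assumption; the page does not state the matching mode).
    static List<String> effective(String[] supported, List<String> enabled,
                                  List<String> disabled, boolean regex) {
        List<String> out = new ArrayList<>();
        if (enabled != null && !enabled.isEmpty()) {
            // only listed items survive, and only if the JVM actually supports them
            for (String s : supported) if (enabled.contains(s)) out.add(s);
            return out;
        }
        List<Pattern> blocked = new ArrayList<>();
        if (disabled != null)
            for (String d : disabled) blocked.add(Pattern.compile(regex ? d : Pattern.quote(d)));
        for (String s : supported) {
            boolean drop = false;
            for (Pattern p : blocked) if (p.matcher(s).matches()) { drop = true; break; }
            if (!drop) out.add(s);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // what this JVM supports: the list the page says varies between Java versions
        SSLParameters jvm = SSLContext.getDefault().getSupportedSSLParameters();
        List<String> disabledProtocols = Arrays.asList("SSL", "SSLv2", "SSLv3"); // page's example
        List<String> disabledCiphers = Arrays.asList(".*_CBC_.*");             // constructed sample
        System.out.println("JVM protocols:            " + Arrays.toString(jvm.getProtocols()));
        System.out.println("after disabled-protocols: "
                + effective(jvm.getProtocols(), null, disabledProtocols, false));
        System.out.println("CBC suites removed:       " + (jvm.getCipherSuites().length
                - effective(jvm.getCipherSuites(), null, disabledCiphers, true).size()));
        // tls-enabled-protocols wins even though the disabled list is still present
        System.out.println("enabled-only:             "
                + effective(jvm.getProtocols(), Arrays.asList("TLSv1.2"), disabledProtocols, false));
    }
}
```

Running it on the JVM that will host Tigase shows which names a candidate list actually matches before the values are committed to the configuration file.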
The last option that you may be interested in adjusting is ephemeral-key-size. It follows Java’s configuration capabilities outlined in Customizing Size of Ephemeral Diffie-Hellman Keys. Tigase defaults to Diffie-Hellman keys of 4096 bits.
Important
We try to provide the best default set of options, therefore it is recommended to use the defaults provided by Tigase. If you want to make your installation extremely secure (accepting possible connectivity issues with installations that may be less secure) then you should only adjust the hardened-mode setting (and switch it to strict).