TLS/SSL encryption features configuration

Tigase allows adjusting the most important parameters used when establishing TLS connections - set of protocols and ciphers that will be used during negotiation of the connection. The single most important is hardened-mode - it’s the most general configuration and offers three-step adjustment of the settings - please see the section called “hardened-mode” for details. hardened-mode can be configured both via TDSL configuration file (either on root level or for sslContextContainer for particular connection managers) or on VHost level.

If you want to disable certain protocols or ciphers you can use two options: tls-disabled-protocols and tls-disabled-ciphers respectively. They allow, as name suggests, disabling certain items from default sets. They both takes an array of strings, which ten be removed from the lists.

Let’s say you’d like to remove support for SSL, SSLv2 and SSLv3 protocols. You should simply use following configuraiton: 'tls-disabled-protocols' = ['SSL', 'SSLv2', 'SSLv3']. Complete list of protocols depends on particular Java version that you use - please refer to the documentation for details. For example for the default Java11 list you can check SSLContext Algorithms

tls-disabled-ciphers follows same format and uses names defined in JSSE Cipher Suite Names. It’s also possible to use regular expressions to quickly eliminate groups of ciphers.

If you want to enable only specific protocols or ciphers irrespective of hardened-mode or above disabling options you can use tls-enabled-protocols and tls-enabled-ciphers - those two options take arrays as well and they will configure Tigase to use only those protocols or ciphers that are provided (without support for regular expressions). Therefore if you configure Tigase with 'tls-enabled-protocols' = [ 'TLSv1.2' ] then only TLSv1.2 will be supported by Tigase.

The last option that you may be interested in adjusting is ephemeral-key-size - it follows Java’s configuration capabilities outlined in Customizing Size of Ephemeral Diffie-Hellman Keys. Tigase defaults Diffie-Hellman keys of 4096 bits.


We try to provide the best default set of options therefore it’s recommendable to use defaults provided by Tigase. If you want to make your extremely secure (considering possible connectivity issues with installations that may be less secure) then you should only adjust hardened-mode setting (and switch it to strict).