Secure protocol configuration
The Jetty configuration for inbound connections to IDM supports a number of protocols and cipher suites. Enabled protocols are explicitly listed in the includedProtocols list in the conf/jetty.xml file. Only TLSv1.2 and TLSv1.3 are enabled by default:
...
<Array id="includedProtocols" type="java.lang.String">
<!-- Only support TLS v1.2 and v1.3 -->
<Item>TLSv1.2</Item>
<Item>TLSv1.3</Item>
</Array>
...
To disable a particular protocol, remove it from the includedProtocols
list. To add support for a weaker protocol, add it to the list. For example:
...
<Array id="includedProtocols" type="java.lang.String">
<Item>TLSv1.2</Item>
<Item>TLSv1.3</Item>
<Item>SSLv3.0</Item>
</Array>
...
It is highly recommended that you do not enable weaker protocols such as SSL, and TLS versions prior to 1.2. These protocols use outdated algorithms and are generally considered insecure.
Enabled cipher suites for each protocol are listed in the includedCipherSuites list in conf/jetty.xml:
...
<Array id="includedCipherSuites" type="java.lang.String">
<!-- TLS 1.3 cipher suites -->
<Item>TLS_AES_128_GCM_SHA256</Item>
<Item>TLS_AES_256_GCM_SHA384</Item>
<Item>TLS_CHACHA20_POLY1305_SHA256</Item>
<!-- TLS 1.2 cipher suites -->
<Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
</Array>
...
To add support for additional cipher suites, add them as <Item>s in this list.
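An added example (not part of the IDM documentation or the product) that audits the two arrays described above: it parses a jetty.xml document, reports any protocol the text warns against (SSL and TLS versions prior to 1.2), and flags TLS 1.2 cipher suites without forward secrecy, CBC-mode suites, and suites built on broken primitives. The embedded jetty.xml fragment is constructed for the demonstration and simplifies the surrounding structure of the real conf/jetty.xml.

```python
import xml.etree.ElementTree as ET

# Protocols the page warns against, and name fragments marking a suite as weak.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "SSLv3.0", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_anon_", "_MD5")

def weak_cipher_reason(suite):
    """Return why a suite name is weak, or None if acceptable. TLS 1.3 names
    (TLS_AES_*, TLS_CHACHA20_*) have no key exchange and are always AEAD."""
    if not suite.startswith("TLS_"):
        return "legacy SSL_ suite name"
    for marker in WEAK_MARKERS:
        if marker in suite:
            return "uses " + marker.strip("_")
    if "_WITH_" in suite:  # TLS 1.2 style name: check key exchange and mode
        if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            return "no forward secrecy (static key exchange)"
        if "_CBC_" in suite:
            return "CBC mode rather than AEAD"
    return None

def array_items(root, array_id):
    """Collect the <Item> texts of the <Array> whose id matches array_id."""
    return [(item.text or "").strip() for array in root.iter("Array")
            if array.get("id") == array_id for item in array.findall("Item")]

def audit(jetty_xml):
    """Parse jetty.xml text; return (weak protocols, [(suite, reason), ...])."""
    root = ET.fromstring(jetty_xml)
    protocols = [p for p in array_items(root, "includedProtocols") if p in WEAK_PROTOCOLS]
    suites = [(s, weak_cipher_reason(s)) for s in array_items(root, "includedCipherSuites")
              if weak_cipher_reason(s)]
    return protocols, suites

# Constructed fragment carrying the two arrays from the page; the real
# conf/jetty.xml nests them deeper inside the SslContextFactory setup.
SAMPLE_JETTY_XML = """<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Array id="includedProtocols" type="java.lang.String">
    <Item>TLSv1.2</Item><Item>TLSv1.3</Item><Item>SSLv3.0</Item>
  </Array>
  <Array id="includedCipherSuites" type="java.lang.String">
    <Item>TLS_AES_256_GCM_SHA384</Item>
    <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
    <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
  </Array>
</Configure>"""

if __name__ == "__main__":
    print(audit(SAMPLE_JETTY_XML))
```

Run against the sample, the audit reports SSLv3.0 as a weak protocol and TLS_RSA_WITH_AES_128_CBC_SHA as lacking forward secrecy, while the default suites listed on the page all pass.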