How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I limit the supported secure protocols and cipher suites in IDM 5.x and 6.x?

Last updated Apr 8, 2021

The purpose of this article is to provide information on disabling specific secure protocols and cipher suites in IDM. You may need to do this to remove an insecure protocol or address findings from a vulnerability scan.


2 readers recommend this article

Overview

Changes have been made in IDM 7 which mean only TLSv1.2 and TLSv1.3 are enabled by default. Additionally, the process for enabling and disabling protocols and ciphers has changed. You should refer to the documentation for IDM 7 and later: Installation Guide › Enable and Disable Secure Protocols and Cipher Suites.

Pre-IDM 7

By default, Jetty® supports a number of protocols and cipher suites.

To review what protocols and ciphers are supported, you can use tools such as sslscan or sslyze. These are third-party tools that we suggest can be used for information purposes but are not supported by ForgeRock.

Disabling secure protocols

The SSLv3 protocol is disabled by default because it is considered an obsolete and insecure protocol: This POODLE Bites: Exploiting The SSL 3.0 Fallback.

Support for the TLSv1.0 protocol has been removed in IDM 6; see the following PDF: Migrating from SSL and Early TLS from the PCI Security Standards Council for further information. Support for the TLSv1.1 protocol is deprecated in IDM 6 (and removed in IDM 7) due to a potential vulnerability: see CVE-2011-3389 from the National Vulnerability Database from the US National Institute of Standards and Technology for further information.

You can exclude protocols as follows:

  1. Add any protocols you want to exclude to the ExcludeProtocols sections of sslContextFactory and sslContextFactoryMutualAuth in the jetty.xml file (located in the /path/to/idm/conf directory).
  2. Restart IDM to apply these changes.

Example

The following example demonstrates excluding the TLSv1 and TLSv1.1 protocols in addition to the SSLv3 protocol:

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"> ...        <Set name="ExcludeProtocols">             <Array type="java.lang.String">                 <Item>SSLv3</Item>                 <Item>TLSv1</Item>                 <Item>TLSv1.1</Item>             </Array>         </Set> ...     </New>     <New id="sslContextFactoryMutualAuth" class="org.eclipse.jetty.util.ssl.SslContextFactory"> ...         <Set name="ExcludeProtocols">             <Array type="java.lang.String">                 <Item>SSLv3</Item>                 <Item>TLSv1</Item>                 <Item>TLSv1.1</Item>             </Array> ...         </Set> ...     </New>

Disabling cipher suites

You can exclude cipher suites as follows:

  1. Add any cipher suites you want to exclude to the <Array id="excludedCipherSuites" type="java.lang.String"> section in the jetty.xml file (located in the /path/to/idm/conf directory). There are numerous excluded cipher suites by default.
  2. Restart IDM to apply these changes.

Example

The following example demonstrates excluding the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite:

<Array id="excludedCipherSuites" type="java.lang.String">        <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>         <!-- EXP-RC4-MD5 -->         <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>         <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>         <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>         <!-- EXP-EDH-RSA-DES-CBC-SHA or EXP-DHE-RSA-DES-CBC-SHA -->         <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> ...     </Array>

See Also

Administering and configuring IDM

Security Advisories

Integrator's Guide › Disabling and Enabling Secure Protocols

Integrator's Guide › Setting the TLS Version

Jetty - The Definitive Reference

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.