How do I limit the supported secure protocols and cipher suites in IDM 5.x, 6.x and OpenIDM 4.x?
The purpose of this article is to provide information on disabling specific secure protocols and cipher suites in IDM/OpenIDM. You may need to do this to remove an insecure protocol or address findings from a vulnerability scan.
Overview
Changes have been made in IDM 7 which mean only TLSv1.2 and TLSv1.3 are enabled by default. Additionally, the process for enabling and disabling protocols and ciphers has changed. You should refer to the documentation for IDM 7 and later: Installation Guide › Enable and Disable Secure Protocols and Cipher Suites.
IDM 5.x and 6.x
By default, Jetty® supports a number of protocols and cipher suites.
To review what protocols and ciphers are supported, you can use tools such as sslscan or sslyze. These are third-party tools that we suggest can be used for information purposes but are not supported by ForgeRock.
OpenIDM 4.x
You can see what protocols are currently supported in the Enabled Protocols output of the openidm0.log.n log at server startup, for example:
INFO: Enabled Protocols [SSLv2Hello, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
Enabled protocols appear before "of", in the list of all protocols.
To see what cipher suites are currently supported, set the log level to FINE (change the ".level=INFO" to ".level=FINE" in the logging.properties file). The openidm0.log.n log will show a list of Enabled Ciphers when restarting the server, for example (the log snippet has been truncated due to its size):
FINE: Enabled Ciphers [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ... TLS_EMPTY_RENEGOTIATION_INFO_SCSV] of [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256 ... TLS_KRB5_WITH_DES_CBC_MD5]
Disabling secure protocols
The SSLv3 protocol is disabled by default because it is considered obsolete and insecure; see This POODLE Bites: Exploiting The SSL 3.0 Fallback.
Support for the TLSv1.0 protocol has been removed in IDM 6; see the following PDF: Migrating from SSL and Early TLS from the PCI Security Standards Council for further information. Support for the TLSv1.1 protocol is deprecated in IDM 6 (and removed in IDM 7) due to a potential vulnerability: see CVE-2011-3389 from the National Vulnerability Database from the US National Institute of Standards and Technology for further information.
You can exclude protocols as follows:
- Add any protocols you want to exclude to the ExcludeProtocols sections of sslContextFactory and sslContextFactoryMutualAuth in the jetty.xml file (located in the /path/to/idm/conf directory).
- Restart IDM/OpenIDM to apply these changes.
Example
The following example demonstrates excluding the TLSv1 and TLSv1.1 protocols in addition to the SSLv3 protocol:
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    ...
    <Set name="ExcludeProtocols">
        <Array type="java.lang.String">
            <Item>SSLv3</Item>
            <Item>TLSv1</Item>
            <Item>TLSv1.1</Item>
        </Array>
    </Set>
    ...
</New>
<New id="sslContextFactoryMutualAuth" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    ...
    <Set name="ExcludeProtocols">
        <Array type="java.lang.String">
            <Item>SSLv3</Item>
            <Item>TLSv1</Item>
            <Item>TLSv1.1</Item>
        </Array>
        ...
    </Set>
    ...
</New>
Disabling cipher suites
You can exclude cipher suites as follows:
- Add any cipher suites you want to exclude to the <Array id="excludedCipherSuites" type="java.lang.String"> section in the jetty.xml file (located in the /path/to/idm/conf directory). There are numerous excluded cipher suites by default.
- Restart IDM/OpenIDM to apply these changes.
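The following added example (not ForgeRock code and not part of the original article) checks a jetty.xml for the exclusions described in both procedures above, reporting any protocol missing from either SSL context factory and any cipher suite missing from excludedCipherSuites. The sample XML is constructed, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Element ids and the Set name are the ones shown in this article's jetty.xml excerpts.
FACTORIES = ("sslContextFactory", "sslContextFactoryMutualAuth")

# Constructed sample, not a real IDM jetty.xml: the mutual-auth factory was
# left with only SSLv3 excluded, and the cipher suite was never added.
SAMPLE = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Array id="excludedCipherSuites" type="java.lang.String">
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
  </Array>
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="ExcludeProtocols"><Array type="java.lang.String">
      <Item>SSLv3</Item><Item>TLSv1</Item><Item>TLSv1.1</Item>
    </Array></Set>
  </New>
  <New id="sslContextFactoryMutualAuth" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="ExcludeProtocols"><Array type="java.lang.String">
      <Item>SSLv3</Item>
    </Array></Set>
  </New>
</Configure>"""

def items(node):
    """Text of every <Item> below node; empty list if the node is absent."""
    return [] if node is None else [i.text.strip() for i in node.iter("Item") if i.text]

def audit(jetty_xml, protocols, ciphers=()):
    """Return one finding per required exclusion missing from jetty.xml (str or bytes)."""
    root = ET.fromstring(jetty_xml)
    findings = []
    for fid in FACTORIES:
        factory = root.find(f".//New[@id='{fid}']")
        if factory is None:
            findings.append(f"{fid}: not found")
            continue
        excluded = items(factory.find(".//Set[@name='ExcludeProtocols']"))
        findings += [f"{fid}: {p} not excluded" for p in protocols if p not in excluded]
    suites = items(root.find(".//Array[@id='excludedCipherSuites']"))
    findings += [f"excludedCipherSuites: {c} not excluded" for c in ciphers if c not in suites]
    return findings

if __name__ == "__main__":
    # For a real deployment, pass the bytes of /path/to/idm/conf/jetty.xml instead of SAMPLE.
    for finding in audit(SAMPLE, ["SSLv3", "TLSv1", "TLSv1.1"], ["TLS_RSA_WITH_AES_128_CBC_SHA"]):
        print(finding)
```

An empty result means every listed protocol is excluded in both factories and every listed cipher suite is in the excluded array; the server still has to be restarted for the file to take effect.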
Example
The following example demonstrates excluding the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite:
<Array id="excludedCipherSuites" type="java.lang.String">
    <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
    <!-- EXP-RC4-MD5 -->
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
    <!-- EXP-EDH-RSA-DES-CBC-SHA or EXP-DHE-RSA-DES-CBC-SHA -->
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    ...
</Array>
See Also
Administering and configuring IDM/OpenIDM
Integrator's Guide › Disabling and Enabling Secure Protocols