From: Sander A. <sa....@fz...> - 2020-04-01 07:58:25
Hi Krzysztof,

is it possible to disable specific TLS versions (1.0 and 1.1)? I found
only the unityServer.core.httpServer.disabledCipherSuites parameter we
already use for a list of outdated cipher suites.

Cheers,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt
-----------------------------------------------------------------------

From: Marcus H. <ha...@ki...> - 2020-04-01 08:31:48
Are you referring to the "B" from here:
https://www.ssllabs.com/ssltest/analyze.html?d=login.helmholtz-data-federation.de

M.

On 04/01/20 09:57, Sander Apweiler wrote:
> Hi Krzysztof,
>
> is it possible to disable specific TLS versions (1.0 and 1.1)? I found
> only the unityServer.core.httpServer.disabledCipherSuites parameter we
> already use for a list of outdated cipher suites.
>
> Cheers,
> Sander
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

--
Marcus.

From: Krzysztof B. <kb...@un...> - 2020-04-01 08:53:20
Hi Sander,

On 01.04.2020 at 09:57, Sander Apweiler wrote:
> Hi Krzysztof,
>
> is it possible to disable specific TLS versions (1.0 and 1.1)? I found
> only the unityServer.core.httpServer.disabledCipherSuites parameter we
> already use for a list of outdated cipher suites.
>
Which Unity version and which Java version do you use?

KB

From: Sander A. <sa....@fz...> - 2020-04-01 08:57:57
Hi Krzysztof,

at the moment we are using different versions of Unity: 2.8.2, 3.2.0
Java version: openjdk version "1.8.0_161"

Cheers,
Sander

On Wed, 2020-04-01 at 10:53 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 01.04.2020 at 09:57, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > is it possible to disable specific TLS versions (1.0 and 1.1)? I
> > found only the unityServer.core.httpServer.disabledCipherSuites
> > parameter we already use for a list of outdated cipher suites.
> >
> Which Unity version and which Java version do you use?
>
> KB

From: Krzysztof B. <kb...@un...> - 2020-04-02 10:30:39
On 01.04.2020 at 10:57, Sander Apweiler wrote:
> Hi Krzysztof,
>
> at the moment we are using different versions of Unity: 2.8.2, 3.2.0
> Java version: openjdk version "1.8.0_161"
>
OK, so after some checking (it was not so easy, as our instances are
mostly behind proxies) it seems that it depends :-) On quite a few
things like JVM version, settings, ciphersuites etc. Jetty has
officially documented that TLS 1.0 and 1.1 are disabled by default, but
it seems not to always be the case in practice.

So to simplify the landscape, in version 3.2.2 there will be a new
option allowing to disable specific protocol versions allowed by
Unity's HTTPS server, regardless of the JVM settings. What is more, in
3.3.0 TLS 1.1 and 1.0 will be disabled *by default*.

Cheers,
Krzysztof
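
Added example, not part of the thread and not Unity's or Jetty's own code: the last reply says the accepted TLS versions depend on the JVM version and settings, so this stand-alone check (Java 8 compatible) prints what the running JVM enables for server sockets by default and what remains once TLS 1.0 and 1.1 are removed. The class name `TlsProtocolCheck` and the helper `withoutLegacy` are hypothetical.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;

public class TlsProtocolCheck {
    // JSSE protocol names for the two versions discussed in the thread.
    static final List<String> LEGACY = Arrays.asList("TLSv1", "TLSv1.1");

    // Returns the given protocol list with TLS 1.0 and TLS 1.1 removed.
    static String[] withoutLegacy(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String p : protocols) {
            if (!LEGACY.contains(p)) {
                kept.add(p);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // JVM-level inputs that influence which protocol versions are offered.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLContext ctx = SSLContext.getDefault();
        // Unbound server socket: nothing listens, we only inspect its TLS settings.
        try (SSLServerSocket ss =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket()) {
            String[] enabled = ss.getEnabledProtocols();
            System.out.println("enabled by default = " + Arrays.toString(enabled));

            String[] hardened = withoutLegacy(enabled);
            if (hardened.length == 0) {
                System.out.println("no protocol newer than TLS 1.1 is enabled on this JVM");
                return;
            }
            // Apply the restricted list the way an embedding server would.
            SSLParameters params = ss.getSSLParameters();
            params.setProtocols(hardened);
            ss.setSSLParameters(params);
            System.out.println("after restriction  = "
                    + Arrays.toString(ss.getEnabledProtocols()));
        }
    }
}
```

Run it with the same JVM binary and `java.security` configuration as the server, since the result reflects only the JVM defaults and not any settings the HTTPS server applies on top.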