| Attributes | Values |
|---|
| type
| |
| Date Created
| |
| Date Modified
| |
| label
| - VirtTipsAndTricksManageSSLProtocols
|
| maker
| |
| Title
| - VirtTipsAndTricksManageSSLProtocols
|
| isDescribedUsing
| |
| has creator
| |
| content
| - %META:TOPICPARENT{name="VirtTipsAndTricksGuide"}%
---+ Managing SSL Protocols and Ciphers used with Virtuoso
%TOC%
---++ What
As of Virtuoso 7.2, SSL protocol and cipher support is now configurable for connections from all HTTP, ODBC, JDBC, ADO.NET, and OLE-DB clients.
---++ Why
Default binding to <nop>OpenSSL can expose Virtuoso instances to version- and cipher-specific SSL vulnerabilities (e.g., recent [[http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability][Poodle exploit]]). Being able to scope Virtuoso's use of SSL to one or more specific versions provides instance administrators better protection against a moving target.
---++ How
---+++ Basic SSL Protocol Configuration
Basic configuration is through the <b><code><nowiki>SSL_Protocols</nowiki></code></b> values in the <code>[Parameters]</code> and <code>[HTTP]</code> sections of the Virtuoso INI file. These are comma+space-separated ("<code>, </code>") value lists. Including a protocol name explicitly enables it; preceding the protocol name with an exclamation point ("<code>!</code>") explicitly disables it.
---++++ Supported SSL Protocols and INI keyword values
| *SSL/TLS Version* | *Value for INI file* | *Notes* |
| SSLv2 | <i>—</i> | Permanently disabled. |
| SSLv3 | <code>SSLv3</code> | Disabled by default. To our knowledge, only required by IE6/Windows XP clients. |
| TLSv1 | <code>TLSv1</code> | Enabled by default. |
| TLSv1.1 | <code>TLSv1.1</code> | Enabled by default, supported if available in local <code>openssl</code> library. |
| TLSv1.2 | <code>TLSv1.2</code> | Enabled by default, supported if available in local <code>openssl</code> library. |
---+++ Advanced SSL Cipher List Configuration
The <b><code><nowiki>SSL_Cipher_List</nowiki></code></b> values in the <code>[Parameters]</code> and <code>[HTTP]</code> stanzas of the Virtuoso INI file may also be adjusted, to disable particular ciphers when there are security reports about some new attack that breaks them. These are colon-separated ("<code>:</code>") value lists.
Including a protocol name or groupname explicitly enables it; preceding the protocol name with an exclamation point ("<code>!</code>") explicitly disables it. You can review the ciphers supported by your local <code><nowiki>OpenSSL</nowiki></code> library with the command
<verbatim>
openssl ciphers -v ALL
</verbatim>
For instance, we recommend explicitly forbidding anonymous cipher suites (i.e., ones that don?t use certificates, and are therefore susceptible to man-in-the-middle attacks) using <b><code>!aNULL</code></b>.
We also recommend including <b><code>@STRENGTH</code></b> at the end of the list, so that <nop>OpenSSL will prioritize the enabled ciphers by key length, regardless of the list order.
---+++ Recommended Settings
The sample settings below provide a reasonable tradeoff of security versus flexibility. As shown, we have enabled SSLv3 on the HTTPS ports for IE6 users, but left this disabled on the SQL data port.
<verbatim>
[Parameters]
SSL_Protocols = TLSv1, TLSv1.1, TLSv1.2
SSL_Cipher_List = HIGH:!aNULL:!eNULL:!RC4:!DES:!MD5:!PSK:!SRP:!KRB5:!SSLv2:!EXP:!MEDIUM:!LOW:!DES-CBC-SHA:@STRENGTH
[HTTP]
SSL_Protocols = SSLv3, TLSv1, TLSv1.1, TLSv1.2
SSL_Cipher_List = HIGH:!aNULL:!eNULL:!RC4:!DES:!MD5:!PSK:!SRP:!KRB5:!SSLv2:!EXP:!MEDIUM:!LOW:!DES-CBC-SHA:@STRENGTH
</verbatim>
---++ Related
* [[http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability][SSL 3.0 and Poodle Vulnerability]]
* [[VirtTipsAndTricksGuide][Virtuoso Tips and Tricks Collection]]
|
| id
| - eef7140502e0f7ea6c31c03f76a71973
|
| link
| |
| has container
| |
| http://rdfs.org/si...ices#has_services
| |
| atom:title
| - VirtTipsAndTricksManageSSLProtocols
|
| links to
| |
| atom:source
| |
| atom:author
| |
| atom:published
| |
| atom:updated
| |
| topic
| |
| is made
of | |
| is container of
of | |
| is link
of | |
| is http://rdfs.org/si...vices#services_of
of | |
| is links to
of | |
| is creator of
of | |
| is atom:entry
of | |
| is atom:contains
of | |
![[RDF Data]](/fct/images/sw-rdf-blue.png)
![[cxml]](/fct/images/cxml_doc.png)
![[csv]](/fct/images/csv_doc.png)
![[text]](/fct/images/ntriples_doc.png)
![[turtle]](/fct/images/n3turtle_doc.png)
![[ld+json]](/fct/images/jsonld_doc.png)
![[rdf+json]](/fct/images/json_doc.png)
![[rdf+xml]](/fct/images/xml_doc.png)
![[atom+xml]](/fct/images/atom_doc.png)
![[html]](/fct/images/html_doc.png)