%META:TOPICPARENT{name="VirtTipsAndTricksGuide"}%

---+ Managing SSL Protocols and Ciphers used with Virtuoso

%TOC%

---++ What

As of Virtuoso 7.2, SSL protocol and cipher support is configurable for connections from all HTTP, ODBC, JDBC, ADO.NET, and OLE-DB clients.

---++ Why

Default binding to OpenSSL can expose Virtuoso instances to version- and cipher-specific SSL vulnerabilities (e.g., the recent [[http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability][POODLE attack]] on SSLv3). Being able to restrict Virtuoso's use of SSL/TLS to one or more specific protocol versions gives instance administrators better protection against a moving target.

---++ How

---+++ Basic SSL Protocol Configuration

Basic configuration is through the SSL_Protocols values in the [Parameters] and [HTTP] sections of the Virtuoso INI file. These are comma+space-separated (", ") value lists. Including a protocol name explicitly enables it; preceding the protocol name with an exclamation point ("!") explicitly disables it.

---++++ Supported SSL Protocols and INI keyword values

| *SSL/TLS Version* | *Value for INI file* | *Notes* |
| SSLv2 | | Permanently disabled. |
| SSLv3 | SSLv3 | Disabled by default. To our knowledge, only required by IE6/Windows XP clients. |
| TLSv1 | TLSv1 | Enabled by default. |
| TLSv1.1 | TLSv1.1 | Enabled by default, supported if available in the local OpenSSL library. |
| TLSv1.2 | TLSv1.2 | Enabled by default, supported if available in the local OpenSSL library. |

---+++ Advanced SSL Cipher List Configuration

The SSL_Cipher_List values in the [Parameters] and [HTTP] stanzas of the Virtuoso INI file may also be adjusted, to disable particular ciphers when security reports describe a new attack that breaks them. These are colon-separated (":") value lists.

Including a cipher name or cipher group name explicitly enables it; preceding the name with an exclamation point ("!") explicitly disables it. You can review the ciphers supported by your local OpenSSL library with the command

openssl ciphers -v ALL

For instance, we recommend explicitly forbidding anonymous cipher suites (i.e., ones that don't use certificates and are therefore susceptible to man-in-the-middle attacks) using !aNULL.

We also recommend including @STRENGTH at the end of the list, so that OpenSSL will sort the enabled ciphers by key length, regardless of the list order.

---+++ Recommended Settings

The sample settings below provide a reasonable tradeoff of security versus flexibility. As shown, we have enabled SSLv3 on the HTTPS ports for IE6 users, but left it disabled on the SQL data port.

[Parameters]
SSL_Protocols   = TLSv1, TLSv1.1, TLSv1.2
SSL_Cipher_List = HIGH:!aNULL:!eNULL:!RC4:!DES:!MD5:!PSK:!SRP:!KRB5:!SSLv2:!EXP:!MEDIUM:!LOW:!DES-CBC-SHA:@STRENGTH

[HTTP]
SSL_Protocols   = SSLv3, TLSv1, TLSv1.1, TLSv1.2
SSL_Cipher_List = HIGH:!aNULL:!eNULL:!RC4:!DES:!MD5:!PSK:!SRP:!KRB5:!SSLv2:!EXP:!MEDIUM:!LOW:!DES-CBC-SHA:@STRENGTH

---++ Related

   * [[http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability][SSL 3.0 and Poodle Vulnerability]]
   * [[VirtTipsAndTricksGuide][Virtuoso Tips and Tricks Collection]]

Topic VirtTipsAndTricksManageSSLProtocols, 2017-06-13T05:44:37Z
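As an added example (not part of the original page and not Virtuoso's own code), the following Python script applies the rules above to a virtuoso.ini: it resolves each SSL_Protocols list against the documented defaults (assuming a protocol that is not listed keeps its default) and checks each SSL_Cipher_List for the two recommendations, !aNULL and a trailing @STRENGTH. The sample INI is constructed: a weak data-port stanza next to the recommended HTTPS settings.

```python
import configparser

# SSL_Protocols names Virtuoso 7.2 accepts, with the documented defaults:
# SSLv2 permanently off, SSLv3 off unless listed, TLSv1/1.1/1.2 on.
PROTOCOL_DEFAULTS = {"SSLv2": False, "SSLv3": False,
                     "TLSv1": True, "TLSv1.1": True, "TLSv1.2": True}

def resolve_protocols(value):
    """Apply a comma-separated SSL_Protocols value: 'name' enables, '!name'
    disables, unlisted names keep their default (assumption), SSLv2 stays off."""
    enabled = dict(PROTOCOL_DEFAULTS)
    for item in (v.strip() for v in value.split(",") if v.strip()):
        name = item.lstrip("!")
        if name not in enabled:
            raise ValueError(f"unknown protocol {name!r} in SSL_Protocols")
        if name != "SSLv2":
            enabled[name] = not item.startswith("!")
    return [p for p, on in enabled.items() if on]

def audit_cipher_list(value):
    """Findings for an SSL_Cipher_List value against the page's two rules:
    anonymous suites must be excluded and @STRENGTH must be the last token."""
    tokens = [t.strip() for t in value.split(":")]
    findings = []
    if "!aNULL" not in tokens:
        findings.append("anonymous suites not excluded (add !aNULL)")
    if tokens[-1] != "@STRENGTH":
        findings.append("@STRENGTH is not the last token")
    return findings

def audit_ini(text):
    """Map each of [Parameters] and [HTTP] to its list of findings."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case exactly as written in virtuoso.ini
    cfg.read_string(text)
    report = {}
    for section in ("Parameters", "HTTP"):
        findings = []
        if "SSLv3" in resolve_protocols(cfg.get(section, "SSL_Protocols", fallback="")):
            findings.append("SSLv3 enabled (POODLE); keep only if IE6/XP clients need it")
        findings += audit_cipher_list(cfg.get(section, "SSL_Cipher_List", fallback="ALL"))
        report[section] = findings
    return report

# Constructed sample: a weak SQL data port beside the page's recommended HTTPS settings.
SAMPLE_INI = """\
[Parameters]
SSL_Protocols   = SSLv3, TLSv1, TLSv1.1, TLSv1.2
SSL_Cipher_List = ALL
[HTTP]
SSL_Protocols   = SSLv3, TLSv1, TLSv1.1, TLSv1.2
SSL_Cipher_List = HIGH:!aNULL:!eNULL:!RC4:!DES:!MD5:!PSK:!SRP:!KRB5:!SSLv2:!EXP:!MEDIUM:!LOW:!DES-CBC-SHA:@STRENGTH
"""
```

Running `audit_ini(SAMPLE_INI)` reports three findings for [Parameters] and only the deliberate SSLv3 exception for [HTTP].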