SSL Client Ciphers

Which SSL ciphers to allow for client HTTPS/SSL connections when walking, or when performing Results Authorization during searches; i.e. for connections from the Search Appliance to remote https:// URLs. The default (if empty) is the OpenSSL default list for the current OpenSSL client (Texis) library. Some SSL ciphers may be known to be vulnerable, and administrators may wish to disable them via this setting.

The syntax is similar to the Apache HTTP server SSLCipherSuite setting: an optional SSL (default) or TLSv1.3 token indicating a cipher protocol group, followed (after spaces) by a colon-separated list of ciphers (OpenSSL format). Each line gives ciphers for a different protocol group, like a separate SSLCipherSuite Apache setting. The default (if unset/empty) is to use the OpenSSL defaults. A given cipher protocol group should not be specified more than once: combine all ciphers for a group into one line. Each distinct cipher protocol group's list is independent, and only applies to the indicated protocol(s) in the group.

Modifying - specifically, shortening - the cipher list is also a way to connect to long-handshake-intolerant HTTPS servers. These servers cannot handle an SSL ClientHello message longer than 255 bytes, and time out when receiving one (e.g. with Timeout completing SSL handshake ... errors). The default OpenSSL cipher list may cause the ClientHello message to exceed 255 bytes, triggering this intolerance in such servers. By setting a shorter cipher list, the ClientHello message can be shortened and the connection established. Disabling SNI via SSL Use SNI (here) is another way to shorten the ClientHello message.

Note that support for some (e.g. vulnerable) ciphers may end in some the Search Appliance versions, depending on the concurrent OpenSSL libs' support: e.g. 40- and 56-bit ciphers are no longer supported in OpenSSL 1.1.0 and later. Also, the list of ciphers classified as LOW, EXPORT etc. may change.

Due to increasing deprecation of weaker protocols and ciphers in OpenSSL for security, using SSLv3, TLSv1 and/or TLSv1.1 protocols when the Texis version is 8 or later may require - in addition to enabling SSLv3 via SSL Client Protocols (here) - reducing the security level in OpenSSL. This is accomplished by adding DEFAULT:@SECLEVEL=0 to the default (SSL) cipher list. Doing so is not recommended, nor is using such weaker protocols.

Note: To change the server-side SSL ciphers accepted by the Search Appliance - e.g. for admin, search, Dataload etc. - see HTTPS/SSL Ciphers under System Wide Settings.


Copyright © Thunderstone Software     Last updated: Nov 8 2024
Copyright © 2024 Thunderstone Software LLC. All rights reserved.