Supported TLS and SSL protocols and ciphers
HCL DevOps Deploy (Deploy) supports multiple SSL protocols and ciphers for communication among servers.
Deploy supports TLS v1.2, TLS v1.3, and SSL protocols. Deploy supports the SSL v3 protocol only if older agents require it.
- Limiting and disabling SSL and TLS protocols and ciphers is done at the JVM level rather than the application level.
- Support for TLS v1.0, TLS v1.1, and SSL v2Hello is deprecated.
Deploy uses SSL to communicate between the web UI and the server, and between the servers that use ActiveMQ. The SSL certificates that control both types of communication use the Java™ KeyStore (JKS) format. These certificates are generated with a 2048-bit RSA key and are signed with the SHA256withRSA algorithm.
By default, the web UI connects on port 8443. The server certificate is in the opt/tomcat/conf/tomcat.keystore file. See Configuring SSL on Apache Tomcat and LDAP servers for more information.
The SSL ciphers you can use depend on which ciphers the Java crypto provider supports in the JRE on which you installed your Deploy server, relay, and agent. For example, refer to the list of providers for Oracle/OpenJDK Java 11.
The following SSL cipher suites are enabled by default:
- AES_256_GCM_SHA384
- AES_128_GCM_SHA256
- AES_128_CCM_8_SHA256
- AES_128_CCM_SHA256
- CHACHA20_POLY1305_SHA256
- ECDH_ECDSA_WITH_AES_128_CBC_SHA
- ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- ECDH_ECDSA_WITH_AES_256_CBC_SHA
- ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- ECDH_RSA_WITH_AES_128_CBC_SHA
- ECDH_RSA_WITH_AES_128_CBC_SHA256
- ECDH_RSA_WITH_AES_128_GCM_SHA256
- ECDH_RSA_WITH_AES_256_CBC_SHA
- ECDH_RSA_WITH_AES_256_CBC_SHA384
- ECDH_RSA_WITH_AES_256_GCM_SHA384
- ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- ECDHE_RSA_WITH_AES_128_CBC_SHA
- ECDHE_RSA_WITH_AES_128_CBC_SHA256
- ECDHE_RSA_WITH_AES_128_GCM_SHA256
- ECDHE_RSA_WITH_AES_256_CBC_SHA
- ECDHE_RSA_WITH_AES_256_CBC_SHA384
- ECDHE_RSA_WITH_AES_256_GCM_SHA384
- ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- RSA_WITH_AES_128_CBC_SHA
- RSA_WITH_AES_128_CBC_SHA256
- RSA_WITH_AES_128_GCM_SHA256
- RSA_WITH_AES_256_CBC_SHA
- RSA_WITH_AES_256_CBC_SHA256
- RSA_WITH_AES_256_GCM_SHA384
- RSA_WITH_CAMELLIA_128_CBC_SHA
- RSA_WITH_CAMELLIA_128_CBC_SHA256
- RSA_WITH_CAMELLIA_256_CBC_SHA
- RSA_WITH_CAMELLIA_256_CBC_SHA256
Overriding suggested cipher suites
Deploy suggests ciphers based on their availability and on what the system identifies as secure. You can use system properties to add specific ciphers, or to prevent the system from automatically adding a cipher to the default cipher list.
To add specific ciphers, set the com.urbancode.commons.util.ssl.sslContextEnabledCiphers property to a comma-separated list of cipher names:
com.urbancode.commons.util.ssl.sslContextEnabledCiphers=cipher1,cipher2
To prevent the system from automatically adding suggested ciphers, set:
com.urbancode.commons.util.ssl.sslContextIgnoreSuggestedCiphers=true
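As an added example (not code from the Deploy product or its documentation), the following Java program checks the default suites listed above against the JRE it runs on, which is what the cipher-availability section says decides what Deploy can actually negotiate, flags suites that lack forward secrecy or AEAD, and prints values for the two override properties. It assumes that the properties accept the standard JSSE suite names, which are the documented names with a TLS_ prefix; the class name DeployCipherAudit is arbitrary.

```java
import javax.net.ssl.SSLContext;
import java.util.*;

public class DeployCipherAudit {
    // Default suite names as printed in the Deploy documentation (without the TLS_ prefix).
    static final String DEPLOY_DEFAULTS =
        "AES_256_GCM_SHA384,AES_128_GCM_SHA256,AES_128_CCM_8_SHA256,AES_128_CCM_SHA256,CHACHA20_POLY1305_SHA256,"
      + "ECDH_ECDSA_WITH_AES_128_CBC_SHA,ECDH_ECDSA_WITH_AES_128_CBC_SHA256,ECDH_ECDSA_WITH_AES_128_GCM_SHA256,"
      + "ECDH_ECDSA_WITH_AES_256_CBC_SHA,ECDH_ECDSA_WITH_AES_256_CBC_SHA384,ECDH_ECDSA_WITH_AES_256_GCM_SHA384,"
      + "ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,ECDH_RSA_WITH_AES_128_CBC_SHA,ECDH_RSA_WITH_AES_128_CBC_SHA256,"
      + "ECDH_RSA_WITH_AES_128_GCM_SHA256,ECDH_RSA_WITH_AES_256_CBC_SHA,ECDH_RSA_WITH_AES_256_CBC_SHA384,ECDH_RSA_WITH_AES_256_GCM_SHA384,"
      + "ECDHE_ECDSA_WITH_AES_128_CBC_SHA,ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
      + "ECDHE_ECDSA_WITH_AES_256_CBC_SHA,ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
      + "ECDHE_RSA_WITH_AES_128_CBC_SHA,ECDHE_RSA_WITH_AES_128_CBC_SHA256,ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
      + "ECDHE_RSA_WITH_AES_256_CBC_SHA,ECDHE_RSA_WITH_AES_256_CBC_SHA384,ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
      + "ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,RSA_WITH_AES_128_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,RSA_WITH_AES_128_GCM_SHA256,"
      + "RSA_WITH_AES_256_CBC_SHA,RSA_WITH_AES_256_CBC_SHA256,RSA_WITH_AES_256_GCM_SHA384,RSA_WITH_CAMELLIA_128_CBC_SHA,"
      + "RSA_WITH_CAMELLIA_128_CBC_SHA256,RSA_WITH_CAMELLIA_256_CBC_SHA,RSA_WITH_CAMELLIA_256_CBC_SHA256";

    // Forward secrecy: TLS 1.3 suites (no key exchange in the name) and ephemeral (EC)DHE suites.
    // Static ECDH_* and plain RSA_* key exchange expose all past sessions if the server key leaks.
    static boolean forwardSecret(String s) {
        return !s.contains("_WITH_") || s.startsWith("ECDHE_") || s.startsWith("DHE_");
    }
    // AEAD ciphers (GCM, CCM, ChaCha20-Poly1305); CBC suites use the older MAC-then-encrypt construction.
    static boolean aead(String s) {
        return s.contains("_GCM_") || s.contains("_CCM") || s.contains("CHACHA20_POLY1305");
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // What this JVM's crypto provider can negotiate at all, and what it enables by default.
        Set<String> supported = new HashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        List<String> hardened = new ArrayList<>();
        for (String name : DEPLOY_DEFAULTS.split(",")) {
            String jsse = "TLS_" + name; // assumption: JSSE names are the documented names with a TLS_ prefix
            String availability = !supported.contains(jsse) ? "unsupported by this JVM"
                    : enabled.contains(jsse) ? "JVM default" : "supported, off by default";
            boolean strong = forwardSecret(name) && aead(name);
            System.out.printf("%-45s %-26s %s%n", jsse, availability, strong ? "PFS+AEAD" : "legacy");
            if (strong && supported.contains(jsse)) hardened.add(jsse);
        }
        // Property values that pin Deploy to the forward-secret AEAD suites this JVM actually offers.
        System.out.println("\ncom.urbancode.commons.util.ssl.sslContextEnabledCiphers=" + String.join(",", hardened));
        System.out.println("com.urbancode.commons.util.ssl.sslContextIgnoreSuggestedCiphers=true");
    }
}
```

Run it with the same JRE that the Deploy server, relay, or agent uses, since a different JVM or crypto provider can report a different supported set.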