Configuring TLS Cipher List - dogtagpki/pki GitHub Wiki

Overview

This page describes how to configure the TLS cipher list, either during installation (see Two-Step Installation) or after installation.

Configuring TLS Server Cipher List

To configure the TLS server cipher list, edit the cipher list in /var/lib/pki/pki-tomcat/conf/server.xml as needed (see Configuring Tomcat JSS):

<Server>
    ...
    <Connector
            ...
            tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
            ...
            />
    ...
</Server>

Configuring TLS Client Cipher List

Note: This procedure applies only to communication between CS subsystems where one subsystem acts as the client; it does not apply to the CA subsystem's connection to the LDAP server.

To configure the TLS client cipher list that the CA uses when communicating with the KRA, edit /var/lib/pki/pki-tomcat/ca/conf/CS.cfg and update the clientCiphers parameter, e.g.:

ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

To configure the TLS client cipher list that the TPS uses when communicating with the CA, KRA, and TKS, edit /var/lib/pki/pki-tomcat/tps/conf/CS.cfg and update the following parameters:

tps.connector.<ca id>.clientCiphers=...
tps.connector.<kra id>.clientCiphers=...
tps.connector.<tks id>.clientCiphers=...
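The server list above uses the Tomcat JSS "+name" (enable) / "-name" (disable) syntax, while the CS.cfg clientCiphers lists are plain comma-separated names, and a subsystem-to-subsystem connection can only succeed if the client's list overlaps the enabled set on the peer's server.xml. The following audit script is an added example; it is not part of the dogtagpki/pki wiki or code base. It reads the tlsCiphers attribute from a server.xml fragment, computes the enabled set, flags enabled suites a reviewer would normally question (3DES, and static RSA or static ECDH key exchange, which lacks forward secrecy), and checks a clientCiphers list against that set. The server.xml and CS.cfg texts are constructed stand-ins for the real files (the cipher values are the ones on this page), and the check assumes the server.xml being audited belongs to the peer the client connects to (here, the KRA).

```python
"""Audit the TLS cipher configuration of a Dogtag PKI instance.

Added example; not part of the dogtagpki/pki wiki or code base. It applies the
Tomcat JSS "+name" / "-name" tlsCiphers syntax to compute the enabled server
cipher set, flags questionable suites, and checks a CS.cfg clientCiphers list
against the server set.
"""
import re
import xml.etree.ElementTree as ET

# The tlsCiphers value from the wiki page, split into tokens for readability.
PAGE_TLS_CIPHERS = ",".join([
    "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "+TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "+TLS_RSA_WITH_AES_128_CBC_SHA", "+TLS_RSA_WITH_AES_256_CBC_SHA",
    "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
])

# Constructed server.xml fragment standing in for /var/lib/pki/pki-tomcat/conf/server.xml.
SERVER_XML = f"""<Server>
  <Service name="Catalina">
    <Connector port="8443" tlsCiphers="{PAGE_TLS_CIPHERS}"/>
  </Service>
</Server>
"""

# Constructed CS.cfg excerpt; the clientCiphers line is the page's CA-to-KRA example.
CS_CFG = """ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
"""


def enabled_server_ciphers(server_xml):
    """Apply the +/- tokens of every Connector's tlsCiphers in order.

    A later "-X" overrides an earlier "+X". A token without a prefix is
    rejected rather than guessed at.
    """
    enabled = set()
    for connector in ET.fromstring(server_xml).iter("Connector"):
        for token in connector.get("tlsCiphers", "").split(","):
            token = token.strip()
            if not token:
                continue
            if token[0] == "+":
                enabled.add(token[1:])
            elif token[0] == "-":
                enabled.discard(token[1:])
            else:
                raise ValueError(f"tlsCiphers token without +/- prefix: {token!r}")
    return enabled


def client_ciphers(cs_cfg, key):
    """Return the comma-separated cipher list stored under `key` in CS.cfg text."""
    prefix = key + "="
    for line in cs_cfg.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            return [c.strip() for c in line[len(prefix):].split(",") if c.strip()]
    return []


# Properties a defender would want absent from the enabled set.
WEAK_PATTERNS = {
    # 64-bit block cipher; practical collision attacks on long sessions (Sweet32).
    "3DES": re.compile(r"_3DES_"),
    # Static RSA or static ECDH key exchange: no forward secrecy.
    "no forward secrecy": re.compile(r"^TLS_(RSA|ECDH_RSA|ECDH_ECDSA)_WITH_"),
}


def weak_ciphers(ciphers):
    """Map each questionable cipher to the list of reasons it was flagged."""
    findings = {}
    for name in sorted(ciphers):
        reasons = [label for label, pat in WEAK_PATTERNS.items() if pat.search(name)]
        if reasons:
            findings[name] = reasons
    return findings


def common_ciphers(client, server_enabled):
    """Ciphers the client offers that the server accepts; empty means no handshake."""
    return [c for c in client if c in server_enabled]


def audit(server_xml, cs_cfg, key):
    """Combine the checks for one client connector against one server.xml."""
    enabled = enabled_server_ciphers(server_xml)
    offered = client_ciphers(cs_cfg, key)
    return {
        "enabled": enabled,
        "weak": weak_ciphers(enabled),
        "client_offers": offered,
        "negotiable": common_ciphers(offered, enabled),
    }


if __name__ == "__main__":
    result = audit(SERVER_XML, CS_CFG, "ca.connector.KRA.clientCiphers")
    print(f"{len(result['enabled'])} ciphers enabled on the server")
    for name, reasons in result["weak"].items():
        print(f"  review: {name}: {', '.join(reasons)}")
    print("CA -> KRA negotiable:", result["negotiable"] or "NONE (connection would fail)")
```

Run against the page's own values, the script reports 15 enabled server ciphers, flags 9 of them for review, and confirms that both ciphers in the CA's clientCiphers list are accepted by the server. Swapping the CS_CFG text for one that lists only suites the server disables (for example the ECDHE_RSA suites prefixed with "-" above) yields an empty negotiable list, which is the misconfiguration to look for when a CA-to-KRA connection fails with a handshake error after a cipher change.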