Configuring TLS Cipher List - dogtagpki/pki GitHub Wiki
This page describes how to configure the TLS cipher list during installation (see Two-Step Installation) or after installation.
To configure the TLS server cipher list, edit the tlsCiphers attribute of the secure Connector in /var/lib/pki/pki-tomcat/conf/server.xml as needed (see Configuring Tomcat JSS). Each entry is a cipher suite name prefixed with + to enable it or - to disable it. The list below illustrates the syntax; it is not a recommended set, so review it against your own policy before applying it:
```xml
<Server>
...
<Connector
...
tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
...
/>
...
</Server>
```
Note: The client cipher configuration below applies only to CS subsystem-to-subsystem communication, where one subsystem acts as the TLS client. It does not apply to the CA subsystem's connection to the LDAP server.
To configure the TLS client cipher list used by the CA when communicating with the KRA, edit /var/lib/pki/pki-tomcat/ca/conf/CS.cfg and update the clientCiphers parameter, e.g.:
```
ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
```
To configure the TLS client cipher list used by the TPS when communicating with the CA, KRA, and TKS, edit /var/lib/pki/pki-tomcat/tps/conf/CS.cfg and update the parameters below (substitute the connector ID of each subsystem):
```
tps.connector.<ca id>.clientCiphers=...
tps.connector.<kra id>.clientCiphers=...
tps.connector.<tks id>.clientCiphers=...
```
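The server list in server.xml and the client lists in CS.cfg are edited by hand and independently, so the failure mode a practitioner hits most often is a CA (or TPS) whose clientCiphers no longer overlap the enabled suites of the peer it connects to, after which every connector call fails the handshake. The script below is an added example, not code from the dogtagpki/pki project: it parses the two formats shown on this page (the +/- prefixed tlsCiphers attribute of the Tomcat JSS Connector, and a <subsystem>.connector.<id>.clientCiphers key in CS.cfg), computes which suites both sides would accept, and flags suites a reviewer would question. The server.xml and CS.cfg fragments are constructed for this example; the treatment of an unsigned tlsCiphers entry as enabled, and the "weak" heuristic (3DES or static RSA key exchange), are assumptions of this example rather than documented Dogtag behaviour.

```python
#!/usr/bin/env python3
"""Cross-check Dogtag PKI TLS cipher configuration (added example, not
part of dogtagpki/pki).  Compares a peer's enabled server suites from
server.xml with a subsystem's clientCiphers list from CS.cfg."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed server.xml for the instance hosting the KRA.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector name="Secure" port="8443" sslProtocol="TLS"
        tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"/>
  </Service>
</Server>
"""

# Constructed sample: CA CS.cfg fragment; the third suite is one the sample
# server above explicitly disables.
SAMPLE_CS_CFG = """ca.connector.KRA.host=kra.example.com
ca.connector.KRA.port=8443
ca.connector.KRA.clientCiphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
"""


def parse_tls_ciphers(value):
    """Split a tlsCiphers attribute into (enabled, disabled) sets.

    '+' enables and '-' disables a suite.  An entry with no sign is treated
    as enabled (assumption for this example).  A later entry overrides an
    earlier one for the same suite."""
    enabled, disabled = set(), set()
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("-"):
            name = entry[1:]
            disabled.add(name)
            enabled.discard(name)
        else:
            name = entry.lstrip("+")
            enabled.add(name)
            disabled.discard(name)
    return enabled, disabled


def server_enabled_ciphers(server_xml):
    """Map each Connector that carries tlsCiphers to its enabled suites."""
    root = ET.fromstring(server_xml)
    result = {}
    for conn in root.iter("Connector"):
        if "tlsCiphers" in conn.attrib:
            enabled, _ = parse_tls_ciphers(conn.attrib["tlsCiphers"])
            result[conn.get("name", conn.get("port", "?"))] = enabled
    return result


def client_ciphers(cs_cfg, key):
    """Read a comma-separated clientCiphers list from CS.cfg text."""
    m = re.search(r"^" + re.escape(key) + r"=(.*)$", cs_cfg, re.MULTILINE)
    if not m:
        return []
    return [c.strip() for c in m.group(1).split(",") if c.strip()]


def check_client_against_server(client, server_enabled):
    """Return (common, rejected): suites both sides allow, in the client's
    order, and client suites the server will refuse.  An empty 'common'
    means the connector handshake cannot succeed."""
    common = [c for c in client if c in server_enabled]
    rejected = [c for c in client if c not in server_enabled]
    return common, rejected


def weak_suites(names):
    """Flag suites a reviewer would question: 3DES, or static RSA key
    exchange (no forward secrecy).  Policy heuristic for this example."""
    return sorted(n for n in names if "3DES" in n or n.startswith("TLS_RSA_"))


if __name__ == "__main__":
    kra_enabled = server_enabled_ciphers(SAMPLE_SERVER_XML)["Secure"]
    ca_client = client_ciphers(SAMPLE_CS_CFG, "ca.connector.KRA.clientCiphers")
    common, rejected = check_client_against_server(ca_client, kra_enabled)
    print("KRA server enables :", sorted(kra_enabled))
    print("CA client offers   :", ca_client)
    print("negotiable         :", common)
    print("rejected by server :", rejected)
    print("questionable       :", weak_suites(kra_enabled))
    if not common:
        raise SystemExit("no common cipher suite: CA -> KRA connector will fail")
```

The script checks files, not the running server; after a change, confirm the live listener separately (for example with openssl s_client, bearing in mind that OpenSSL prints its own cipher names rather than the IANA names used in server.xml and CS.cfg). Apply the same check to each TPS connector ID against the server.xml of the CA, KRA, and TKS it connects to.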