Supported TLS and SSL protocols and ciphers

HCL DevOps Deploy (Deploy) supports multiple SSL protocols and ciphers for communication among servers.

Deploy supports the TLS v1.2 and TLS v1.3 protocols, and SSL. Deploy supports the SSL v3 protocol only where older agents require it.

Note:
  • Limiting and disabling SSL and TLS protocols and ciphers is done at the JVM level rather than the application level.
  • Support for TLS v1.0, TLS v1.1, and SSL v2Hello is deprecated.

Deploy uses SSL to communicate between the web UI and the server, and between servers that use ActiveMQ. The SSL certificates that control both types of communication use the Java KeyStore (JKS) format. These certificates are generated with a 2048-bit RSA key and signed with the SHA256withRSA algorithm.

By default, the web UI connects on port 8443. The server certificate is in the opt/tomcat/conf/tomcat.keystore file. See Configuring SSL on Apache Tomcat and LDAP servers for more information.

The SSL ciphers you can use depend on which ciphers are supported by the Java crypto provider of the JRE on which you installed your Deploy server, relay, and agent. For example, refer to the list of providers for Oracle/OpenJDK Java 11.

The following SSL cipher suites are enabled by default:

Table 1. Default cipher suites
AES_256_GCM_SHA384
AES_128_GCM_SHA256
AES_128_CCM_8_SHA256
AES_128_CCM_SHA256
CHACHA20_POLY1305_SHA256
ECDH_ECDSA_WITH_AES_128_CBC_SHA
ECDH_ECDSA_WITH_AES_128_CBC_SHA256
ECDH_ECDSA_WITH_AES_128_GCM_SHA256
ECDH_ECDSA_WITH_AES_256_CBC_SHA
ECDH_ECDSA_WITH_AES_256_CBC_SHA384
ECDH_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDH_RSA_WITH_AES_128_CBC_SHA
ECDH_RSA_WITH_AES_128_CBC_SHA256
ECDH_RSA_WITH_AES_128_GCM_SHA256
ECDH_RSA_WITH_AES_256_CBC_SHA
ECDH_RSA_WITH_AES_256_CBC_SHA384
ECDH_RSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE_RSA_WITH_AES_256_CBC_SHA
ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_128_GCM_SHA256
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_AES_256_GCM_SHA384
RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_128_CBC_SHA256
RSA_WITH_CAMELLIA_256_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA256

Overriding suggested cipher suites

Deploy suggests ciphers based on their availability and on what the system identifies as secure. You can use system properties to add specific ciphers, or to prevent the system from automatically adding ciphers to the default cipher list.

To add a cipher to the list of default ciphers, set the following system property:
com.urbancode.commons.util.ssl.sslContextEnabledCiphers
For example, you can add cipher1 and cipher2 to the default ciphers by setting the property as follows:
com.urbancode.commons.util.ssl.sslContextEnabledCiphers=cipher1,cipher2
To prevent the system from adding suggested ciphers to the default cipher list, set the following system property:
com.urbancode.commons.util.ssl.sslContextIgnoreSuggestedCiphers=true
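As an added example (not HCL's code), the following Python audit walks the default suites from Table 1, explains which ones lack forward secrecy or AEAD protection, and renders the two properties above as an explicit allow-list of the remaining suites. It assumes Deploy accepts suite names spelled exactly as the table prints them, and the resulting list must still be intersected with what the installed JRE actually supports.

```python
# Added audit helper, not product code. Suite names are copied from Table 1 as printed
# (no TLS_ prefix); that Deploy wants this exact spelling in the property is an assumption.
DEFAULT_SUITES = """
AES_256_GCM_SHA384 AES_128_GCM_SHA256 AES_128_CCM_8_SHA256 AES_128_CCM_SHA256
CHACHA20_POLY1305_SHA256 ECDH_ECDSA_WITH_AES_128_CBC_SHA ECDH_ECDSA_WITH_AES_128_CBC_SHA256
ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH_ECDSA_WITH_AES_256_CBC_SHA ECDH_ECDSA_WITH_AES_256_CBC_SHA384
ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDH_RSA_WITH_AES_128_CBC_SHA
ECDH_RSA_WITH_AES_128_CBC_SHA256 ECDH_RSA_WITH_AES_128_GCM_SHA256 ECDH_RSA_WITH_AES_256_CBC_SHA
ECDH_RSA_WITH_AES_256_CBC_SHA384 ECDH_RSA_WITH_AES_256_GCM_SHA384 ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE_RSA_WITH_AES_256_CBC_SHA
ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_128_CBC_SHA256 RSA_WITH_AES_128_GCM_SHA256 RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_256_CBC_SHA256 RSA_WITH_AES_256_GCM_SHA384 RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_128_CBC_SHA256 RSA_WITH_CAMELLIA_256_CBC_SHA RSA_WITH_CAMELLIA_256_CBC_SHA256
""".split()

def classify(suite):
    """Return (tls13, forward_secret, aead) for a suite name in the table's form."""
    tls13 = "_WITH_" not in suite  # TLS 1.3 names carry no key-exchange/auth part
    forward_secret = tls13 or suite.startswith(("ECDHE_", "DHE_"))  # ephemeral DH only
    aead = any(t in suite for t in ("_GCM_", "_CCM", "CHACHA20_POLY1305"))
    return tls13, forward_secret, aead

def audit(suites):
    """Map each suite that hardened() drops to the reason it is dropped."""
    reasons = {}
    for s in suites:
        _, fs, aead = classify(s)
        if not fs:
            reasons[s] = "static RSA/ECDH key exchange: no forward secrecy"
        elif not aead:
            reasons[s] = "CBC mode with HMAC, not an AEAD suite"
    return reasons

def hardened(suites):
    """Keep only forward-secret AEAD suites (TLS 1.3 plus ECDHE GCM/ChaCha20)."""
    dropped = audit(suites)
    return [s for s in suites if s not in dropped]

def override_properties(suites):
    """Render the page's two properties as an explicit allow-list of the given suites."""
    return [
        "com.urbancode.commons.util.ssl.sslContextEnabledCiphers=" + ",".join(suites),
        "com.urbancode.commons.util.ssl.sslContextIgnoreSuggestedCiphers=true",
    ]

if __name__ == "__main__":
    for suite, why in audit(DEFAULT_SUITES).items():
        print(f"drop {suite}: {why}")
    print("\n".join(override_properties(hardened(DEFAULT_SUITES))))
```

Of the 41 default suites, 11 survive the filter; every name you pass in the property must also be one the JRE's crypto provider can negotiate.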