Web Server: OpenSSL Cipher Suite

From Resin 4.0 Wiki

(Difference between revisions)
Jump to: navigation, search
 
 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
#REDIRECT [[Resin Health System:Tracking And Reporting Anomalies]]
+
{{WebServer}} {{Cookbook}} {{Security}} {{Config}}
 +
 
 +
Modifying OpenSSL to specify allowed cipher suites and protocols can be done in the Resin application server configuration file, resin.xml, in the <openssl> block.
 +
 
 +
=== conf/resin.xml ===
 +
 
 +
<pre>
 +
<resin xmlns="http://caucho.com/ns/resin">
 +
...
 +
<cluster id="web-tier">
 +
<server id="...">
 +
 
 +
<http port="443">
 +
  ...
 +
  <openssl>
 +
    <certificate-key-file>keys/your_domain.key</certificate-key-file>
 +
    <certificate-file>keys/your_domain.crt</certificate-file>       
 +
    <certificate-chain-file>keys/chain.txt</certificate-chain-file>
 +
    <password>test123</password>
 +
    <cipher-suite>ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</cipher-suite>
 +
    <protocol>-all +sslv3 +tlsv1</protocol> 
 +
  </openssl>
 +
</http>
 +
 
 +
</server>
 +
 
 +
...
 +
</pre>
 +
 
 +
Typically this is required for website PCI compliance.
 +
 
 +
Refer to the [http://caucho.com/resin-4.0/admin/security-ssl.xtp Resin SSL documentation] for more information.

Latest revision as of 00:00, 28 January 2012

Web-48.pngCookbook-48.pngPadlock-48.pngGears-48.png

Modifying OpenSSL to specify allowed cipher suites and protocols can be done in the Resin application server configuration file, resin.xml, in the <openssl> block.

conf/resin.xml

<resin xmlns="http://caucho.com/ns/resin">
...
<cluster id="web-tier">
<server id="...">

<http port="443">
  ...
  <openssl>
    <certificate-key-file>keys/your_domain.key</certificate-key-file>
    <certificate-file>keys/your_domain.crt</certificate-file>        
    <certificate-chain-file>keys/chain.txt</certificate-chain-file>
    <password>test123</password>
    <cipher-suite>ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</cipher-suite>
    <protocol>-all +sslv3 +tlsv1</protocol>   
  </openssl>
</http>

</server>

...

Typically this is required for website PCI compliance.

Refer to the Resin SSL documentation for more information.

Personal tools
TOOLBOX
LANGUAGES