App Connect


TLS connection and cipher suite

  • 1.  TLS connection and cipher suite

    Posted Thu February 24, 2022 01:11 PM

    Hi

    When a client establishes a TLS connection to an integration server in ACE12, does ACE use the server preference setting as default when selecting a cipher suite or client preference?

    And if not the server preference, is there a way we can change the setting to use the server setting instead of client preference?

    Thanks



    ------------------------------
    Heidi-Lize Scholtz
    ------------------------------


  • 2.  RE: TLS connection and cipher suite

    Posted Tue March 01, 2022 03:54 PM
    ACE works the same way as all other SSL servers do.  When the client sends its ClientHello message, it includes a list of ciphers that it supports.  ACE goes through that list and selects one that overlaps with its own ciphers.  The lists are usually not ordered and order is not supposed to be significant.  ACE will try to use the strongest cipher available that both the client and server support.

    If you want, you can reduce the default server cipher list.  This will give fewer potential matches with the client cipher list.  It could even prevent connections if the client does not support a cipher.  To change the cipher list used by ACE, update the CipherSpec property on the listener.  You can provide a list of ciphers or types.  The default value is: !RC4+RSA:HIGH:+MEDIUM:+LOW.  You can find the ciphers available here.  ACE restricts traffic to TLSv1.2 or 1.3, so only those ciphers will apply.

    ------------------------------
    MATTHEW SEGALL
    ------------------------------
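
Added example, not part of either post and not IBM code: a way to review a CipherSpec value before applying it, by expanding the string with Python's `ssl` module, flagging suites a reviewer would question, and checking which suites still overlap with a given client's offer. It assumes ACE expands the string the way the local OpenSSL does; the helper names, the narrowed string `ECDHE+AESGCM` and the client offer are constructed for illustration.

```python
import ssl

# Default CipherSpec quoted in the reply above (OpenSSL cipher-list syntax).
ACE_DEFAULT = "!RC4+RSA:HIGH:+MEDIUM:+LOW"

def expand(cipher_spec):
    """Suites the local OpenSSL enables for this string, TLS 1.3 suites excluded.

    Assumption: ACE expands the string the way the local OpenSSL does; the
    result can differ between OpenSSL builds and from ACE's own runtime.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_spec)  # raises ssl.SSLError if no suite matches
    # set_ciphers() does not govern TLS 1.3 suites, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit(cipher_spec):
    """Return (name, reasons) for each enabled suite a reviewer would question."""
    findings = []
    for c in expand(cipher_spec):
        reasons = []
        if c["kea"] == "kx-rsa":
            reasons.append("no forward secrecy (RSA key exchange)")
        if c["auth"] == "auth-null":
            reasons.append("anonymous (server not authenticated)")
        if not c["aead"]:
            reasons.append("non-AEAD (CBC or stream) cipher")
        if reasons:
            findings.append((c["name"], reasons))
    return findings

def overlap(cipher_spec, client_offer):
    """Server suites also offered by the client; empty means no handshake."""
    offered = set(client_offer)
    return [c["name"] for c in expand(cipher_spec) if c["name"] in offered]

if __name__ == "__main__":
    legacy_client = ["AES128-SHA", "AES256-SHA"]  # constructed sample offer
    for spec in (ACE_DEFAULT, "ECDHE+AESGCM"):
        print(spec, "->", len(expand(spec)), "suites,",
              len(audit(spec)), "flagged,",
              "legacy client overlap:", overlap(spec, legacy_client))
```

An empty overlap for a client you still need to serve is the "prevent connections" case mentioned in the reply, so check the offers of real clients before narrowing the list.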