This repository has been archived by the owner on Oct 27, 2021. It is now read-only.

Add section about how to disable TLS algorithms/ciphers
Jochen Schalanda committed Jun 2, 2016
1 parent b643851 commit 3d6adce
Showing 1 changed file with 34 additions and 2 deletions.
36 changes: 34 additions & 2 deletions pages/configuring_webif.rst
Expand Up @@ -81,9 +81,11 @@ Writing the web interface as a single-page application is a challenging task. We
Please take into account that you need to enable JavaScript in order to use Graylog web interface.

.. _ssl_setup:
.. _tls_setup:
.. _https_setup:

SSL Setup
=========
HTTPS Setup
===========

We highly recommend securing your Graylog installation using SSL/TLS to make sure that no sensitive data is sent over the wire in plain text. To make this work, you need to do two things:

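Review bot: the heading is renamed from "SSL Setup" to "HTTPS Setup", but the first sentence of the section still recommends securing the installation "using SSL/TLS"; since the new section added further down tells readers to disable SSLv2Hello and SSLv3, the intro should say "TLS" (or "HTTPS") so the terminology stays consistent with what the page actually recommends. Keeping the old ``_ssl_setup`` label next to the new ``_tls_setup`` and ``_https_setup`` labels is the right call, as existing ``:ref:`` links and bookmarks keep resolving.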
Expand Down Expand Up @@ -298,6 +300,36 @@ PKCS#8 encrypted private key::
-----END ENCRYPTED PRIVATE KEY-----


Disabling specific TLS ciphers and algorithms
---------------------------------------------

Since `Java 7u76 <http://www.oracle.com/technetwork/java/javase/7u76-relnotes-2389087.html>`_ it is possible to disable specific TLS algorithms and ciphers for secure connections.

In order to disable specific TLS algorithms and ciphers, you need to provide a properties file with a list of disabled algorithms and ciphers. Take a look at the example `security.properties <https://github.com/Graylog2/graylog2-server/blob/2.0/misc/security.properties>`__ in the Graylog source repository.

For example, if you want to disable all algorithms except for TLS 1.2, the properties file has to contain the following line::

jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1

If additionally you want to disable DSA/RSA key sizes lower than 2048 bits and EC key sizes lower than 160 bits, the properties file has to contain the following line::

jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1, EC keySize < 160, RSA keySize < 2048, DSA keySize < 2048

To load the properties file into a JVM, you have to pass it to Java using the ``java.security.properties`` system property::

java -Djava.security.properties=/path/to/security.properties -jar /path/to/graylog.jar server

Most start and init scripts for Graylog provide a ``JAVA_OPTS`` variable which can be used to pass the ``java.security.properties`` system property.

Further reading
^^^^^^^^^^^^^^^

* https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms
* http://www.oracle.com/technetwork/java/javase/7u76-relnotes-2389087.html
* http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7133344
* https://tersesystems.com/2014/01/13/fixing-the-most-dangerous-code-in-the-world/


Making the web interface work with load balancers/proxies
=========================================================

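Review bot: the ``jdk.tls.disabledAlgorithms`` examples replace the JDK's default value instead of extending it, because a property set in a file passed via ``-Djava.security.properties=`` overrides the same-named property from the JRE's ``java.security``. A reader who copies ``jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1`` verbatim therefore drops everything the JDK already disables by default (for example RC4 and small DH key sizes in contemporary JDK 8 releases), so the "hardened" file quietly re-enables weak ciphers. Suggest telling readers to start from the ``jdk.tls.disabledAlgorithms`` line in the ``java.security`` file of the JRE they run Graylog with and append to it, and to note the difference between ``-Djava.security.properties=/path`` (only the listed properties are overridden) and ``-Djava.security.properties==/path`` (double equals, the whole file is replaced); both forms require ``security.overridePropertiesFile=true``, which is the JDK default. Two smaller points: "disable all algorithms except for TLS 1.2" describes disabling protocol versions, not algorithms, so "disable all protocol versions except TLS 1.2" is more accurate; and it is worth stating that the property is JVM-wide, so it also constrains outbound TLS connections the server makes (for example to an LDAP server over TLS), not only the web interface listener.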

1 comment on commit 3d6adce

@joschi

@joschi joschi commented on 3d6adce Jun 2, 2016
