Sidebar

How do I disable different TLS levels in Qvera Interface Engine?

0 votes
431 views
asked Mar 23, 2020 by brandon-w-8204 (33,270 points)
Is there a way to completely disable different TLS protocols or cipher suites in QIE so that they are not used anywhere?

1 Answer

0 votes

All Connections (both inbound and outbound)

To completely disable the disable a TLS protocol or Cipher suite in QIE you have to modify the java.security file for Java.  Making these changes will effect any application using this install of java:

To disable a TLS protocol such as TLSv1 or TLSv1.1 do the following:
1. Edit the java.security file found in the java home/lib/security folder.  Example: C:\program files\java\lib\security
2. Find the line ' jdk.tls.disabledAlgorithms'
3. Add the desired protocol to the line (comma separated), such as TLSv1 or TLSv1.1
4. Stop QIE from the service properties and restart the service. 

To force Java to reject certificates with a weaker keySize, you can add 'RSA keySize < #' to the same line above.  With the RSA keySize option, java will reject any certificates that have a keySize less than specified.


Outbound connections only

To force only the outbound client connection to use a specific protocol, but allow for other protocols on the inbound connections, you can add the following java option to your QIE service:
-Djdk.tls.client.protocols=TLSv1.2
This option will force all outbound connections to only use TLSv1.2, but without making the changes to the java.security file, then inbound listeners would be allowed to use TLSv1.0 and TLSv1.1.


Inbound connections on HTTPS only

Finally, there are some java options available to handle only the inbound HTTPS connections.  If you have an HTTPS receiver and you want to restrict just this one endpoint to a specific protocol, then you can add the following java option to your QIE service:
-Dqie.excludeProtocols.{port_number}=TLSv1.0,TLSv1.1
You will need to replace the {port_number} with the actuall port number used on the HTTPS receiver, and then only TLSv1.2 connections would be alled to connect to this specific HTTPS endpoint regardless of what is specified in the java.security file.


These three options allow you to decide if you are going to restrict a protocol inside of java completely, or just restrict outbound client connections or inbound server connections.

answered Mar 23, 2020 by brandon-w-8204 (33,270 points)
...