Objective
By default, the Contrast Server HTTPS connector enables all supported TLS protocols and a wide range of cipher suites, but it is likely that administrators will wish to limit the available protocols and ciphers to suit corporate policy. This article details the steps required to put those changes into effect.
Process
Change supported protocols
To change the HTTPS connector's supported protocols, edit the $CONTRAST_HOME/data/conf/server.properties file to add an entry similar to the following example (which enables only TLSv1.2 and SSLv2Hello - the latter being needed by some clients to complete the handshake process):
https.protocols=TLSv1.2,SSLv2Hello
Change supported cipher suites
To modify the list of supported cipher suites, edit the $CONTRAST_HOME/data/conf/server.properties file to add an entry similar to the following example:
https.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Change supported (EC)DH key sizes
To modify the list of supported (EC)DH key sizes, edit the $CONTRAST_HOME/bin/contrast-server.vmoptions file to add an entry similar to the following example (which forces key sizes to a minimum of 2048 bytes for DHE_RSA, DHE_DSS, and DH_anon-based cipher suites in the JSSE Oracle provider):
-Djdk.tls.ephemeralDHKeySize=2048