KBEC-00408 - How to restrict a version of TLS with CloudBees CD (CloudBees Flow)

Article ID:360033187571
1 minute readKnowledge base
On this page

Summary

This article describes how to disable specific versions of TLS support to only use a more updated version. This article is written with an example on disabling TLSv1, TLSv1.1 support and accept all requests using only TLSv1.2, but should be able to be used as reference for similar version patterns in the future.

Solution

Users interact with the CloudBees CD (CloudBees Flow) (Commander) server through a web interface. The Electric CloudBees CD (CloudBees Flow) web interface is hosted in an Apache web server, which listens on the 80 (unsecure) and 443 (secure) ports and Commander server is a Jetty-based application server that uses Jetty (a Java HTTP server), which listens on the 8000 (unsecure) and 8443 (secure) ports. Apache web-server interacts with Jetty through HTTP and HTTPS requests.

To accept all request using only TLSv1.2 in Apache HTTPS port 443 and Jetty HTTPS port 8443 use the following steps. Before making those changes we highly recommend to make backups of the files you are going to modify.

Changes for Apache:

In /opt/electriccloud/electriccommander/apache/conf/ssl.conf change:

SSLProtocol All -SSLv2 -SSLv3

to:

SSLProtocol TLSv1.2

Restart Apache server

Changes to Jetty :

In /opt/electriccloud/electriccommander/jre/lib/security/java.security change:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \
    EC keySize < 224

to

jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \
    EC keySize < 224, TLSv1, TLSv1.1

Changes to the server:

In /opt/electriccloud/electriccommander/conf/wrapper.conf change:

wrapper.java.additional.310=-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"

to

wrapper.java.additional.310=-Djdk.tls.client.protocols="TLSv1.2"

and add the line

wrapper.java.additional.311=-Djdk.tls.disabledAlgorithms="SSLv3, RC4, DH keySize < 768, EC keySize < 224, TLSv1, TLSv1.1"

Restart commander server.

Verify that changes were applied by checking ssl handshake connection. You can do it using these commands

Check TLSv1.2 support on apache server

sudo -i

then

export LD_LIBRARY_PATH=/opt/electriccloud/electriccommander/lib && /opt/electriccloud/electriccommander/bin/openssl s_client -connect :443 -tls1_2 > connect_tls1_2_handshake_Web_server.txt 2>&1

Try to use Ctrl+C if the second command is not completing

Check TLSv1.2 support on commander server

sudo -i

then

export LD_LIBRARY_PATH=/opt/electriccloud/electriccommander/lib && /opt/electriccloud/electriccommander/bin/openssl s_client -connect :8443 -tls1_2 > connect_tls1_2_handshake_EF_server.txt 2>&1

Try to use Ctrl+C if the second command is not completing

Applies to

OS versions: Linux