TLS check
The TLS check verifies that only algorithms considered secure are permitted in the Java security configuration for TLS. The check is based on Mozilla's recommendations.
Insecure algorithms in TLS cipher suites are problematic because they jeopardize the confidentiality and integrity of the transmitted data. Attackers can exploit known cryptographic weaknesses to decrypt or manipulate encrypted communication.
Configuration of the check
The parameter mozillaTlsRecommendationType configures how strict the check is with regard to the permitted algorithms.
The profiles modern, intermediate and old are available; intermediate is configured by default.
| Profile | Description |
|---|---|
| modern | Only the latest algorithms, cipher suites and TLS 1.3 are permitted. These may not be supported by all applications and clients. |
| intermediate | Algorithms and cipher suites that are considered secure and are supported by most applications and clients are permitted. |
| old | Algorithms and cipher suites that are compatible with older applications and clients are also permitted, but these may no longer be considered completely secure. The use of this profile is not recommended. |
The setting can be adjusted in the configuration file KARAF/etc/de.virtimo.bpc.core.security.checks.cfg by changing the following line:

```
# TlsCheck Configuration
mozillaTlsRecommendationType=intermediate
```
Procedure for securing
In a fresh installation, the BPC is already configured so that it fulfils the intermediate profile.
Individual cipher suites and TLS algorithms can be deactivated in the file custom.java.security in the BPC installation directory.
The algorithms flagged in the check result must be entered there.
Further information can be found in Java Security Settings.
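An added example, not part of the BPC documentation or its code: a small Java program that reports the JVM's effective TLS protocols and cipher suites against a simplified reading of the intermediate profile, so that an edited custom.java.security can be previewed before the check runs again. The classification rules are an assumption rather than the check's own logic, the class name is the author's choice, and the assumption that the file can be passed with -Djava.security.properties is the standard Java override mechanism, not something the page states.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
// Reports the TLS protocols and cipher suites the running JVM enables by default
// and flags those outside a simplified reading of Mozilla's "intermediate"
// profile. Start it with -Djava.security.properties=<path>/custom.java.security
// (assumption: the BPC loads that file the same way) to preview an edit.
public class TlsProfileReport {
    // Assumption: "intermediate" is approximated as TLS 1.2/1.3 only, with
    // forward-secret key exchange (ECDHE/DHE) and AEAD ciphers (AES-GCM, ChaCha20).
    static boolean suiteMatchesIntermediate(String suite) {
        if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) {
            return true; // TLS 1.3 suites carry no key-exchange name
        }
        boolean forwardSecret = suite.startsWith("TLS_ECDHE_") || suite.startsWith("TLS_DHE_");
        boolean aead = suite.contains("_GCM_") || suite.contains("_CHACHA20_POLY1305_");
        return forwardSecret && aead;
    }
    static boolean protocolMatchesIntermediate(String protocol) {
        return protocol.equals("TLSv1.2") || protocol.equals("TLSv1.3");
    }
    // Returns the enabled protocols and suites that the heuristic would reject.
    static List<String> findings(SSLParameters params) {
        List<String> out = new ArrayList<>();
        for (String p : params.getProtocols()) {
            if (!protocolMatchesIntermediate(p)) out.add("protocol " + p);
        }
        for (String s : params.getCipherSuites()) {
            if (s.endsWith("_SCSV")) continue; // signalling value, not a real suite
            if (!suiteMatchesIntermediate(s)) out.add("cipher suite " + s);
        }
        return out;
    }
    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        List<String> findings = findings(SSLContext.getDefault().getDefaultSSLParameters());
        if (findings.isEmpty()) {
            System.out.println("All enabled protocols and cipher suites fit the intermediate heuristic.");
        } else {
            System.out.println("Outside the intermediate heuristic (candidates for jdk.tls.disabledAlgorithms):");
            findings.forEach(f -> System.out.println("  " + f));
        }
    }
}
```

A flagged entry is deactivated by appending its name (for example a protocol such as TLSv1.1 or a suite name) to the jdk.tls.disabledAlgorithms list in custom.java.security, which is Java's own property syntax for this purpose.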