RapidIdentity Product Guide

SSL/TLS Profile

The SSL/TLS Profile menu item defines which SSL Profile should be used with RapidIdentity. Selecting this option opens a prompt to edit the profile.

The end result is that the rapididentity.properties tomcat.sslProfile value is updated.

Beginning in RapidIdentity version 2020.1.0, the following changes will apply to the Tomcat properties in rapididentity.properties:

  • tomcat.sslCipherBlacklist has been deprecated.

  • tomcat.sslProtocols can now include TLSv1.2, and TLSv1.1 ONLY.

    • By default, RapidIdentity will use the list TLSv1.2 for version 2020.1.0. In order to use TLSv1.1 with 2020.1, you will need to provide your own cipher suites.

  • tomcat.sslCipherWhitelist has been added. This allows you to specify a list of TLS cipher suites to enable. If this list is provided, it will override the default list.

    Note

    The whitelist will be a comma-separated list, just like the blacklist was. Examples:

    tomcat.sslProtocols=TLSv1.2

    tomcat.sslCipherWhitelist=TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    RapidIdentity will use a secure set of cipher suites by default, including:

    • For TLSv1.2:

      Note

      ONLY included if TLSv1.2 is enabled and there is no whitelist - default behavior

      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

      • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

      • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

      • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

      • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

    • For TLSv1.1:

      Note

      ONLY if TLSv1.1 is enabled and there is no whitelist - default behavior, and ONLY included in later builds of 2019.12.15.x and 2020.x.

      TLSv1.1 is not recommended.

      • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

      • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

      • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

      • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

In this section: