In release 11.2 of the Content Acquisition System (CAS), the cryptographic protocols TLSv1.1 and TLSv1.2 are enabled by default.

These protocols provide protection against serious security threats that have emerged recently. The protocols SSL 3.0 and TLS 1.0 do not provide similar protection and are disabled by default. Note that if you enable SSL 3.0 or TLS 1.0, for compatibility or any other reason, you make your application vulnerable to the serious threats against which TLSv1.1 and TLSv1.2 provide protection.

To enable the TLSv1.1 and TLSv1.2 protocols, uncomment the TLSSocketConnector block in CAS_ROOT/workspace/conf/jetty.xml:

<Call name="addConnector">
    <Arg>
        <New class="com.endeca.itl.jetty.TLSSocketConnector">
            <Set name="Port"><SystemProperty name="com.endeca.cas.ssl.port"/></Set>
            <Set name="maxIdleTime">600000</Set>
            <Set name="keystore"><SystemProperty name="javax.net.ssl.keyStore"/></Set>
            <Set name="keyPassword"><SystemProperty name="javax.net.ssl.keyStorePassword"/></Set>
            <Set name="truststore"><SystemProperty name="javax.net.ssl.trustStore"/></Set>
            <Set name="trustPassword"><SystemProperty name="javax.net.ssl.trustStorePassword"/></Set>
            <Set name="needClientAuth">true</Set>
            <Set name="IncludeProtocols">
                <Array type="java.lang.String">
                    <Item>TLSv1.1</Item>
                    <Item>TLSv1.2</Item>
                </Array>
            </Set>
        </New>
    </Arg>
</Call>
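
The following is an added example, not part of the CAS documentation or product: a small audit that parses jetty.xml text and reports whether the TLSSocketConnector is active and whether its IncludeProtocols list matches the one shown above. The function names, the `<Configure>` wrapper and the sample fragments are constructed for illustration, and `SSLv3` and `TLSv1` are assumed to be the Java (JSSE) names for SSL 3.0 and TLS 1.0.

```python
import xml.etree.ElementTree as ET

CONNECTOR_CLASS = "com.endeca.itl.jetty.TLSSocketConnector"  # class name from the page
# Assumption: JSSE names for SSL 3.0 and TLS 1.0, which the page says stay disabled.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1"}
EXPECTED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}


def audit_jetty_xml(xml_text):
    """Return a list of findings for the TLSSocketConnector in jetty.xml text."""
    root = ET.fromstring(xml_text)
    # The parser drops XML comments, so a connector that is still commented
    # out is simply not found among the <New> elements.
    connectors = [n for n in root.iter("New") if n.get("class") == CONNECTOR_CLASS]
    if not connectors:
        return ["TLSSocketConnector is absent or still commented out"]
    findings = []
    for conn in connectors:
        include = next((s for s in conn.findall("Set")
                        if s.get("name") == "IncludeProtocols"), None)
        protocols = set()
        if include is not None:
            protocols = {(i.text or "").strip() for i in include.iter("Item")} - {""}
        if not protocols:
            findings.append("IncludeProtocols is missing or empty")
        for p in sorted(protocols & WEAK_PROTOCOLS):
            findings.append(f"weak protocol enabled: {p}")
        for p in sorted(EXPECTED_PROTOCOLS - protocols):
            findings.append(f"expected protocol not listed: {p}")
    return findings


def sample(items, commented=False):
    """Constructed jetty.xml fragment modelled on the connector block above."""
    item_xml = "".join(f"<Item>{p}</Item>" for p in items)
    block = (f'<Call name="addConnector"><Arg><New class="{CONNECTOR_CLASS}">'
             f'<Set name="IncludeProtocols"><Array type="java.lang.String">'
             f'{item_xml}</Array></Set></New></Arg></Call>')
    if commented:
        block = f"<!-- {block} -->"
    return f"<Configure>{block}</Configure>"


if __name__ == "__main__":
    cases = {"as documented": sample(["TLSv1.1", "TLSv1.2"]),
             "TLS 1.0 re-enabled": sample(["TLSv1", "TLSv1.2"]),
             "still commented out": sample(["TLSv1.1", "TLSv1.2"], commented=True)}
    for label, xml_text in cases.items():
        print(f"{label}: {audit_jetty_xml(xml_text) or 'OK'}")
```

To audit a real installation, pass the contents of CAS_ROOT/workspace/conf/jetty.xml to `audit_jetty_xml` instead of the constructed samples.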

