5.3 Understanding the OpenText Cloud Bridge Agent TLS Security Policy

This section provides reference information for the OpenText Cloud Bridge Agent Transport Layer Security (TLS) policy. TLS is the successor to Secure Sockets Layer (SSL).

5.3.1 TLS Settings

Oracle® Java® ships with a security policy codified in the java.security policy file, which is typically located in the conf/security folder relative to $JAVA_HOME. OpenText Cloud Bridge containers are based on the CAFapi Java 11 image, which disables weak TLS cipher suites through the disableWeakTlsAlgorithms.patch patch file. This is an excellent, if strict, security posture and meets the OpenText security requirements.

5.3.2 Terminology

This section uses the following terms:

  • RSA (Rivest Shamir Adleman)

  • ECC (Elliptic Curve Cryptography)

  • Symmetric Cryptography (for example, AES)

  • Asymmetric Cryptography (Public/Private Key pair)

  • DH & ECDH (Diffie-Hellman & Elliptic-Curve Diffie-Hellman)

  • Hash Function (for example, SHA1, SHA256, SHA512)

  • CA (Certificate Authority)

  • Host Certificate (Certificate used for a web server)

5.3.3 Disabled Algorithms

Ideally, we would like to restrict communication to TLS 1.3. However, we must also make it possible to use the TLS 1.2 protocol safely, which requires us to exclude cipher suites that are available but should not be used.

Highlights

  1. Remove the TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 cipher from the list.

  2. Increase RSA key size: “RSA keySize < 2048”

Key Lengths

  • RSA less than 2048-bit

  • Diffie-Hellman less than 2048-bit

  • Elliptic Curve less than 224-bit

The following algorithms are disallowed and will not successfully negotiate the "handshake" process:

  • Camellia 128-bit with Cipher Block Chaining (CBC)

  • AES 256-bit with CBC

  • AES 128-bit with CBC

  • TLS DH DSS with AES 256-bit GCM SHA384 (under translation...)

5.3.4 Oracle® Java® Security Policy

The following algorithms are disallowed:

TLSv1.1
TLSv1
SSLv3
SSLv2
DHE_DSS
RSA_EXPORT
DHE_DSS_EXPORT
DHE_RSA_EXPORT
DH_DSS_EXPORT
DH_RSA_EXPORT
DH_anon
ECDH_anon
DH_RSA
DH_DSS
ECDH
AES_256_CBC
AES_128_CBC
3DES_EDE_CBC
DES_CBC
RC4_40
RC4_128
DES40_CBC
RC2
HmacMD5
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
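
The following added example (not part of the OpenText or CAFapi code) audits a java.security file against the list above and the key-length floors in section 5.3.3. It assumes the policy is carried in the JDK `jdk.tls.disabledAlgorithms` property and that key sizes use the `<alg> keySize < N` form; the function names and the sample input are constructed for illustration.

```python
import re

# Entries listed in section 5.3.4 of this page.
REQUIRED = set("""
TLSv1.1 TLSv1 SSLv3 SSLv2 DHE_DSS RSA_EXPORT DHE_DSS_EXPORT DHE_RSA_EXPORT
DH_DSS_EXPORT DH_RSA_EXPORT DH_anon ECDH_anon DH_RSA DH_DSS ECDH AES_256_CBC
AES_128_CBC 3DES_EDE_CBC DES_CBC RC4_40 RC4_128 DES40_CBC RC2 HmacMD5
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
""".split())
# Key-length floors from section 5.3.3, in bits.
MIN_KEY_BITS = {"RSA": 2048, "DH": 2048, "EC": 224}

# Constructed sample input, not the contents of the CAFapi image.
SAMPLE = r"""
# weaker than the policy on this page
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4_40, DES40_CBC, \
    RSA keySize < 1024, DH keySize < 2048, \
    EC keySize < 224, 3DES_EDE_CBC
"""

def read_property(text, name):
    """Return a java.security property value, joining '\\' line continuations."""
    value, buf = None, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue  # blank or comment line outside a continuation
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        key, _, val = (buf + line).partition("=")
        buf = ""
        if key.strip() == name:
            value = val.strip()  # a later definition overrides an earlier one
    return value

def audit(text):
    """Return (missing entries, {algorithm: configured floor}) versus the page's policy."""
    value = read_property(text, "jdk.tls.disabledAlgorithms") or ""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    missing = sorted(REQUIRED - set(entries))
    weak = {}
    for alg, floor in MIN_KEY_BITS.items():
        pat = re.compile(rf"{alg}\s+keySize\s*<\s*(\d+)")  # only the '<' form is handled
        sizes = [int(m.group(1)) for e in entries if (m := pat.fullmatch(e))]
        if max(sizes, default=0) < floor:
            weak[alg] = max(sizes, default=None)  # None: no constraint present
    return missing, weak

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result, `([], {})`, means every entry on this page is present and each key-size floor is at least as strict as section 5.3.3 requires.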

5.3.5 Additional Resources

For more information about configuring secure communication, see the following resources:

  • The ROBOT Attack website

  • Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection on the OWASP website

  • Security/Server Side TLS on the Mozilla wiki