Can I use only TLSv1.2 for the incoming SSL connections to Edge with the nginx router?

We want to use only the TLS1.2 protocol for all the incoming SSL connections from our clients to the nginx router and EdgeUI.

We are on Private Cloud version 4.16.01.00. Is it possible by changing the config on the nginx router? If yes, can you please provide the instructions to do this?

Yes, we can change the SSL connections to the router/edge to only allow the TLS1.2 protocol.

This is controlled by the parameter ssl_protocols whose default values are set as follows in /<inst-root>/nginx/conf.d/0-default.conf file:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

You need to update the parameter ssl_protocols in 0-default.conf file. However, with 16.01 and higher we should not modify this file directly. Please follow the below steps to modify the parameter to allow only TLSv1.2:

  • On the router machine, create the below file (if it doesn't exist already):
    /<inst_root>/apigee/customer/application/router.properties
  • Add the below property in the above file:
    conf_load_balancing_load.balancing.driver.server.ssl.protocols=TLSv1.2
  • Restart the nginx router:
    /<inst_root>/apigee/apigee-service/bin/apigee-service edge-router restart
  • Verify if ssl_protocols is updated in the file /<inst-root>/nginx/conf.d/0-default.conf
  • The new value for ssl_protocols should be:
    ssl_protocols TLSv1.2;
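
As an added example (not code from this thread or from Apigee), a POSIX sh helper that automates the verification step of the procedure above: it parses the rendered 0-default.conf for the ssl_protocols directive and fails if anything other than TLSv1.2 is still enabled, and it includes an optional live probe with openssl s_client. The temp paths, sample config contents and the router host name are constructed placeholders.

```shell
#!/bin/sh
# check_ssl_protocols FILE: succeeds only if every ssl_protocols directive in the
# rendered nginx config enables exactly TLSv1.2. Fails if TLSv1 or TLSv1.1 remain,
# or if no directive is present (e.g. the restart did not re-render the file).
check_ssl_protocols() {
  file=$1
  found=0
  bad=0
  set -f                          # no globbing while word-splitting config lines
  while IFS= read -r line; do
    set -- $line                  # $1 = directive name, remaining words = arguments
    [ "${1:-}" = "ssl_protocols" ] || continue
    found=1
    shift
    for p in "$@"; do
      p=${p%;}                    # drop the terminating semicolon
      [ -n "$p" ] || continue
      [ "$p" = "TLSv1.2" ] || bad=1
    done
  done < "$file"
  set +f
  if [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]; then return 0; else return 1; fi
}

# probe_tls_policy HOST PORT: live check against a router listener. The control
# handshake with -tls1_2 must succeed first, then a -tls1_1 handshake must be
# refused, so an openssl build lacking TLSv1.1 support cannot produce a false pass.
probe_tls_policy() {
  openssl s_client -connect "$1:$2" -tls1_2 </dev/null >/dev/null 2>&1 || return 1
  ! openssl s_client -connect "$1:$2" -tls1_1 </dev/null >/dev/null 2>&1
}

# Constructed sample files standing in for 0-default.conf before and after the change.
tmpdir=$(mktemp -d)
before_conf=$tmpdir/0-default.before.conf
after_conf=$tmpdir/0-default.after.conf
printf 'server {\n  listen 443 ssl;\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n' > "$before_conf"
printf 'server {\n  listen 443 ssl;\n  ssl_protocols TLSv1.2;\n}\n' > "$after_conf"

for f in "$before_conf" "$after_conf"; do
  if check_ssl_protocols "$f"; then
    echo "OK   $f: TLSv1.2 only"
  else
    echo "FAIL $f: legacy TLS versions still enabled"
  fi
done
# Against a real router (placeholder host, not run here):
#   probe_tls_policy router.example.internal 443
```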

Hi @AMAR DEVEGOWDA,

For 2-way TLS, you should also update the VHOST configuration.

For 2-way, if the TLS offloading is on the load balancer, then you can skip it. But if the offloading is on the router, then you must also update the VHOST.

<Protocols>
  <Protocol>TLSv1.1</Protocol>
  <Protocol>TLSv1.2</Protocol>
</Protocols>

Thanks and Regards,

Gaurav Bhandari