Hi all,
I want to allow only TLS 1.2 connections to my virtual hosts. Apigee allows this, and so I have included the following configuration when creating my virtual hosts:
<Protocols><Protocol>TLSv1.2</Protocol></Protocols>
So in theory, connections using any other protocol, like TLSv1.1 or 1.0, should be rejected. However, in practice, 1.1 and 1.0 are being accepted. I don't understand why.
If anyone has any ideas why, please let me know.
Regards,
Stewart
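A way to check which protocol versions the vhost actually negotiates, added here as an example and not part of the thread: probe the port with `openssl s_client` forced to one version at a time and classify the result from its output. The host and port are placeholders, not the poster's real endpoint, and the script assumes an OpenSSL CLI that still accepts -tls1 and -tls1_1 (newer builds may refuse to speak those versions client-side; the script reports that case separately so it is not mistaken for a server rejection).

```bash
#!/usr/bin/env bash
# Added example: probe a TLS endpoint per protocol version and classify the
# outcome from `openssl s_client` output. Not code from the thread or from
# Apigee; host:port values are placeholders.

# classify: read s_client output on stdin and print one of
#   accepted            the server completed a handshake at that version
#   rejected            the server refused (protocol-version alert, handshake failure)
#   client-unsupported  the local openssl cannot speak that version at all
#   unreachable         no TCP connection was made, so nothing was tested
classify() {
    local out
    out=$(cat)
    case $out in
        *"no protocols available"*|*"nknown option"*) echo client-unsupported ;;
        *"connect:errno"*|*"Connection refused"*)      echo unreachable ;;
        *"Cipher is (NONE)"*)                          echo rejected ;;
        *"Cipher is "*)                                echo accepted ;;
        *)                                             echo rejected ;;
    esac
}

# probe HOST:PORT VERSION_FLAG   e.g. probe services.com:9444 -tls1_1
# -servername sends SNI matching the host alias, so routing to the right
# vhost does not depend on a default host.
probe() {
    openssl s_client -connect "$1" -servername "${1%%:*}" "$2" </dev/null 2>&1 | classify
}

# scan HOST:PORT: one line per version. A TLS 1.2-only vhost should show
# rejected (or client-unsupported) for every flag except -tls1_2.
scan() {
    local v
    for v in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$v" "$(probe "$1" "$v")"
    done
}

if [ "$#" -ge 1 ]; then
    scan "$1"
fi
```

Run it as `./probe_tls.sh services.com:9444`. If the -tls1 or -tls1_1 rows come back as client-unsupported, the local OpenSSL is at a security level that disables those versions; on OpenSSL 1.1.x/3.x the cipher-string suffix `@SECLEVEL=0` re-enables them for the test. A useful side check: on an accepted handshake the `New, TLSv1.x, Cipher is ...` line names the negotiated suite, and the GCM suites in the vhost's Ciphers list exist only in TLS 1.2, so a TLS 1.0 or 1.1 handshake that succeeds must be using a suite outside that list.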
Have you included an <Enabled>true</Enabled> element ?
Can you show the full SSLInfo element please?
Hi Dino,
Thanks for the response. Yes, I have included the 'Enabled' element when creating my virtual host.
The virtual host configuration is included below. I think that should give you the detail needed. I have amended potentially sensitive values.
Regards,
Stewart
<VirtualHost name="sit-ext-vhost">
    <HostAliases>
        <HostAlias>services.com</HostAlias>
    </HostAliases>
    <Interfaces/>
    <Port>9444</Port>
    <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>false</ClientAuthEnabled>
        <KeyStore>sit-ext-Keystore.jks</KeyStore>
        <KeyAlias>sit-ext-Keystore</KeyAlias>
        <Ciphers>
            <Cipher>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Cipher>
            <Cipher>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Cipher>
        </Ciphers>
        <Protocols>
            <Protocol>TLSv1.2</Protocol>
        </Protocols>
    </SSLInfo>
</VirtualHost>
Yep, OK... That looks good. It has SSL enabled, and it looks like the Ciphers and Protocols are set to your preferred settings.
and now, can you run this command?
curl -u XXX:XXX http://x.x.x.x:8080/v1/o/org/env/sit/keystores
This will list the keystores in your environment. The keystore name that you used in the VirtualHost definition has a name like "sit-ext-Keystore.jks". That looks like a filename. Normally we wouldn't use the .jks extension in the keystore name. But it's possible that you have done so. (Maybe totally benign).
I just wanna check through all the pieces.
After you verify the keystore by that name, let's verify its contents.
curl -u XXX:XXX http://x.x.x.x:8080/v1/o/org/env/sit/keystores/sit-ext-Keystore.jks
Can you send me the outputs from those commands?
Hi Dino,
Thanks for the feedback. Here is the output, for the two API calls:
[ "sit-ext-Keystore.jks", "sitKeystore.jks" ]
{
  "certs" : [ "sit-ext-Keystore-cert" ],
  "keys" : [ "sit-ext-Keystore" ],
  "name" : "sit-ext-Keystore.jks"
}
Interestingly, I am in touch with Apigee. They have suggested I use a router.properties file to do the config instead - this applies the TLS protocol restriction to the whole server, rather than just the virtual host.
I'll let you know if I get a solution!
Thanks,
Stewart
That output looks reasonable. If you are speaking directly with Apigee Support, I will let them sort it out with you!
I just updated the doc on this issue. The way you set the protocol of the vhost is dependent on your version of Edge. 4.15.07, 4.16.01/05/09, and 4.17.01 use different procedures as shown here:
http://docs.apigee.com/api-services/content/creating-virtual-host#virtualhostconfiguration
Stephen
Stephen, thanks - that link looks extremely relevant. I'll try things out and update the thread with the results.