How to Set Virtual Host TLS Protocol correctly


I am trying to set a virtual host to allow connections from only TLS 1.2. I do this in the manner below. However, I notice that it allows TLS 1.2, TLS 1.1 and TLS 1.0.

JSON payload to upload the TLS protocol:

{
  "name": "secure",
  "hostAliases": ["XXX.apigee.net"],
  "port": "443",
  "interfaces": [],
  "retryOptions": [],
  "listenOptions": [],
  "sSLInfo": {
    "ciphers": [],
    "clientAuthEnabled": "false",
    "enabled": "true",
    "ignoreValidationErrors": false,
    "keyAlias": "freetrial",
    "keyStore": "ref://freetrialref",
    "protocols": [
      "TLSv1.2"
    ]
  }
}

I tried to test using openssl as follows:

openssl s_client -connect myorg.apigee.net:443 -tls1

openssl s_client -connect myorg.apigee.net:443 -tls1_2

Ideally the first one should have failed, but it did not fail. Any thoughts on this?
ACCEPTED SOLUTION

For Cloud and Private Cloud 4.17.01 and later, you use Properties to set SSL properties, not SSLInfo.

The properties are "ssl_protocols" and "ssl_ciphers".

You can only set ssl_protocols in Private Cloud; Cloud restricts you to TLSv1.2.

See docs here: https://docs.apigee.com/api-platform/fundamentals/virtual-host-property-reference

For example:

<VirtualHost name="secure">
    <HostAliases>
        <HostAlias>ORG-ENV.apigee.net</HostAlias>
    </HostAliases>
    <Interfaces/>
    <ListenOptions/>
    <Port>443</Port>
    <RetryOptions/>
    <SSLInfo>
        <ClientAuthEnabled>false</ClientAuthEnabled>
        <Enabled>true</Enabled>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
        <KeyAlias>freetrial</KeyAlias>
        <KeyStore>ref://freetrialref</KeyStore>
    </SSLInfo>
    <Properties>
        <!-- <Property name="ssl_protocols">TLSv1.2</Property> -->
        <Property name="ssl_ciphers">HIGH:!aNULL:!MD5:!DH+3DES:!kEDH</Property>
    </Properties>
</VirtualHost>

As JSON

{
    "hostAliases": [
        "ORG-ENV.apigee.net"
    ],
    "interfaces": [],
    "listenOptions": [],
    "name": "secure",
    "port": "443",
    "properties": {
        "property": [
            {
                "name": "ssl_ciphers",
                "value": "HIGH:!aNULL:!MD5:!DH+3DES:!kEDH"
            }
        ]
    },
    "retryOptions": [],
    "sSLInfo": {
        "ciphers": [],
        "clientAuthEnabled": "false",
        "enabled": "true",
        "ignoreValidationErrors": false,
        "keyAlias": "freetrial",
        "keyStore": "ref://freetrialref",
        "protocols": []
    }
}


REPLIES

Hi Sriram,

Thanks for asking!

From the payload parameters, I am assuming the org is a free/trial org?

Virtual host creation and modification is available to paid accounts only in Edge Cloud. The user creating the virtual host must be in the role of organization administrator, or in a custom role with permissions to modify a virtual host. Free and trial accounts cannot create or modify virtual hosts and are limited to the virtual hosts created for them at Edge registration time.

On a different note, Apigee is also working on deprecating support for TLS 1.0 and TLS 1.1 for all HTTPS connections to Apigee Edge public cloud. The announcement is available here. Please feel free to subscribe.

Regards

Vidheer.

P.S.: Please accept this answer if it addresses your query 🙂

Hi Vidheer - No, this is not a free trial org. I have an Edge Pro license. I also have org admin access. In fact, I am able to create new vhosts and update them. All works fine, except that the vhost behaviour with respect to TLS is not as expected.

I am aware of this deprecation note and in fact wanted to create a vhost with only TLS 1.2 support in a lower environment so that I can get my users to test and certify against this environment.


Thanks Kurt, but if only TLS v1.2 is supported in the cloud, why does the command below pass? The openssl command below tries to negotiate a TLS 1.0 connection. Shouldn't it fail?

openssl s_client -connect myorg.apigee.net:443 -tls1

I should have qualified my answer better: in Cloud you cannot set protocols.

On June 18th only TLSv1.2 will be supported; then your call will fail.

https://docs.apigee.com/release/notes/tls-retirement

Thank you. I think the URL below points to what you describe, where it is mentioned that Cloud will support 1.2 installation.

https://docs.apigee.com/api-platform/fundamentals/configuring-virtual-hosts-cloud

Update: if you want to test for TLSv1.2, you can update your Virtual Host "ssl_ciphers" property to use valid 1.2 values only (e.g. AES128-GCM-SHA256). Then connections using 1.0 or 1.1 will fail.

Through empirical analysis I've determined that there is a limited set of valid values.

This is for paid orgs deployed in Amazon regions.

AES128-GCM-SHA256
AES128-SHA256
AES256-GCM-SHA384
AES256-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384

See this article for more details: https://community.apigee.com/articles/57728/empirical-analysis-of-valid-values-for-virtualhost.html
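As an added check (my own code, not from the thread or from Apigee): this Python script expands an OpenSSL cipher string the way the gateway's OpenSSL would, reports any suite a TLS 1.0/1.1 client could still negotiate (which is why the accepted answer's "HIGH:..." string does not stop the -tls1 probe while the GCM/SHA256 values in the update do), and builds the virtual host payload in the accepted answer's shape only when the ssl_ciphers value is TLS 1.2-only. The function names are my own, and the key alias and keystore reference are the placeholders from the thread.

```python
import ssl

# OpenSSL labels suites that exist only from TLS 1.2 onwards "TLSv1.2" (or "TLSv1.3");
# every older suite is reported as "SSLv3" and is also usable by a TLS 1.0/1.1 client.
TLS12_ONLY = {"TLSv1.2", "TLSv1.3"}


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into (name, protocol) pairs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError(f"no cipher matches {cipher_string!r}: {exc}") from exc
    # TLS 1.3 suites are appended by OpenSSL regardless of the string and are
    # not governed by ssl_ciphers, so they are dropped from the result.
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def pre_tls12_suites(cipher_string):
    """Suites in cipher_string that a TLS 1.0 or TLS 1.1 client could still use."""
    return [name for name, proto in expand_cipher_string(cipher_string)
            if proto not in TLS12_ONLY]


def build_vhost_payload(name, host_alias, key_alias, keystore_ref, cipher_string):
    """Virtual host JSON in the accepted answer's shape (hypothetical helper);
    refuses a cipher string that would still let a -tls1 handshake succeed."""
    leaky = pre_tls12_suites(cipher_string)
    if leaky:
        raise ValueError("ssl_ciphers still admits TLS 1.0/1.1 via: " + ", ".join(leaky))
    return {
        "name": name, "hostAliases": [host_alias], "port": "443",
        "interfaces": [], "listenOptions": [], "retryOptions": [],
        "properties": {"property": [{"name": "ssl_ciphers", "value": cipher_string}]},
        "sSLInfo": {
            "ciphers": [], "clientAuthEnabled": "false", "enabled": "true",
            "ignoreValidationErrors": False, "keyAlias": key_alias,
            "keyStore": keystore_ref,
            "protocols": [],  # ignored in Cloud; the ssl_ciphers property does the work
        },
    }


if __name__ == "__main__":
    # The accepted answer's string keeps SHA1 CBC suites, so -tls1 still connects.
    print(pre_tls12_suites("HIGH:!aNULL:!MD5:!DH+3DES:!kEDH"))
    # Two of the empirically valid TLS 1.2-only values listed in the update above.
    print(build_vhost_payload("secure", "ORG-ENV.apigee.net", "freetrial",
                              "ref://freetrialref", "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"))
```

The check relies on the OpenSSL linked into the local Python, so run it with an OpenSSL version at least as new as the gateway's to avoid missing suites.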