Manage TLS/SSL connections

In Activator, for the secure server and client connections, by default:

  • TLSv1.2 is enabled
  • SSL V3 is disabled

This applies to the following transports:

  • HTTPS user interface connection
  • HTTPS trading connections
  • FTPS

For the following transports, only TLSv1.0 is enabled:

  • PeSIT

Extend or restrict the protocols for Activator connections

To extend or restrict the set of available protocols for connections with remote servers and clients:

  1. Go to <Activator_install_directory>\Activator\conf\ and open the tuning.properties file in a text editor.
  2. Add the following properties, where each property value is a list of protocol names separated by commas:
    • sslProtocols – for Interchange server-type connections
    • sslProtocols.client – for Activator client-type connections
    These properties specify the enabled protocols for negotiated connections in the server and client cases respectively. Accepted values for the sslProtocols and sslProtocols.client properties are:
    • SSLv2Hello
    • SSLv3
    • TLSv1
    • TLSv1.1
    • TLSv1.2
  3. Save the file.
  4. Restart Activator.

How tuning.properties works

The tuning.properties file provides configuration that is global for all transports and applies to both clients and servers. It is not possible to enable SSL V3 only for a specific transport type.

Even when all protocols are specified in tuning.properties, the list is additionally filtered to take into account the limitations of each transport. When an incorrect value is specified for the sslProtocols property, Activator reverts to using only TLS V1.

Activator reads the sslProtocols, sslProtocols.client, and sslProtocol.connetionProtocol values from tuning.properties only once, at trading engine startup. If you modify a value, you must restart Activator for the change to take effect.

Examples for configuring the global server connection property:

sslProtocols=SSLv2Hello,SSLv3,TLSv1

sslProtocols=SSLv3,TLSv1

sslProtocols=TLSv1,TLSv1.1,TLSv1.2

This last example is identical to the default behavior that applies when the property is not specified at all.

Example for enabling SSL V3 for both client and server type connections:

sslProtocols=SSLv3,TLSv1

sslProtocols.client=SSLv3,TLSv1
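The following audit script is an added example, not part of the Activator documentation or product. It reads a tuning.properties file, works out which protocols each of the two properties would leave enabled under the rules described above (absent property: default list; unrecognized value: TLSv1 only), and flags SSL V3 and SSLv2Hello so they are not left on by accident. The sample file content is constructed; the per-transport filtering mentioned above is not modeled.

```python
# Added example: audit sslProtocols / sslProtocols.client in tuning.properties.
# Accepted values, the default list and the "invalid value -> TLS V1 only"
# fallback follow the documentation text; flagging SSLv3 and SSLv2Hello as
# weak is this script's own policy. Per-transport filtering is not modeled.
from typing import Dict, List, Optional, Tuple

ACCEPTED = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
DEFAULT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]   # property not specified
FALLBACK_PROTOCOLS = ["TLSv1"]                         # property holds an incorrect value
LEGACY = {"SSLv3", "SSLv2Hello"}                        # flagged by this audit

# Constructed sample: a typo ("TLSv2") in the client property, SSLv3 on the server one.
SAMPLE = """# constructed tuning.properties fragment
sslProtocols=SSLv3,TLSv1
sslProtocols.client=TLSv1,TLSv1.1,TLSv2
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no continuations."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def effective_protocols(value: Optional[str]) -> Tuple[List[str], bool]:
    """Return (protocols Activator would enable, whether it reverted to the fallback)."""
    if value is None:
        return list(DEFAULT_PROTOCOLS), False
    names = [n.strip() for n in value.split(",") if n.strip()]
    if not names or any(n not in ACCEPTED for n in names):
        return list(FALLBACK_PROTOCOLS), True
    return names, False


def audit(text: str) -> Dict[str, dict]:
    """Per property: enabled list, weak protocols present, and whether a bad value caused a revert."""
    props = parse_properties(text)
    report = {}
    for key in ("sslProtocols", "sslProtocols.client"):
        enabled, reverted = effective_protocols(props.get(key))
        report[key] = {"enabled": enabled, "weak": sorted(LEGACY & set(enabled)), "reverted": reverted}
    return report


if __name__ == "__main__":
    for key, result in audit(SAMPLE).items():
        print(key, result)
```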

The Java implementation used by Activator sends SSL V3 and TLS ClientHellos encapsulated in an SSLv2 ClientHello as long as SSLv2Hello is enabled. If the partner you are trading with does not support SSLv2Hello, the handshake fails. For this reason, only enable SSLv2Hello in the sslProtocols or sslProtocols.client property when your partners also support it.

More information about this is available in the Java Secure Socket Extension (JSSE) Reference Guide:

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallProbs
