Interchange 5.12 Administrator Guide

Manage TLS/SSL connections

In Interchange, for all secure server and client connections, by default:

- TLSv1, TLSv1.1, TLSv1.2 are enabled
- SSL V3 is disabled

This applies to all of the following transports:

- HTTPS user interface connection
- HTTPS trading connections
- FTPS
- PeSIT
- OFTP
- All possible DMZ configurations

Extend or restrict the protocols for Interchange connections

To extend or restrict the set of available protocols for connections with remote servers and clients:

1. Go to <Interchange_install_directory>/conf and open the tuning.properties file in a text editor.
2. Add the following properties:
   - sslProtocols – for Interchange server-type connections
   - sslProtocols.client – for Interchange client-type connections

   ...where the property contains a list of protocol names separated by commas. These properties specify the enabled protocols for negotiated connections in the server and client cases.

   Accepted values for the sslProtocols and sslProtocols.client properties are:
   - SSLv2Hello
   - SSLv3
   - TLSv1
   - TLSv1.1
   - TLSv1.2
3. Save the file.
4. Restart Interchange.

How tuning.properties works

The tuning.properties file provides configuration that is global for all transports and applies to both clients and servers. It is not possible to enable SSL V3 only for a specific transport type.

Even when all protocols are specified in tuning.properties, the list is additionally filtered to take into account the limitations of each transport. For example, OFTP TLS only supports TLS V1, while PeSIT only supports SSL V3 and TLS V1.

When an incorrect value is specified for the sslProtocols property, Interchange reverts to using only TLS V1.

Interchange reads the sslProtocols, sslProtocols.client, and sslProtocol.connetionProtocol values from tuning.properties only once, at Interchange trading engine startup. If you modify a value, you must restart Interchange for the change to take effect.

Examples for configuring the global server connection property:

    sslProtocols=SSLv2Hello,SSLv3,TLSv1
    sslProtocols=SSLv3,TLSv1
    sslProtocols=TLSv1,TLSv1.1,TLSv1.2

The last example is identical to the default behavior, which applies when the property is not specified at all.

Example for enabling SSL V3 for both client-type and server-type connections:

    sslProtocols=SSLv3,TLSv1
    sslProtocols.client=SSLv3,TLSv1

The Java implementation used by Interchange sends SSL V3 and TLS ClientHellos encapsulated in an SSL V2 ClientHello, as long as SSLv2Hello is enabled. If the partner with whom you are trading does not support SSLv2Hello, the handshake fails. For this reason, you should only enable SSLv2Hello in the sslProtocols or sslProtocols.client property when your partners also support it.

More information can be found in the Java Secure Socket Extension (JSSE) Reference Guide:

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallProbs

Refer to the section: Troubleshooting > Configuration Problems > Socket Disconnected after Sending ClientHello Message
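The rules above (accepted values, the fallback to TLS V1 on an incorrect value, and the per-transport filtering) can be checked before a restart with a small audit script. This is an added example, not Axway or Interchange code: the function names and the sample file are constructed, only the two transport limits the guide names are modelled, and applying the same fallback to sslProtocols.client and to an empty value is an assumption.

```python
# Added example: audits sslProtocols / sslProtocols.client values from a
# tuning.properties file. Fallback and transport limits are modelled from the
# guide's description, not taken from Interchange code.
ACCEPTED = ("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
DEFAULT = ["TLSv1", "TLSv1.1", "TLSv1.2"]      # used when the property is absent
LEGACY = {"SSLv2Hello", "SSLv3"}               # only for partners that need them
# The guide names limits for two transports only; others are not modelled here.
TRANSPORT_LIMITS = {"OFTP TLS": {"TLSv1"}, "PeSIT": {"SSLv3", "TLSv1"}}
KEYS = ("sslProtocols", "sslProtocols.client")


def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return {key: {"effective", "invalid", "legacy", "per_transport"}}."""
    props, report = parse_properties(text), {}
    for key in KEYS:
        if key not in props:
            effective, invalid = list(DEFAULT), []
        else:
            tokens = [t.strip() for t in props[key].split(",") if t.strip()]
            invalid = [t for t in tokens if t not in ACCEPTED]
            # Guide: an incorrect value makes Interchange use only TLS V1.
            # Assumption: same for sslProtocols.client and for an empty value.
            effective = ["TLSv1"] if invalid or not tokens else tokens
        report[key] = {
            "effective": effective,
            "invalid": invalid,
            "legacy": [p for p in effective if p in LEGACY],
            "per_transport": {name: [p for p in effective if p in allowed]
                              for name, allowed in TRANSPORT_LIMITS.items()},
        }
    return report


# Constructed sample: the server value carries a "TLSv.1.2" misspelling.
SAMPLE = """\
# tuning.properties (constructed sample)
sslProtocols=TLSv1,TLSv1.1,TLSv.1.2
sslProtocols.client=SSLv3,TLSv1
"""

if __name__ == "__main__":
    for key, result in audit(SAMPLE).items():
        print(key, result)
```

A non-empty "invalid" list means the setting silently narrows to TLS V1 at the next startup; a non-empty "legacy" list is the set of entries to justify against a specific partner's requirements.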