Manage TLS/SSL connections

In Interchange, for all secure server and client connections, by default:

  • TLSv1, TLSv1.1 and TLSv1.2 are enabled
  • SSL V3 is disabled

This applies to all of the following transports:

  • HTTPS user interface connection
  • HTTPS trading connections
  • FTPS
  • PeSIT
  • OFTP
  • All possible DMZ configurations

Extend or restrict the protocols for Interchange connections

To extend or restrict the set of available protocols for connections with remote servers and clients:

  1. Go to <Interchange_install_directory>/conf and open the tuning.properties file in a text editor.
  2. Add the following properties, each with a comma-separated list of protocol names as its value:
    • sslProtocols – for Interchange server-type connections
    • sslProtocols.client – for Interchange client-type connections
    These properties specify the enabled protocols for negotiated connections in the server and client cases respectively.
  3. Accepted values for the sslProtocols and sslProtocols.client properties are:
    • SSLv2Hello
    • SSLv3
    • TLSv1
    • TLSv1.1
    • TLSv1.2
  4. Save the file.
  5. Restart Interchange.

How tuning.properties works

The tuning.properties file provides configuration that is global for all transports and applies to both clients and servers. It is not possible to enable SSL V3 only for a specific transport type.

Even when all protocols are specified in tuning.properties, the list is additionally filtered to take into account the limitations of each transport. For example, OFTP TLS only supports TLS V1, while PeSIT only supports SSL V3 and TLS V1. When an incorrect value is specified for the sslProtocols property, Interchange reverts to using only TLS V1.

Interchange reads the tuning.properties values sslProtocols, sslProtocols.client and sslProtocol.connectionProtocol only once, at trading engine startup. If you modify a value, you must restart Interchange for the change to take effect.

Examples for configuring the global server connection property:

sslProtocols=SSLv2Hello,SSLv3,TLSv1

sslProtocols=SSLv3,TLSv1

sslProtocols=TLSv1,TLSv1.1,TLSv1.2

This last example is identical to the default behavior, which applies when the property is not specified at all.

Example for enabling SSL V3 for both client and server type connections:

sslProtocols=SSLv3,TLSv1

sslProtocols.client=SSLv3,TLSv1

The Java implementation used by Interchange sends SSL V3 and TLS ClientHello messages encapsulated in an SSLv2 ClientHello as long as SSLv2Hello is enabled. If the partner you are trading with does not support SSLv2Hello, the handshake fails. For this reason, enable SSLv2Hello in the sslProtocols or sslProtocols.client property only when your partners also support it.
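The following is an added audit script, not part of the Interchange product or its documentation, that applies the rules above to a tuning.properties file: it derives the effective protocol list from sslProtocols and sslProtocols.client (defaults when unset, fallback to TLS V1 on an invalid value), applies the per-transport limits the text gives for OFTP and PeSIT, and flags SSL V3 and SSLv2Hello. The sample file contents, the treatment of other transports as unrestricted, and the pass-through of SSLv2Hello in the transport filter are assumptions made for this example.

```python
ACCEPTED = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
DEFAULT = ["TLSv1", "TLSv1.1", "TLSv1.2"]  # used when the property is absent
FALLBACK = ["TLSv1"]                        # used when the value is invalid
# Per-transport limits stated in the text; other transports are assumed unrestricted.
TRANSPORT_LIMITS = {"OFTP": {"TLSv1"}, "PeSIT": {"SSLv3", "TLSv1"}}
# Constructed sample of <Interchange_install_directory>/conf/tuning.properties.
SAMPLE = """\
# tuning.properties (constructed sample, not from a real deployment)
sslProtocols=SSLv3,TLSv1
sslProtocols.client = TLSv1,TLSv1.1,TLSv.1.2
"""

def parse_properties(text):
    """Minimal key=value parser; comment and blank lines are ignored."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_protocol_list(value):
    """Split the comma-separated property value into protocol names."""
    return [n.strip() for n in value.split(",") if n.strip()]

def effective_protocols(value):
    """Protocol list Interchange ends up with for a raw value (None = not set)."""
    if value is None:
        return list(DEFAULT)
    names = parse_protocol_list(value)
    return names if names and all(n in ACCEPTED for n in names) else list(FALLBACK)

def protocols_for_transport(protocols, transport):
    """Apply the per-transport filter; SSLv2Hello is a hello format, so it passes through."""
    limit = TRANSPORT_LIMITS.get(transport)
    return [p for p in protocols if limit is None or p == "SSLv2Hello" or p in limit]

def audit(text):
    """Map each property to (effective protocols, risk-relevant notes)."""
    props, findings = parse_properties(text), {}
    for key in ("sslProtocols", "sslProtocols.client"):
        raw, notes = props.get(key), []
        eff = effective_protocols(raw)
        if raw is not None and eff != parse_protocol_list(raw):
            notes.append("invalid value: Interchange reverts to TLSv1 only")
        if "SSLv3" in eff:
            notes.append("SSLv3 enabled (disabled by default)")
        if "SSLv2Hello" in eff:
            notes.append("SSLv2Hello enabled: handshake fails with partners lacking it")
        findings[key] = (eff, notes)
    return findings
```

Running audit(SAMPLE) reports SSL V3 enabled for server connections and, because of the typo TLSv.1.2, a client list that silently collapses to TLS V1 only.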

More information is available in the Java Secure Socket Extension (JSSE) Reference Guide:

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallProbs

Refer to the section: Troubleshooting > Configuration Problems > Socket Disconnected after Sending ClientHello Message
