Specifying Cipher Suites


On the EMS server, specify cipher suites using the ssl_server_ciphers configuration parameter in tibemsd.conf. For more information about server configuration files, see Chapter 7, Using the Configuration Files.

For clients connecting with a connection factory, specify cipher suites using the ssl_ciphers connection factory parameter. For more information, see Configuring SSL in EMS Clients.

Syntax for Cipher Suites

EMS uses OpenSSL for SSL support. Therefore, the cipher suite names can be specified as the OpenSSL name for the cipher suite.

When specifying cipher suites, the usual way to specify more than one cipher suite is to separate each suite name with a colon (:) character. Alternatively, you can use spaces and commas to separate names.

Java Client Syntax

The syntax for specifying the list of cipher suites is different for Java clients than for any other location where cipher suites can be specified. For Java clients, you specify a qualifier (for example, + to add the suite) followed by the cipher suite name. Cipher suite names are case-sensitive. Table 42 describes the qualifiers you can use when specifying cipher suite names in a ConnectionFactory for Java clients.

Table 42 Qualifiers for Cipher Suites in Java Clients 
Qualifier
Description
+
Add the cipher to the list of ciphers.
-
Remove the cipher from the list of ciphers.
>
Move the cipher to the end of the list.
<
Move the cipher to the beginning of the list.
ALL
All ciphers from the list (except null ciphers). You can use this keyword to add or remove all ciphers.
At least one cipher suite must be present, otherwise the SSL connection fails to initialize. So, if you use -ALL, you must subsequently add the desired ciphers to the list.

This example specifies cipher suites in the ssl_ciphers connection factory parameter in a Java client:

-ALL:+RC4-MD5:+DES-CBC-SHA:<DES-CBC3-SHA 

Syntax for All Other Cipher Suite Specifications

For any cipher suite list that is not specified in a connection factory of a Java client, use the OpenSSL syntax. In particular, C clients and the ssl_server_ciphers configuration parameter require OpenSSL syntax.

In OpenSSL syntax, specifying a cipher suite name adds that cipher suite to the list. Each cipher suite name can be preceded by a qualifier. Cipher suite names are case-sensitive. Table 43 describes the qualifiers available using OpenSSL syntax.

Table 43 OpenSSL Qualifiers for Cipher Suites 
Qualifier
Description
/
Start with an empty list, and add the ciphers that follow it.
+
Moves the cipher to the end of the list.
-
Remove the cipher from the list of ciphers. When this option is used, the cipher can be added later on in the list of ciphers.
!
Permanently disable the cipher within the list of ciphers. Use this option if you wish to remove a cipher and you do not want later items in the list to add the cipher to the list. This qualifier takes precedence over all other qualifiers.
ALL
All ciphers from the list (except null ciphers). You can use this keyword to add or remove all ciphers.
At least one cipher suite must be present or the SSL connection fails to initialize. So, after using -ALL, you should add at least one cipher to the list.
@STRENGTH
Sort the cipher list by key length.

This example specifies cipher suites in the ssl_server_ciphers configuration parameter.

ssl_server_ciphers = -ALL:RC4-MD5:DES-CBC-SHA:DES-CBC3-SHA 
 

This example illustrates disables RC4-MD5, then adds all other ciphers:

ssl_server_ciphers = !RC4-MD5:ALL 

Default Cipher List

The EMS server and C client library hard-code a default cipher list, which is equivalent to ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH.

Supported Cipher Suites

In general, the EMS server and C client library support all cipher suites that OpenSSL supports, except IDEA, RC-5 and CAST. For a complete list, see current OpenSSL documentation.

Java clients support only the cipher suites listed in Table 44. For convenience, the table lists both the standard name and the OpenSSL name for each cipher suite.

Table 44 Supported Cipher Suites in Java API (Sheet 1 of 3)
Suite Name
(OpenSSL Name)
Export
Key Exch
Auth
Encrypt
Key Size
MAC
SSL_RSA_WITH_RC4_128_MD5
(RC4-MD5)
 
 
RSA
RSA
RC4
128
MD5
SSL_RSA_WITH_RC4_128_SHA
(RC4-SHA)
 
 
RSA
RSA
RC4
128
SHA1
SSL_RSA_WITH_DES_CBC_SHA
(DES-CBC-SHA)
 
 
RSA
RSA
DES
56
SHA1
SSL_RSA_WITH_3DES_EDE_CBC_SHA
(DES-CBC3-SHA)
 
 
RSA
RSA
3-DES
168
SHA1
SSL_RSA_EXPORT_WITH_RC4_40_MD5
(EXP-RC4-MD5)
 
Yes
RSA(512)
RSA
RC4
40
MD5
SSL_RSA_EXPORT_WITH_DES_40_CBC_SHA
(EXP-DES-CBC-SHA)
 
Yes
RSA(512)
RSA
DES
40
SHA1
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
(EDH-DSS-DES-CBC3-SHA)
 
 
DH
DSS
3-DES
168
SHA1
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
(EDH-RSA-DES-CBC3-SHA)
 
 
DH
RSA
3-DES
168
SHA1
SSL_DHE_DSS_WITH_DES_CBC_SHA
(EDH-DSS-DES-CBC-SHA)
 
 
DH
DSS
DES
56
SHA1
SSL_DHE_RSA_WITH_DES_CBC_SHA
(EDH-RSA-DES-CBC-SHA)
 
 
DH
RSA
DES
56
SHA1
SSL_DHE_DSS_EXPORT_WITH_DES_40_CBC_SHA
(EXP-EDH-DSS-DES-CBC-SHA)
 
Yes
DH(512)
DSS
DES
40
SHA1
SSL_DHE_RSA_EXPORT_WITH_DES_40_CBC_SHA
(EXP-EDH-RSA-DES-CBC-SHA)
 
Yes
DH(512)
RSA
DES
40
SHA1
TLS_RSA_WITH_AES_128_CBC_SHA
(AES128-SHA)
 
 
RSA
RSA
AES
128
SHA1
TLS_RSA_WITH_AES_256_CBC_SHA
(AES256-SHA)
 
 
RSA
RSA
AES
256
SHA1
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
(DHE-DSS-AES128-SHA)
 
 
DH
DSS
AES
128
SHA1
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
(DHE-DSS-AES256-SHA)
 
 
DH
DSS
AES
256
SHA1
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
(DHE-RSA-AES128-SHA)
 
 
DH
RSA
AES
128
SHA1
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
(DHE-RSA-AES256-SHA)
 
 
DH
RSA
AES
256
SHA1
SSL_RSA_WITH_NULL_MD5
(NULL-MD5)
JSSE only. Entrust does not support this suite.
 
 
DH
RSA
none
MD5
SSL_RSA_WITH_NULL_SHA
(NULL-SHA)
JSSE only. Entrust does not support this suite.
 
 
DH
RSA
none
SHA1


TIBCO Enterprise Message Service™ User’s Guide
Software Release 4.3, February 2006
Copyright © TIBCO Software Inc. All rights reserved
www.tibco.com