Solutions

Stay on top of everything MarkLogic

Be the first to know! News, product information, and events delivered straight to your inbox.

Sign Me Up

Learn

Stay on top of everything MarkLogic

Be the first to know! News, product information, and events delivered straight to your inbox.

Sign Me Up

Community

Stay on top of everything MarkLogic

Be the first to know! News, product information, and events delivered straight to your inbox.

Sign Me Up

Company

Stay on top of everything MarkLogic

Be the first to know! News, product information, and events delivered straight to your inbox.

Sign Me Up

 
Knowledgebase:
Hardening the MarkLogic App Server HTTPS connection
24 January 2017 06:49 PM

Introduction

Recent exploits in the TLS protocol such as POODLE, FREAK, LogJam and SLOTH have rendered TLSv1.0 and SSLv3 largely obsolete.  Additionally, standards councils such as PCI (Payment Card Industry) and NIST (National Institute of Standards & Technology) are moving to disallow the use of these protocols.

This article will describe the MarkLogic configuration changes needed to harden a MarkLogic HTTP Application Server so that only secure versions of TLS are used and where clients attempting to connect with TLSv1.0 or earlier protocols are rejected.

Configuration

The TLS protocol versions accepted and the Cipher suites selected are controlled by the specification list set in the "SSL Ciphers" field on the HTTP App Server Configuration panel:

The format of the specification list follows the OpenSSL format as described in the OpenSSL Cipher suite documentation and comprises one or more colon ":" separated ciphers strings which control which cipher suites are enabled or disabled. 

The default specification used by MarkLogic enables ALL ciphers except those that are considered of LOW encryption and places them in order of @STRENGTH 

ALL:!LOW:@STRENGTH

While sufficient for a lot of needs the default settings still allow for cipher negotiations that are no longer considered secure or weak signature algorithms such as MD2 and MD5. The following cipher specification string enhances security by only permitting AES and Triple DES (3DES) ciphers while at the same time disabling MD2 and MD5 signature algorithms.

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD2:!MD5

PCI DSS 3.2 & NIST SP 800-52 compliance

At this stage while the MarkLogic HTTP Application Server is now using stronger security it will still permit a client to connect using TLSv1.0. In order to comply with PCI DSS 3.2, compliant sites must stop using TLSv1.0 by 30th June 2018 while NIST SP 800-52 requires that sites only use TLSv1.1 with a recommendation to use TLSv1.2 where possible.

TLSv1.2 and browser support

For TLSv1.2, older browsers should be upgraded to current versions.

Making these changes may require users accessing your application to upgrade older browsers such as Firefox < 27.0 or Internet Explorer < 11.0 as these versions do not support TLSv1.2 by default.

The MarkLogic App Server utilizes OpenSSL which does not explicitly support enabling or disabling a specific TLS protocol version, however by disabling the all cipher cipher suites associated with a particular version you effectively get the same outcome.

SSLv3, TLSv1.0 & TLSv1.1 share the same common ciphers, so adding "!SSLv3" to the cipher specification will cause all client connection attempts using any of these protocols to fail.

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD2:!MD5:!SSLv3

Testing using the OpenSSL s_client utility shows that attempts to connect using TLSv1.0 fail with SSL alert 40 indicating no common cipher was available.

openssl s_client -connect 192.168.99.100:8010 -debug -tls1
CONNECTED(00000003)
..
140735283961936:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
140735283961936:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:

While connecting using TLSv1.2 is successful.

openssl s_client -connect 192.168.99.100:8010 -debug -tls1_2
CONNECTED(00000003)
...
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384

Further reading

On MarkLogic Security Certification
(2 vote(s))
Helpful
Not helpful

Comments (0)