Hardening the MarkLogic App Server HTTPS connection
09 September 2020 02:59 PM


Attacks on SSL/TLS such as POODLE, FREAK, Logjam, and SLOTH, together with the design weaknesses of the older protocol versions themselves, have rendered SSLv3 and TLSv1.0 obsolete. Standards bodies such as the PCI Security Standards Council (Payment Card Industry) and NIST (National Institute of Standards and Technology) have moved to disallow the use of these protocols.

This article describes the MarkLogic configuration changes needed to harden a MarkLogic HTTP Application Server so that only current versions of TLS are accepted and clients attempting to connect with TLSv1.1 or earlier protocols are rejected.

Note: Since this article was first written, MarkLogic Server has added an administrator function to disable individual SSL and TLS protocol versions. If you are still running MarkLogic 8.0-5 or earlier you can continue to use the solution outlined below; users of MarkLogic 9 or later should instead use the AppServer Set SSL Disabled Protocols function (admin:appserver-set-ssl-disabled-protocols in the Admin API) to control which SSL and TLS protocol versions are offered, which is more direct and more robust than filtering cipher suites.


The TLS protocol versions accepted and the cipher suites offered are both controlled by the cipher specification list in the "SSL Ciphers" field on the HTTP App Server configuration panel.

The specification follows the OpenSSL cipher-list format described in the OpenSSL ciphers(1) documentation: one or more colon ":" separated cipher strings, each of which enables, disables, or reorders a set of cipher suites.

The default specification used by MarkLogic enables ALL cipher suites except those OpenSSL classifies as LOW strength and sorts the result by key length with @STRENGTH, i.e. the equivalent of the cipher string ALL:!LOW:@STRENGTH.


While sufficient for many deployments, the default still allows negotiation of cipher suites that are no longer considered secure, including suites built on weak hash algorithms such as MD2 and MD5 (in cipher-string terms, !MD5 removes the suites that use MD5 as their MAC). The recommended cipher specification string tightens this by permitting only AES and Triple DES (3DES) suites while disabling MD2 and MD5. Note that 3DES has since been shown to be weak in its own right (the SWEET32 birthday attack on 64-bit block ciphers), so a current deployment should normally restrict the list to AES suites only.


PCI DSS 3.2 & NIST SP 800-52 compliance

At this stage the MarkLogic HTTP Application Server is using stronger cipher suites, but it will still permit a client to connect using TLSv1.0. PCI DSS 3.2 required compliant sites to stop using SSL and early TLS (TLSv1.0) by 30 June 2018, while NIST SP 800-52 Revision 1 required at least TLSv1.1 and recommended TLSv1.2 where possible (Revision 2, published in 2019, requires TLSv1.2).

TLSv1.2 and browser support

Enforcing TLSv1.2 may require users accessing your application to upgrade older browsers such as Firefox before 27.0 or Internet Explorer before 11.0, as these versions do not enable TLSv1.2 by default.

In the MarkLogic versions this article was written for, the App Server exposes no setting to enable or disable an individual TLS protocol version; it only passes the cipher specification through to OpenSSL. However, OpenSSL groups cipher suites by the lowest protocol version that supports them, so disabling all the cipher suites associated with a protocol version has the same effect as disabling the version itself.

SSLv3, TLSv1.0 and TLSv1.1 share the same cipher suites (OpenSSL defines no suites specific to TLSv1.1), so adding "!SSLv3" to the cipher specification removes every suite those protocols can use and leaves only the TLSv1.2-only suites (the GCM and SHA-256/SHA-384 suites). Client connection attempts using any of these three protocols then fail at the handshake. Note that this rejects TLSv1.1 as well, which goes beyond the SP 800-52 minimum but matches its TLSv1.2 recommendation. One caveat: this behaviour depends on OpenSSL 1.0.x, where the SSLv3 and TLSv1 selectors are the same internal flag. OpenSSL 1.1.0 and later track the minimum version per suite, so "!SSLv3" alone leaves the ECDHE-*-SHA suites (minimum version TLSv1.0) available to TLSv1.0 and TLSv1.1 clients; on such builds "!TLSv1.0" must be added as well, which is a further reason to prefer the explicit disabled-protocols setting in MarkLogic 9 and later.
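The following script is an added example, not code from the original article or from MarkLogic. It uses Python's ssl module, which is backed by OpenSSL, so SSLContext.set_ciphers() accepts the same specification syntax as the "SSL Ciphers" field, and it shows what the default-style string, the AES/3DES hardening, and the "!SSLv3" trick each leave enabled. The specification strings, the function names, and the extra "!TLSv1:!TLSv1.0" selectors in STRICT_SPEC are this example's own assumptions (both spellings are given because OpenSSL releases differ in which alias they accept); they are not MarkLogic settings. The last function shows the explicit minimum-version approach that the article's note recommends for MarkLogic 9 and later.

```python
"""Inspect what an OpenSSL cipher specification actually enables.

Added example, not code from the original article or from MarkLogic. The
specification strings below are assumptions chosen to illustrate the article,
not MarkLogic's actual defaults.
"""
import ssl

# Assumed specification strings (illustrative).
DEFAULT_SPEC = "ALL:!LOW:@STRENGTH"                 # as the article describes the default
HARDENED_SPEC = "AES:3DES:!MD5:@STRENGTH"           # AES/3DES only, no MD5 MAC
NO_SSLV3_SPEC = "AES:3DES:!MD5:!SSLv3:@STRENGTH"    # the article's "!SSLv3" trick
# "!SSLv3" only removes suites whose minimum version is SSLv3. OpenSSL 1.1.0
# and later treat the ECDHE-*-SHA suites (minimum TLSv1.0) as a separate group,
# so the TLSv1.0 group is disabled too (both alias spellings, since releases
# differ; an unrecognised alias is ignored by OpenSSL).
STRICT_SPEC = "AES:3DES:!MD5:!SSLv3:!TLSv1:!TLSv1.0:@STRENGTH"


def enabled_suites(spec):
    """Return (name, minimum protocol) for every suite the spec enables.

    TLSv1.3 suites are configured separately in OpenSSL and ignore the cipher
    string, so they are filtered out of the comparison.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def min_protocols(spec):
    """The set of minimum protocol versions among the enabled suites."""
    return {proto for _, proto in enabled_suites(spec)}


def legacy_reachable(spec):
    """Suites an SSLv3/TLSv1.0/TLSv1.1 client could still negotiate.

    Those clients can only use suites whose minimum version is below TLSv1.2;
    when this list is empty the server has no cipher in common with them and
    answers with alert 40 (handshake_failure), as in the s_client test.
    """
    return [name for name, proto in enabled_suites(spec) if proto != "TLSv1.2"]


def rejects_pre_tls12(spec):
    """True when only TLSv1.2 suites remain, i.e. older clients are rejected."""
    return not legacy_reachable(spec)


def uses_md5_mac(spec):
    """True if any enabled suite still uses MD5 as its MAC."""
    return any("MD5" in name for name, _ in enabled_suites(spec))


def strict_context():
    """The explicit alternative: set a minimum protocol version directly
    instead of relying on cipher selection (what the MarkLogic 9+ disabled
    protocols setting does at the server level).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_SPEC)
    return ctx


def strict_min_version_name():
    """Name of the minimum version enforced by strict_context()."""
    return strict_context().minimum_version.name


if __name__ == "__main__":
    for label, spec in [("default", DEFAULT_SPEC), ("hardened", HARDENED_SPEC),
                        ("!SSLv3", NO_SSLV3_SPEC), ("strict", STRICT_SPEC)]:
        print(f"{label:9} min protocols={sorted(min_protocols(spec))} "
              f"legacy-reachable={len(legacy_reachable(spec))} "
              f"md5={uses_md5_mac(spec)}")
    print("strict context minimum version:", strict_min_version_name())
```

Run it against the OpenSSL build you actually deploy: the "!SSLv3" line will show zero legacy-reachable suites on OpenSSL 1.0.x but a non-empty ECDHE-*-SHA list on 1.1.0 and later, which is exactly the difference the caveat describes.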


Testing with the OpenSSL s_client utility shows that a connection attempt forced to TLSv1.0 fails with alert 40 (handshake_failure), which the server sends when it has no cipher suite in common with the client:

openssl s_client -connect -debug -tls1
140735283961936:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
140735283961936:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:

Connecting with TLSv1.2 succeeds; the negotiated suite, AES256-GCM-SHA384, is one of the TLSv1.2-only suites, and the "Protocol" line confirms the version (the "New, TLSv1/SSLv3" label is s_client's generic session description, not the negotiated version):

openssl s_client -connect -debug -tls1_2
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384

Further reading

On MarkLogic Security Certification