
Configure TLS ciphers

Configure a FairCom server to use specific Transport Layer Security ciphers

Abstract

FairCom's default setting for TLS ciphers is secure. To enforce stricter customized security, any cipher available in OpenSSL can be configured for use.

FairCom default ciphers
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-RSA-CHACHA20-POLY1305

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-CHACHA20-POLY1305

  • DHE-RSA-AES128-GCM-SHA256

  • DHE-RSA-AES256-GCM-SHA384

The FairCom server supports TLS for client connections over HTTPS, WSS, MQTTS, SQL, and ISAM:
  • FairCom's JSON APIs and web applications accept HTTPS and WSS connections as configured in services.json.

  • MQTT connections use MQTTS over TCP as configured in services.json.

  • FairCom's SQL and ISAM connections use TCP or shared memory. The TCP connections support TLS as configured in ctsrvr.cfg.

Tip

Use the services.json and ctsrvr.cfg configuration files in the <faircom>/config folder to configure which TLS ciphers clients may use to connect to a FairCom server.

Configure TLS for FairCom JSON APIs and web applications

  1. Edit <faircom>/config/services.json

  2. Under each secure protocol listener (https, mqtts, mqttwss), update the "tls" object by adding the "tls_cipher_suites" property with a colon-delimited list of ciphers.

    "tls":
    {
      "certificateFilename": "./web/fccert.pem",
      "tls_cipher_suites": "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256"
    }

  3. Restart the server for the configuration changes to take effect.

Configure TLS for FairCom SQL and ISAM database connections over TCP/IP

  1. Edit <faircom>/config/ctsrvr.cfg

  2. Add or uncomment the property group SUBSYSTEM COMM_PROTOCOL SSL to configure TLS. Specify the whitelist of ciphers in the SSL_CIPHERS property using a colon-delimited list of ciphers.

    SUBSYSTEM COMM_PROTOCOL SSL {
      SERVER_CERTIFICATE_FILE ctree_ssl.pem
      SSL_CONNECTIONS_ONLY NO
      SSL_CIPHERS TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256
    }

  3. Restart the server for the configuration changes to take effect.

Tip

To deactivate a configuration setting in ctsrvr.cfg, remove it from the file or place a semicolon before the setting, such as ;SUBSYSTEM COMM_PROTOCOL SSL. To activate a configuration setting, remove the semicolon.
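The same colon-delimited whitelist is used by both procedures above, so the following added example (not FairCom code; the policy rules and helper names are assumptions of this example) lints a candidate list for stray whitespace, non-AEAD or non-forward-secret suites, and names outside FairCom's documented defaults, then renders it as both the services.json "tls" object and the ctsrvr.cfg SSL block. It assumes FairCom passes the string to OpenSSL unchanged.

```python
import json

# FairCom's documented default ciphers (TLS 1.3 names use underscores, TLS 1.2 names hyphens).
FAIRCOM_DEFAULTS = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
}

def check_cipher_list(cipher_string):
    """Return {"errors": [...], "warnings": [...]} for a tls_cipher_suites / SSL_CIPHERS value."""
    errors, warnings = [], []
    for token in cipher_string.split(":"):
        if not token or token != token.strip():  # a stray space breaks a colon-delimited list
            errors.append(f"empty entry or stray whitespace around {token!r}")
            continue
        if token.startswith("TLS_"):  # TLS 1.3 suite: key exchange is always ephemeral
            forward_secret = True
            aead = token.endswith(("_GCM_SHA256", "_GCM_SHA384", "_POLY1305_SHA256",
                                   "_CCM_SHA256", "_CCM_8_SHA256"))
        else:  # OpenSSL-style TLS 1.2 name: the prefix names the key exchange
            forward_secret = token.startswith(("ECDHE-", "DHE-"))
            aead = any(m in token for m in ("-GCM-", "-CCM", "-CHACHA20-POLY1305"))
        if not forward_secret:
            errors.append(f"{token}: no forward secrecy")
        if not aead:
            errors.append(f"{token}: not an AEAD cipher")
        if token not in FAIRCOM_DEFAULTS:
            warnings.append(f"{token}: outside FairCom's defaults; confirm OpenSSL knows it")
    return {"errors": errors, "warnings": warnings}

def services_json_tls(cipher_string, cert="./web/fccert.pem"):
    """Render the "tls" object for an https/mqtts/mqttwss listener in services.json."""
    return json.dumps({"tls": {"certificateFilename": cert,
                               "tls_cipher_suites": cipher_string}}, indent=2)

def ctsrvr_cfg_ssl(cipher_string, cert="ctree_ssl.pem", ssl_only="NO"):
    """Render the SUBSYSTEM COMM_PROTOCOL SSL block for ctsrvr.cfg."""
    return "\n".join(["SUBSYSTEM COMM_PROTOCOL SSL {",
                      f"  SERVER_CERTIFICATE_FILE {cert}",
                      f"  SSL_CONNECTIONS_ONLY {ssl_only}",
                      f"  SSL_CIPHERS {cipher_string}", "}"])

if __name__ == "__main__":
    # Constructed input: a stray space after a colon and a non-forward-secret CBC suite.
    bad = "TLS_AES_256_GCM_SHA384: ECDHE-ECDSA-AES128-GCM-SHA256:AES128-SHA"
    print(*check_cipher_list(bad)["errors"], sep="\n")
    good = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256"
    print(services_json_tls(good), ctsrvr_cfg_ssl(good), sep="\n")
```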