Configure TLS ciphers
Configure a FairCom server to use specific Transport Layer Security ciphers
FairCom's default TLS cipher setting is secure. To enforce a stricter, customized policy, any cipher name that the server's OpenSSL library recognizes can be configured. The cipher names below are examples of valid entries: the first three are TLS 1.3 cipher suites, and the remainder are TLS 1.2 suites that all provide forward secrecy (ECDHE or DHE key exchange) and AEAD encryption (AES-GCM or ChaCha20-Poly1305). Note that OpenSSL configures TLS 1.3 suites separately from TLS 1.2 ciphers, so after changing a whitelist, confirm from a client (for example with openssl s_client or a TLS scanner) which suites the server actually negotiates.
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
FairCom's JSON APIs and web applications accept HTTPS and WSS connections as configured in services.json. MQTT connections use MQTTS over TCP, also configured in services.json. FairCom's SQL and ISAM connections use TCP or shared memory; the TCP connections support TLS as configured in ctsrvr.cfg.
Tip
Use the services.json and ctsrvr.cfg configuration files, located in the <faircom>/config folder, to configure which TLS ciphers clients may use when connecting to a FairCom server.
Configure TLS for FairCom JSON APIs and web applications
1. Edit <faircom>/config/services.json.
2. Under each secure protocol listener (https, mqtts, mqttwss), update the "tls" object by adding the "tls_cipher_suites" property with a colon-delimited list of ciphers:

   "tls": {
     "certificateFilename": "./web/fccert.pem",
     "tls_cipher_suites": "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256"
   }

3. Restart the server for the configuration changes to take effect.
Configure TLS for FairCom SQL and ISAM database connections over TCP/IP
1. Edit <faircom>/config/ctsrvr.cfg.
2. Add or uncomment the SUBSYSTEM COMM_PROTOCOL SSL property group to configure TLS. Specify the whitelist of ciphers in the SSL_CIPHERS property using a colon-delimited list of ciphers:

   SUBSYSTEM COMM_PROTOCOL SSL {
      SERVER_CERTIFICATE_FILE ctree_ssl.pem
      SSL_CONNECTIONS_ONLY NO
      SSL_CIPHERS TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256
   }

   With SSL_CONNECTIONS_ONLY NO, as in this example, the listener still accepts TCP connections that do not use TLS; the cipher whitelist only governs the connections that do.
3. Restart the server for the configuration changes to take effect.
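The following Python script is an added example, not FairCom code. It takes the colon-delimited whitelist used in the two procedures above, normalizes it (catching stray whitespace, empty entries and cipher families that should never be whitelisted), asks the OpenSSL library linked into the local Python interpreter whether it recognizes each name, and renders the same list into both the services.json "tls" object and the ctsrvr.cfg SSL property group so the two listeners cannot drift apart. Using the local OpenSSL as a proxy for the one the FairCom server links is an assumption; so is the YES value for SSL_CONNECTIONS_ONLY (the page only shows NO). The property and file names come from this page; the function names are the example's own.

```python
"""Check a colon-delimited TLS cipher whitelist and render it for both
services.json and ctsrvr.cfg.  Added example, not FairCom code."""
import json
import ssl

# Substrings that mark ciphers with no place in a production whitelist
# (unauthenticated, unencrypted, export-grade or broken primitives).
WEAK_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXPORT", "EXP-",
                "ANON", "ADH-", "AECDH-", "PSK", "SRP")

# Constructed input: the list from this page, with a stray space after the
# second colon kept on purpose so the whitespace check has something to catch.
EXAMPLE_LIST = ("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384: "
                "ECDHE-ECDSA-AES128-GCM-SHA256")


def _openssl_supported_names():
    """Names of every suite the local OpenSSL can enable (TLS 1.2 and TLS 1.3)."""
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    probe.set_ciphers("ALL")
    return {c["name"] for c in probe.get_ciphers()}


def _openssl_accepts_tls12(name):
    """True if OpenSSL can build a non-empty TLS 1.2 cipher list from `name`.
    set_ciphers() raises SSLError when nothing matches, which is how a typo
    in a TLS 1.2 cipher name shows up."""
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        probe.set_ciphers(name)
        return True
    except ssl.SSLError:
        return False


def validate_cipher_list(cipher_list):
    """Split the whitelist on ':' and classify every entry.

    Returns the normalized entries, the TLS 1.3 and TLS 1.2 buckets, and a
    list of problems; an empty problem list means the whitelist is clean.
    OpenSSL configures TLS 1.3 suites (TLS_ prefix) separately from TLS 1.2
    ciphers, so they are checked against the supported-name set rather than
    through set_ciphers().
    """
    supported = _openssl_supported_names()
    entries, tls13, tls12, problems = [], [], [], []
    for raw in cipher_list.split(":"):
        name = raw.strip()
        if not name:
            problems.append("empty entry (doubled or trailing colon)")
            continue
        if name != raw:
            problems.append(f"whitespace around {name}; removed")
        if any(marker in name.upper() for marker in WEAK_MARKERS):
            problems.append(f"weak or unauthenticated cipher in whitelist: {name}")
        if name.startswith("TLS_"):
            tls13.append(name)
            if name not in supported:
                problems.append(f"TLS 1.3 suite not known to local OpenSSL: {name}")
        else:
            tls12.append(name)
            if not _openssl_accepts_tls12(name):
                problems.append(f"no TLS 1.2 cipher matches: {name}")
        entries.append(name)
    return {"entries": entries, "tls13": tls13, "tls12": tls12, "problems": problems}


def services_tls_object(entries, certificate="./web/fccert.pem"):
    """The "tls" object to place under each https/mqtts/mqttwss listener."""
    return {"tls": {"certificateFilename": certificate,
                    "tls_cipher_suites": ":".join(entries)}}


def ctsrvr_ssl_stanza(entries, certificate="ctree_ssl.pem", tls_only=False):
    """The SUBSYSTEM COMM_PROTOCOL SSL group for ctsrvr.cfg.  The page shows
    SSL_CONNECTIONS_ONLY NO; that YES is the opposite value is an assumption."""
    return "\n".join([
        "SUBSYSTEM COMM_PROTOCOL SSL {",
        f"   SERVER_CERTIFICATE_FILE {certificate}",
        f"   SSL_CONNECTIONS_ONLY {'YES' if tls_only else 'NO'}",
        f"   SSL_CIPHERS {':'.join(entries)}",
        "}",
    ])


if __name__ == "__main__":
    report = validate_cipher_list(EXAMPLE_LIST)
    for problem in report["problems"]:
        print("WARN:", problem)
    print(json.dumps(services_tls_object(report["entries"]), indent=2))
    print(ctsrvr_ssl_stanza(report["entries"]))
```

Run it as-is to see the whitespace warning on the page's own list and the two rendered fragments; feed it a candidate whitelist of your own to catch typos and weak entries before restarting the server. Treat a clean report as a preflight check only: the authoritative test is still what the restarted FairCom listener negotiates with a real client.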
Tip
To deactivate a configuration setting in ctsrvr.cfg, remove it from the file or place a semicolon before the setting, such as ;SUBSYSTEM COMM_PROTOCOL SSL. To activate a configuration setting, remove the semicolon.