How to modify cipher suites
Introduction
You might want to modify the ciphers used in the SSL exchange in Live Assist's products. To do so you'll need to edit the fas.properties file, make the necessary changes and then restart FAS.
Example 1 - removing ciphers
Here's an example of removing the cipher suites that use weak, ephemeral Diffie-Hellman keys (the change below also drops the RC4 suites).
1. Make a backup of your fas.properties file
cd /opt/cafex/FAS-2.1*/domain/configuration
cp fas.properties fas.bak-<date>
2. Edit fas.properties and remove the weak encryption ciphers
vi fas.properties
Make the following changes to the jsse cipher suites:
Before:
jsse.cipher.suites= SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
After:
jsse.cipher.suites= SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
3. Restart FAS from the command line
# service fas restart
Example 2 - adding ciphers
Here's an example of adding GCM ciphers (GCM ciphers are supported only on JDK-8 at the time of writing).
1. Make a backup of your fas.properties file
cd /opt/cafex/FAS-2.1*/domain/configuration
cp fas.properties fas.bak-<date>
2. Edit fas.properties and add the new encryption ciphers by appending them to the end of the cipher list so that it reads
openssl.cipher.suites= SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
3. Restart FAS from the command line
# service fas restart
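To check an edit from Example 1 or Example 2 before restarting FAS, the following added script (not part of the product or of the original article) compares the backup with the edited file and lists any suites that still match a weak pattern. The function names, the WEAK_PATTERN variable and the script name check_suites.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes one "key=value" per line in
# fas.properties (no backslash line continuations).

# Print the suites listed under property KEY in FILE, one per line.
suites_in() {  # usage: suites_in FILE KEY
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                        # skip comment lines
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k == key) value = substr($0, eq + 1)  # last definition wins
        }
        END {
            n = split(value, s, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t\r]+|[ \t\r]+$/, "", s[i])
                if (s[i] != "") print s[i]
            }
        }' "$1"
}

# Suites matching the weak pattern. The default covers what Example 1
# removes (RC4 and non-elliptic-curve DHE); override via WEAK_PATTERN.
weak_suites() {  # usage: weak_suites FILE KEY
    suites_in "$1" "$2" | grep -E "${WEAK_PATTERN:-_RC4_|_DHE_}" || true
}

# Suites present in the backup (OLD) but absent from the edited file (NEW).
removed_suites() {  # usage: removed_suites OLD NEW KEY
    new=$(suites_in "$2" "$3")
    for s in $(suites_in "$1" "$3"); do
        printf '%s\n' "$new" | grep -qxF -- "$s" || printf '%s\n' "$s"
    done
}

# Run as: sh check_suites.sh BACKUP_FILE fas.properties jsse.cipher.suites
if [ "$#" -eq 3 ]; then
    echo "Removed by the edit:";         removed_suites "$1" "$2" "$3"
    echo "Still matching weak pattern:"; weak_suites "$2" "$3"
    [ -z "$(weak_suites "$2" "$3")" ]    # non-zero exit if weak suites remain
else  # no arguments: demo on two constructed files
    d=$(mktemp -d)
    echo 'jsse.cipher.suites= SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA' > "$d/bak"
    echo 'jsse.cipher.suites= TLS_RSA_WITH_AES_128_CBC_SHA' > "$d/cur"
    removed_suites "$d/bak" "$d/cur" jsse.cipher.suites
    rm -rf "$d"
fi
```

Pass openssl.cipher.suites as the third argument when checking the property edited in Example 2.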
If you have any queries, contact Customer Support.