
Ssl

Shared SSL configuration

The PEM file from which to read the trusted certificate information. It may contain zero or more certificates. Each certificate should consist of the following:

  • A line containing only the string “-----BEGIN CERTIFICATE-----”.
  • One or more lines containing the base64-encoded representation of the bytes that comprise the X.509 certificate.
  • A line containing only the string “-----END CERTIFICATE-----”.

Any spaces that appear at the beginning or end of each line are ignored. Empty lines and lines that start with the octothorpe (#) character are also ignored. Defaults to ‘ca-bundle.pem’ in the working directory, or to the system’s default trusted certificate store.
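A parser that applies exactly the bundle rules just listed (stripped lines, ignored empty and '#' lines, BEGIN / base64 body / END per certificate). This is an added example, not Scribe's own loader; the sample bundle is constructed and its body is arbitrary bytes rather than a real X.509 certificate, and rejecting text outside a certificate block is this example's own choice, since the description above does not define it.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_pem_bundle(text: str) -> list:
    """Return the DER bytes of each certificate in a bundle, applying the rules
    above: surrounding spaces, empty lines and '#' lines are ignored, and each
    certificate is a BEGIN line, base64 body lines, then an END line.
    Zero certificates is valid and yields an empty list."""
    certs = []
    body = None                      # None while outside a certificate block
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == BEGIN:
            if body is not None:
                raise ValueError(f"line {lineno}: BEGIN inside an open block")
            body = []
        elif line == END:
            if not body:             # None (no BEGIN seen) or an empty body
                raise ValueError(f"line {lineno}: END without certificate data")
            try:
                certs.append(base64.b64decode("".join(body), validate=True))
            except binascii.Error as exc:
                raise ValueError(f"line {lineno}: invalid base64: {exc}") from exc
            body = None
        elif body is not None:
            body.append(line)
        else:
            # Assumption: the description above does not define text outside a
            # block, so this parser rejects it instead of silently skipping it.
            raise ValueError(f"line {lineno}: text outside a certificate block")
    if body is not None:
        raise ValueError("missing END line for the last certificate")
    return certs


# Constructed sample: the body is arbitrary bytes, not a real X.509 certificate,
# so only the bundle syntax is exercised here.
FAKE_DER = bytes(range(48))
SAMPLE_BUNDLE = "\n".join([
    "# constructed bundle with one certificate",
    "",
    "  " + BEGIN + "  ",
    base64.b64encode(FAKE_DER[:24]).decode(),
    base64.b64encode(FAKE_DER[24:]).decode(),
    END,
])
```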

Priority: SCRIBE_SSL_CA > config

Property   Value
Default    "relative/from/config/file/ca.pem"
Override   SCRIBE_SSL_CA (optional)
ssl.ca = ${?SCRIBE_SSL_CA}

The file containing the PEM-formatted X.509 representations of the certificates in the certificate chain. It must contain at least one certificate (the end entity certificate), but may contain additional certificates as needed for the complete certificate chain. Certificates should be ordered such that the first certificate must be the end entity certificate, and each subsequent certificate must be the issuer for the previous certificate. The chain does not need to be complete as long as the peer may be expected to have prior knowledge of any missing issuer certificates.

Priority: SCRIBE_SSL_CERT > config

Property   Value
Default    "relative/from/config/file/cert.pem"
Override   SCRIBE_SSL_CERT (optional)
ssl.cert = ${?SCRIBE_SSL_CERT}

Lists the SSL/TLS cipher suites that are enabled. The values can be any valid SSL/TLS cipher suite name, such as TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, etc. The default cipher suites are based on those recommended by SSL Labs.

Source: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites

Property   Value
Default    [TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, ...]
ssl.cipher-suites = [ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
## Not recommended but still required by eDirectory ldaps
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
## These are not recommended anymore
# TLS_AES_128_GCM_SHA256
# TLS_AES_256_GCM_SHA384
# TLS_CHACHA20_POLY1305_SHA256
# TLS_DHE_DSS_WITH_AES_128_CBC_SHA
# TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
# TLS_DHE_DSS_WITH_AES_256_CBC_SHA
# TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
# TLS_DHE_RSA_WITH_AES_128_CBC_SHA
# TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
# TLS_DHE_RSA_WITH_AES_256_CBC_SHA
# TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
# TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
# TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
# TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
# TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
# TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
# TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
# TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
# TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
# TLS_RSA_WITH_AES_128_CBC_SHA
# TLS_RSA_WITH_AES_128_CBC_SHA256
# TLS_RSA_WITH_AES_256_CBC_SHA
# TLS_RSA_WITH_AES_256_CBC_SHA256
# TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]

The file containing the PEM-formatted PKCS #8 representation of the private key for the end entity certificate. It must contain exactly one PEM-encoded private key. The private key may optionally be encrypted.

Priority: SCRIBE_SSL_KEY > config

Property   Value
Default    "relative/from/config/file/cert.pem"
Override   SCRIBE_SSL_KEY (optional)
ssl.key = ${?SCRIBE_SSL_KEY}

The password needed to decrypt the private key if it is encrypted.

Priority: SCRIBE_SSL_PASSWORD > config

Property   Value
Default    "..."
Override   SCRIBE_SSL_PASSWORD (optional)
ssl.password = ${?SCRIBE_SSL_PASSWORD}

Lists the SSL/TLS protocols that are enabled. The values can be any valid SSL/TLS protocol version, such as TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, etc. The default protocols are those recommended by SSL Labs.

Source: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#22-use-secure-protocols

Property   Value
Default    [TLSv1.3, TLSv1.2, ...]
ssl.protocols = [ TLSv1.3
TLSv1.2
## These are not recommended anymore
# TLSv1.1
# TLSv1
# SSLv3
# SSLv2
]
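A small checker for the ssl.cipher-suites and ssl.protocols blocks above: it reads list blocks in the layout shown on this page (one element per line, '#' comments to end of line) and reports each enabled entry that falls short of the SSL Labs guidance the two sections cite. This is an added example, not Scribe's own configuration loader; the config it reads is a constructed sample.

```python
import re

# Constructed sample in the shape of the ssl.protocols and ssl.cipher-suites
# blocks above: one element per line, '#' starts a comment to end of line.
SAMPLE_CONFIG = """\
ssl.protocols = [ TLSv1.3
TLSv1.2
# TLSv1.1
]
ssl.cipher-suites = [ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
]
"""

def parse_lists(config: str) -> dict:
    """Collect 'key = [ ... ]' blocks written one element per line."""
    lists = {}
    key = None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' comments run to EOL
        head = re.match(r"([\w.\-]+)\s*=\s*\[(.*)", line)
        if head:                                      # 'key = [' opens a block
            key, line = head.group(1), head.group(2)
            lists[key] = []
        if key is None or not line.strip():
            continue
        lists[key] += [t.strip(",") for t in line.rstrip("] ").split()]
        if line.rstrip().endswith("]"):               # ']' closes the block
            key = None
    return lists

def audit(config: str) -> dict:
    """Map each enabled protocol or suite with a finding to its reasons."""
    lists, findings = parse_lists(config), {}
    for proto in lists.get("ssl.protocols", []):
        if proto not in ("TLSv1.2", "TLSv1.3"):
            findings[proto] = ["deprecated protocol version"]
    for suite in lists.get("ssl.cipher-suites", []):
        issues = []
        # TLS 1.3 names have no '_WITH_': ephemeral keys and AEAD by construction.
        if "_WITH_" in suite and not re.match(r"TLS_(EC)?DHE_", suite):
            issues.append("no forward secrecy")       # static RSA/DH/ECDH exchange
        if "_CBC_" in suite:
            issues.append("CBC mode (not AEAD)")
        if suite.endswith("_SHA"):
            issues.append("SHA-1 MAC")
        if issues:
            findings[suite] = issues
    return findings
```

Run over the default block above, the same check flags the TLS_RSA_* and TLS_ECDH_* suites, which is exactly the trade-off the "required by eDirectory ldaps" comment documents.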