Documentation, Remove weaker ciphers from the HIGH cipher list in Liberty

[jacobwdv]

This issue is being created early to provide an early heads up that documentation changes will be needed for this feature.

Feature epic details

• Link to development epic: Remove weaker ciphers from the HIGH cipher list in Liberty open-liberty#24601
• Target GA release: NA

Operating systems

Does the documentation apply to all operating systems?

• Yes
• No; specify operating systems: ______

Summary

We will remove 'securityLevel' attribute from our ssl configuration.

in place of securityLevel we do two things

1. Use the JDK effective tls cipher suites
2. The enabledCiphers attribute will include a new syntax to add + or remove – specific ciphers from the JDK default list without redefining everything. This syntax update is mutually exclusive to the previous usage. Meaning users can either provide a static list of cipher suites OR provide a list of cipher suites with + / - prepended to them. They cannot have both.

Configuration

updated property enabledCiphers
remove property securityLevel

Previous configuration (no longer applicable):

<ssl id="defaultSSL" securityLevel="CUSTOM"  enabledCiphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>

Updated configuration:

Old syntax is stan example of new syntax with wildcard

<ssl id="enabledCiphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>

OR

<ssl id="enabledCiphers="-TLS_ECDHE_* +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>

Updates to existing topics

• https://openliberty.io/docs/modules/reference/23.0.0.6/com.ibm.websphere.appserver.api.ssl_1.5-javadoc/com/ibm/websphere/ssl/Constants.html
  • Not sure if this is the most recent link
  • Will need to add public static String[] adjustSupportedCiphers(String[] supportedCiphers, String enabledCiphers)
  • Adjust supported ciphers according to an enabled cipher string, which can be in one of two formats:
    • Custom mode: a list of ciphers with no +/- prefix replaces defaults
    • Filter mode: + to add a cipher, - cipher * to remove ciphers based on the cipher name or wildcard pattern
      • Eg. -TLS_RSA* +TLS_RSA_WITH_AES_128_CBC_SHA would remove all RSA ciphers and add back TLS_RSA_WITH_AES_128_CBC_SHA
• https://openliberty.io/docs/modules/reference/23.0.0.6/com.ibm.websphere.appserver.api.ssl_1.5-javadoc/com/ibm/websphere/ssl/Constants.html#adjustSupportedCiphersToSecurityLevel(java.lang.String%5B%5D,java.lang.String)
  • The securityLevel attribute is set but will be ignored.
  • The specified value for securityLevel will be ignored because this attribute is no longer used. The effective JDK cipher suites will be used and can be overridden by the enabledCiphers attribute.
• https://openliberty.io/docs/modules/reference/23.0.0.6/com.ibm.websphere.appserver.api.ssl_1.5-javadoc/com/ibm/websphere/ssl/package-summary.html
  • Update the version number of the package
• https://openliberty.io/docs/modules/reference/23.0.0.6/com.ibm.websphere.appserver.api.ssl_1.5-javadoc/com/ibm/websphere/ssl/JSSEProvider.html
  • The securityLevel attribute is set but will be ignored. The JDK effective list will be used instead for getCiphersForSecurityLevel
• https://www.ibm.com/docs/en/was-liberty/nd?topic=configuration-ssl
  • Not sure if this needs an update but if so, the section, securityLevel needs an update stating that it will be ignored.
• https://openliberty.io/docs/latest/reference/config/ssl.html
  Remove:

update:
enabledCiphers with description

Specifies a custom list of ciphers. Separate each cipher in the list with a space. The supported cipher will depend on the underlying JRE used. Please check the JRE for valid ciphers.

OR 

Specifies filter criteria to add (+) or remove (-) cipher suites from the JDK effective TLS cipher suites. 

To add a cipher, prefix its full suite name with +.
To remove a cipher, prefix its full suite name with -.

You may also use the * wildcard to remove multiple cipher suites with '-'. When used, * must appear only at the end of the list item, and all cipher suites matching the prefix before the * will be removed. The wildcard cannot be used when adding cipher suites.

Users may not specify the static custom list and filter criteria.

[jacobwdv]

@ramkumar-k-9286 -- we have approval now for this feature and are aiming for 26.0.0.5

We will need doc updates to reflect the removal of securityLevel and the updates to enabledCiphers.