14.8.2. Editing OpenSSL ciphers and options

It is possible to edit the OpenSSL ciphers and options that the DataHub program uses, for those features that are coded in C++. Currently this includes tunnelling connections via the Tunnel/Mirror feature, HTTP connections via the Web Server, and MQTT client and server.

There are three registry entries available, all of type REG_SZ (string):

HKEY_LOCAL_MACHINE\Software\Cogent\Cogent DataHub\OpenSslCiphers
HKEY_LOCAL_MACHINE\Software\Cogent\Cogent DataHub\OpenSslOptions
HKEY_LOCAL_MACHINE\Software\Cogent\Cogent DataHub\SslMethod

OpenSslCiphers is an OpenSSL cipher string that determines which ciphers are available to a connection. It applies to both client and server connections. It defaults to:

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA

OpenSslOptions lets you define additional options for client and server SSL connections. The options string is a collection of OpenSSL configuration file commands separated by vertical bar (|) characters. The set of available options depends on the version of OpenSSL; all the commands listed in the SUPPORTED CONFIGURATION FILE COMMANDS section of the OpenSSL SSL_CONF_cmd documentation are currently available.

For example, to limit the connection to only use TLS 1.2, and to force the connection to use the server's cipher preference, the options could be:

Protocol=TLSv1.2,-TLSv1.1,-TLSv1,-SSLv2,-SSLv3|Options=ServerPreference 

SslMethod lets you define a specific SSL method more conveniently than using OpenSslOptions. The MQTT broker and client ignore OpenSslOptions and use only SslMethod if it is defined. SslMethod is a REG_SZ (string) that can have one of the following values:

If SslMethod is defined but is not one of the above, then the connection will fail.