Commit

Update protocol documentation (#1153)
srknzl committed Jul 8, 2024
1 parent 69b8c68 commit 4018a5a
Showing 1 changed file with 8 additions and 13 deletions.
21 changes: 8 additions & 13 deletions docs/modules/security/pages/integrating-openssl.adoc
Expand Up @@ -197,20 +197,15 @@ Available values are:
** `OPTIONAL` - server asks for a client certificate, but it doesn't
require it
* `ciphersuites`: Comma-separated list of cipher suite names allowed to be used.
* `protocol`: Name of the algorithm which is used in your TLS/SSL. Its default
value is `TLSv1.2`. Available values are:
** `TLS`
** `TLSv1`
** `TLSv1.1`
* `protocol`: Name of the algorithm which is used in your TLS. Its default
value is empty, meaning the protocol version to use is not specified. Available
values depend on the engine implementation but usually support:
** `TLS` (equivalent to the empty value)
** `TLSv1.2`
** `SSL` _(insecure!)_
** `SSLv2` _(insecure!)_
** `SSLv3` _(insecure!)_
** `TLSv1.3`
+
For the
`protocol` property, we recommend you to provide SSL or TLS with its version
information, e.g., `TLSv1.2`. Note that if you
provide only `SSL` or `TLS` as a value for the `protocol` property, they are
converted to `SSLv3` and `TLSv1.2`, respectively. We strongly recommend to avoid
SSL protocols.
`protocol` property, we recommend you to provide TLS with its version
information, e.g., `TLSv1.3`. It ensures the engine won't allow a fallback to an old, insecure version.

* `validateIdentity`: Flag which allows enabling endpoint identity validation. It means, during the TLS handshake client verifies if the server's hostname (or IP address) matches the information in X.509 certificate (Subject Alternative Name extension). Possible values are `"true"` and `"false"` (default).
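
Review bot: The new `protocol` text says the empty default and `TLS` leave the version unspecified, but it never says which versions the engine may then negotiate, and the same change drops the `_(insecure!)_` markers and the "We strongly recommend to avoid SSL protocols" sentence. Because the added wording says the available values "depend on the engine implementation", a reader cannot tell from this section whether the `SSL*` names are still accepted or whether the default is safe; consider stating what the empty value resolves to and keeping a one-line caution against the SSL values. Two smaller points: "Name of the algorithm" would read more accurately as the protocol version, and the closing sentence should say whether `TLSv1.3` is an exact version or a minimum, since "won't allow a fallback" depends on that.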
