diff --git a/modules/ROOT/pages/security/ssl-fips-compatibility.adoc b/modules/ROOT/pages/security/ssl-fips-compatibility.adoc
index e095454cf..930ea6260 100644
--- a/modules/ROOT/pages/security/ssl-fips-compatibility.adoc
+++ b/modules/ROOT/pages/security/ssl-fips-compatibility.adoc
@@ -189,6 +189,25 @@ SSL configuration is described in detail in xref:security/ssl-framework.adoc#ssl
 This section describes configuration that must be done *in addition to* standard non-FIPS compliant SSL configuration.
+[NOTE]
+====
+* The following group of FIPS-compatible cipher suites are for use with TLSv1.2:
++
+** `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
+** `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
+** `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`
+** `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`
++
+They require additional configuration in the application or OpenSSL settings.
+
+* The following cipher suites are supported by default in OpenSSL when using TLSv1.3:
++
+** `TLS_AES_256_GCM_SHA384`
+** `TLS_AES_128_GCM_SHA256`
++
+These suites do not require any additional configuration when OpenSSL is built with FIPS support.
+====
+
 [[bolt-ssl-fips]]
 === Bolt
@@ -202,7 +221,7 @@ This section describes configuration that must be done *in addition to* standard
 dbms.ssl.policy.bolt.trust_all=false
 dbms.ssl.policy.bolt.tls_level=REQUIRED
 dbms.ssl.policy.bolt.tls_versions=TLSv1.2,TLSv1.3
-dbms.ssl.policy.bolt.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256
+dbms.ssl.policy.bolt.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256
 ----
 . Follow the instructions in xref:security/ssl-framework.adoc#ssl-config-private-key[SSL Framework -> Using encrypted private key] to configure `dbms.ssl.policy.bolt.private_key_password` to dynamically read the password from an encrypted password file. The password must *not* be set in plain text.
@@ -222,7 +241,7 @@ This section is only applicable if HTTPS is enabled.
 dbms.ssl.policy.https.trust_all=false
 dbms.ssl.policy.https.tls_level=REQUIRED
 dbms.ssl.policy.https.tls_versions=TLSv1.2,TLSv1.3
-dbms.ssl.policy.https.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256
+dbms.ssl.policy.https.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256
 ----
 . Follow the instructions in xref:security/ssl-framework.adoc#ssl-config-private-key[SSL Framework -> Using encrypted private key] to configure `dbms.ssl.policy.https.private_key_password` to dynamically read the password from an encrypted password file. The password must NOT be set in plain text.
@@ -240,7 +259,7 @@ dbms.ssl.policy.cluster.enabled=true
 dbms.ssl.policy.cluster.tls_level=REQUIRED
 dbms.ssl.policy.cluster.client_auth=REQUIRED
 dbms.ssl.policy.cluster.tls_versions=TLSv1.2,TLSv1.3
-dbms.ssl.policy.cluster.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256
+dbms.ssl.policy.cluster.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256
 ----
 . Follow the instructions in xref:security/ssl-framework.adoc#ssl-config-private-key[SSL Framework -> Using encrypted private key] to configure `dbms.ssl.policy.cluster.private_key_password` to dynamically read the password from an encrypted password file. The password must *not* be set in plain text.
@@ -260,7 +279,7 @@ dbms.ssl.policy.backup.enabled=true
 dbms.ssl.policy.backup.client_auth=REQUIRED
 dbms.ssl.policy.backup.trust_all=false
 dbms.ssl.policy.backup.tls_versions=TLSv1.2,TLSv1.3
-dbms.ssl.policy.backup.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256
+dbms.ssl.policy.backup.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256
 ----
 . Follow the instructions in xref:security/ssl-framework.adoc#ssl-config-private-key[SSL Framework -> Using encrypted private key] to configure `dbms.ssl.policy.backup.private_key_password` to dynamically read the password from an encrypted password file. The password must *not* be set in plain text.