This section contains special case settings for the server's JSON configuration file (config.server.json) that can be used if needed on a per setting basis.

TLS Policies

By default, the Sandfly server restricts TLS connections to TLS 1.3 cipher suites and a small handful of TLS 1.2 ciphers that SSLLabs does not flag as potentially weak:

  • tls.TLS_AES_128_GCM_SHA256, // TLS 1.3
  • tls.TLS_AES_256_GCM_SHA384, // TLS 1.3
  • tls.TLS_CHACHA20_POLY1305_SHA256, // TLS 1.3
  • tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, // TLS 1.2
  • tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // TLS 1.2
  • tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, // TLS 1.2

For compatibility with Internet Explorer on Windows 7 and 8, Sandfly also leaves the following TLS 1.2 cipher enabled:
However, some users may need to access the Sandfly API from older systems (or desktop browsers with particularly outdated TLS support) that do not support TLS 1.3 and do not include elliptic curve ciphers in their TLS 1.2 support.

In those cases, beginning with Sandfly version 4.1, the disable_strict_tls_policy server configuration option allows the Sandfly server to use Go's default TLS cipher suite list instead of Sandfly's restricted set.

Example of disabling the strict TLS policy in the config.server.json file:

                "options": {
                        "log_level": "info",
                        "disable_strict_tls_policy": true
                }

To complete this change, the sandfly-server container must be stopped and then started again with the start script after the JSON file has been updated and saved. A plain container restart will not reload the changed configuration file.

# docker stop sandfly-server
# ./sandfly-setup/start_scripts/
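As an added illustration (not Sandfly's own code), here is how such a policy maps onto Go's crypto/tls, which is where the tls.TLS_* names listed above come from: the strict policy pins the TLS 1.2 suites from the list, and disable_strict_tls_policy falls back to Go's default suite list. The Go struct and function names are assumptions made for this example; the JSON keys are the ones shown on this page.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
)

// Options mirrors "options" in config.server.json (Go field names assumed).
type Options struct {
	LogLevel               string `json:"log_level"`
	DisableStrictTLSPolicy bool   `json:"disable_strict_tls_policy"`
}

type ServerConfig struct {
	Options Options `json:"options"`
}

// Restricted TLS 1.2 list from the page. crypto/tls never lets callers choose
// TLS 1.3 suites (all three are always offered), so only TLS 1.2 entries go here.
var strictTLS12Suites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// TLSConfigFor builds the listener config: the strict policy pins the restricted
// suites; disable_strict_tls_policy leaves CipherSuites nil, so Go defaults apply.
func TLSConfigFor(opts Options) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if !opts.DisableStrictTLSPolicy {
		cfg.CipherSuites = append([]uint16(nil), strictTLS12Suites...)
	}
	return cfg
}

// ParseServerConfig decodes a config.server.json document.
func ParseServerConfig(raw []byte) (ServerConfig, error) {
	var c ServerConfig
	err := json.Unmarshal(raw, &c)
	return c, err
}

// SuiteNames lists the configured TLS 1.2 suites by name for an operator to check.
func SuiteNames(cfg *tls.Config) []string {
	names := make([]string, 0, len(cfg.CipherSuites))
	for _, id := range cfg.CipherSuites {
		names = append(names, tls.CipherSuiteName(id))
	}
	return names
}
```

After the container is started again, SuiteNames on the active config is a quick way to confirm which TLS 1.2 suites the listener will actually offer.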