This section contains special-case settings for the server's JSON configuration file (config.server.json) that can be applied individually, as needed.


TLS Policies

By default, the Sandfly server restricts TLS connections to TLS 1.3 cipher suites and a small handful of TLS 1.2 ciphers that SSLLabs does not flag as potentially weak:

  • tls.TLS_AES_128_GCM_SHA256, // TLS 1.3
  • tls.TLS_AES_256_GCM_SHA384, // TLS 1.3
  • tls.TLS_CHACHA20_POLY1305_SHA256, // TLS 1.3
  • tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, // TLS 1.2
  • tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // TLS 1.2
  • tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, // TLS 1.2


For compatibility with Internet Explorer on Windows 7 and 8, Sandfly also leaves the following TLS 1.2 cipher enabled:

  • tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA


However, some users may need to access the Sandfly API (or have particularly outdated desktop browser TLS support) from older systems that do not support TLS 1.3 and do not include elliptic curve ciphers in their TLS 1.2 support.


In those cases, beginning with Sandfly version 4.1, there is a disable_strict_tls_policy server configuration option that allows the Sandfly server to use the default Go TLS cipher suite list instead of Sandfly's restricted set.


Example of disabling the strict TLS policy in the config.server.json file:

    "options": {
        "log_level": "info",
        "disable_strict_tls_policy": true
    }


To complete this change, the sandfly-server container must be stopped and started again after the JSON file has been updated and saved. A plain container restart will not reload the changed configuration file.


# docker stop sandfly-server
sandfly-server
# ./sandfly-setup/start_scripts/start_server.sh
sandfly-server
cc834e81f32f76afc8ff364d50e643eaf2a825b76a14bab72bac26ecfacbc278
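The following Go program is an added illustration (not Sandfly's own code) of what the disable_strict_tls_policy option changes: it reads the "options" fragment shown above and builds a crypto/tls config that either restricts the server to the TLS 1.2 suites listed in this section or leaves CipherSuites unset so Go's default list applies. The serverConfig struct and buildTLSConfig function are assumed names for the example only.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"fmt"
)

// serverConfig mirrors only the "options" block of config.server.json that
// this example needs (hypothetical struct, not Sandfly's own type).
type serverConfig struct {
	Options struct {
		LogLevel               string `json:"log_level"`
		DisableStrictTLSPolicy bool   `json:"disable_strict_tls_policy"`
	} `json:"options"`
}

// strictSuites is the restricted TLS 1.2 list from the text above. Go's
// crypto/tls always enables the three TLS 1.3 suites and ignores them in
// CipherSuites, so only the TLS 1.2 entries need to be listed here.
var strictSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // kept for IE on Windows 7/8
}

// buildTLSConfig returns a tls.Config for the given JSON options. With the
// strict policy on, only the suites above are offered; with it disabled,
// CipherSuites stays nil so Go's default cipher suite list is used.
func buildTLSConfig(raw []byte) (*tls.Config, error) {
	var cfg serverConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	tc := &tls.Config{MinVersion: tls.VersionTLS12}
	if !cfg.Options.DisableStrictTLSPolicy {
		tc.CipherSuites = append([]uint16(nil), strictSuites...)
	}
	return tc, nil
}

func main() {
	// Constructed sample of the options fragment shown above.
	tc, err := buildTLSConfig([]byte(`{"options":{"log_level":"info","disable_strict_tls_policy":true}}`))
	if err != nil {
		panic(err)
	}
	fmt.Println("Go default suites in use:", tc.CipherSuites == nil)
}
```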



