KB Article #180883
Transfer Site Advanced SSL settings management
Problem
This article outlines how the Advanced SSL Settings in a Transfer Site work.
As of ST version 5.4 Patch 5, administrators are able to configure the TLS/SSL settings for AS2, FTP, HTTPS, SFTP and PESIT Sites on per Transfer Site basis. The new settings are enabled by clicking on the Show Advanced SSL settings checkbox in the Site and open up the additional fields - Cipher Suites, Enabled SSL protocols or Key exchange algorithms for SSH.
The design of this feature introduced a change in the behavior of ST up to this point. Previously, all Transfer Sites used the globally-defined configuration for these settings and a change in the global configuration affected all Transfer Sites.
The new feature works differently, as described below:
1. When a Transfer Site is created, it will automatically inherit the current values of the global TLS/SSL settings for the respective protocol defined in the Server Configuration page. For example for a PeSIT Transfer Site protocol that would be Pesit.SIT.Ciphers
and Pesit.SIT.enabledProtocols
.
2. As soon as the new Transfer Site is created, its TLS/SSL settings become independent from the global settings and are only managed locally, in the Transfer Site. This means:
If you want to update any of the SSL settings, you have to do it for each Transfer Site.
Updating the global SSL settings in Server Configuration will not update the settings in the existing Transfer Sites. This is in order to avoid overwriting what the administrators have already configured for the Transfer Sites.
After updating the global settings, the updated global values in Server Configuration will only apply for the Transfer Sites which will be created after this point.
The advantage of the new design of the feature is that it gives you more flexible control over the TLS/SSL setting in each Site. The disconnected global and Site values also prevent accidentally overwriting a Site's configuration by updating the global configuration.
However, one major disadvantage of this is that if the ST admins need to update the settings for many Transfer Sites, they will need to update them for each Site separately.
Fortunately, there is a workaround for a bulk update of many Transfer Sites.
Export all accounts in an XML file.
Edit the XML file and replace the following attributes with your updated values:
cipherSuites
protocols
allowedMacs
keyExchangeAlgorithms
publickeys
Import back the XML, overwriting the accounts and Sites with the updated ones.
In addition, the following SQL query can be used to find out which Transfer Sites use local SSL/TLS settings:
SELECT Account.name AS AccountName, Site.name AS TransferSite, Site.protocol AS Protocol, CustomProperties.name AS Parameter, CustomProperties.value AS Value FROM Site LEFT JOIN Account ON Site.accountId=Account.id INNER JOIN CustomProperties ON Site.customAttributesId=CustomProperties.customAttributesId WHERE CustomProperties.name='allowedMacs' OR CustomProperties.name='keyExchangeAlgorithms' OR CustomProperties.name='cipherSuites' OR CustomProperties.name='publicKeys' OR CustomProperties.name='protocols';