How to configure

Navigate to the Bastion installation folder (by default c:\agat\Bastion).

There, open the file Bastion.xml, preferably with Notepad++ or other text editing software.

...

Once the ciphers and TLS version are properly configured, save the file and restart the Bastion reverse proxy service for the change to take effect.


Cipher Syntax explanation

Putting an exclamation mark ( ! ) before a certain cipher will disable use of that particular cipher.

...

The following is an example of a more complex and hardened cipher setting:


<allowedCiphers>EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:!RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!IDEA:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!AES128-SHA:!AES256-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!ECDHE-RSA-AES128-SHA:!SEED-SHA:!IDEA-CBC-SHA</allowedCiphers>



The plus ( + ) sign between cipher names or aliases selects only those cipher suites that use all of the listed algorithms together.

...

For example, !ECDHE-RSA-AES128-SHA disables the use of one specific cipher suite, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.

List of Cipher Suite Names (IANA) and OpenSSL names can be seen here: https://testssl.sh/openssl-iana.mapping.html


Changes to the cipher configuration should also be made consistent with the minimum allowed version tag <minAllowedVersion>, which defines the lowest TLS version that is accepted.

So if the minimum allowed version is tlsv1.2, no cipher suite that belongs to a lower TLS version should be left in the allowed cipher list.
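The following Python script is an added check, not part of the Bastion documentation or product: it expands a cipher string through the system OpenSSL, confirms that the suites you meant to exclude with ! are really gone, and lists any enabled suite whose minimum protocol is older than the configured <minAllowedVersion>. It assumes Bastion uses OpenSSL cipher-string syntax, as the examples above suggest, and the cipher string below is the hardened example from this page with every ! rule colon-separated.

```python
import ssl

# Constructed example: the page's hardened <allowedCiphers> value with each
# rule colon-separated, plus the <minAllowedVersion> it must agree with.
# Assumption: Bastion hands this string to an OpenSSL-style cipher parser.
ALLOWED_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:"
    "!RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!IDEA:"
    "!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-GCM-SHA256:"
    "!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA:"
    "!DHE-RSA-AES128-SHA:!AES128-SHA:!AES256-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:"
    "!ECDHE-RSA-AES128-SHA:!SEED-SHA:!IDEA-CBC-SHA"
)
MIN_ALLOWED_VERSION = "tlsv1.2"

# Ordering of the minimum-protocol labels OpenSSL reports per cipher suite
# ("TLSv1" and "TLSv1.0" are the same level in different OpenSSL outputs).
PROTO_RANK = {"sslv3": 0, "tlsv1": 1, "tlsv1.0": 1, "tlsv1.1": 2,
              "tlsv1.2": 3, "tlsv1.3": 4}


def expand_cipher_string(spec):
    """Return the suites OpenSSL enables for an OpenSSL-style cipher string.

    Unknown names (e.g. suites not compiled into this OpenSSL) are ignored by
    the parser; ssl.SSLError is raised only when no TLS 1.2 suite survives.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def cipher_string_is_valid(spec):
    """True when the string parses and leaves at least one usable suite."""
    try:
        expand_cipher_string(spec)
        return True
    except ssl.SSLError:
        return False


def check_cipher_policy(spec, min_allowed_version, must_be_absent=()):
    """Expand spec and return (enabled_names, below_minimum, still_present).

    below_minimum holds enabled suites that predate min_allowed_version; such
    legacy suites can still be negotiated by a TLS 1.2 client, so the version
    floor alone does not remove them and the cipher list has to do it.
    """
    min_rank = PROTO_RANK[min_allowed_version.lower()]
    enabled = expand_cipher_string(spec)
    names = [c["name"] for c in enabled]
    below = [c["name"] for c in enabled
             if PROTO_RANK.get(c["protocol"].lower(), 0) < min_rank]
    still_present = [n for n in must_be_absent if n in names]
    return names, below, still_present
```

Run it before restarting the service: a non-empty third result means a ! rule did not take effect, and a non-empty second result lists suites to add a ! rule for.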


Testing

A recommended test is to use https://www.ssllabs.com/ssltest/ against the LyncDiscover URL, if it is reachable externally.

...