IDM

Secure protocol configuration

In IDM 7.4.2 and later, the embedded Jetty web server is Jetty 12. Jetty 12 requires Java 17, so IDM 7.4.x releases from that point on are only compatible with Java 17.

When serving TLS requests, Jetty 12 checks that the incoming Host header matches the server certificate’s subject and returns a 400 Bad Request error on a mismatch. Before upgrading to IDM 7.4.2 or later, make sure the subject (or a Subject Alternative Name) of your IDM server certificate matches the host name your deployment actually uses, including any name that a load balancer or reverse proxy forwards in the Host header.

Learn more in What’s new.
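The following is an added example, not IDM or Jetty code, for finding a certificate/host-name mismatch before the upgrade rather than as 400 responses after it. It applies the RFC 6125 name-matching rules (exact match, or a single wildcard as the whole leftmost label) to the names on the certificate; Jetty's own comparison is its own implementation, so treat this as an approximation of the check. The certificate names, deployment host names, and the probe_host_header helper are constructed for the example.

```python
"""Check that the names in an IDM server certificate cover the host names clients use.

Added example, not part of IDM or Jetty. The certificate names and deployment host names
below are constructed for the example; probe_host_header is a hypothetical helper that is
not executed when the module is imported."""
import http.client
import ssl


def name_matches(pattern, host):
    """RFC 6125 style: case-insensitive, wildcard only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # "*.example.com" covers "idm.example.com" but not "example.com" or "a.b.example.com"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_hosts(cert_names, deployment_hosts):
    """Return the deployment host names that no certificate name (CN or SAN) covers."""
    return [h for h in deployment_hosts if not any(name_matches(n, h) for n in cert_names)]


def probe_host_header(addr, port, host_header, ca_file=None):
    """Send GET / over TLS with an explicit Host header and return the HTTP status code.

    Hypothetical helper, not run here: after the upgrade, a Host header that does not
    match the certificate should yield 400, a matching one should not."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # we are exercising the server's check, not the client's
    conn = http.client.HTTPSConnection(addr, port, context=ctx, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        return conn.getresponse().status
    finally:
        conn.close()


# Constructed inputs: the names on the certificate and the names clients actually use.
CERT_NAMES = ["idm.example.com", "*.internal.example.com"]
DEPLOYMENT_HOSTS = [
    "idm.example.com",
    "openidm.internal.example.com",
    "login.example.com",
    "deep.sub.internal.example.com",
]

if __name__ == "__main__":
    for h in uncovered_hosts(CERT_NAMES, DEPLOYMENT_HOSTS):
        print(f"certificate does not cover {h}: requests with that Host header will get 400")
```

Feed `uncovered_hosts` the DNS names from `openssl x509 -noout -subject -ext subjectAltName` on the deployed certificate and every host name that reaches IDM (direct, via load balancer, via proxy); anything it returns needs a certificate fix before the upgrade.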

The Jetty configuration for inbound connections to IDM supports a number of protocols and cipher suites.

Enabled protocols are explicitly listed in the includedProtocols list in the conf/jetty.xml file. Only TLSv1.2 and TLSv1.3 are enabled by default:

...
<Array id="includedProtocols" type="java.lang.String">
    <!-- Only support TLS v1.2 and v1.3 -->
    <Item>TLSv1.2</Item>
    <Item>TLSv1.3</Item>
</Array>
...

To disable a particular protocol, remove it from the includedProtocols list. To add support for a weaker protocol, add it to the list using the protocol name as the JVM (JSSE) spells it, for example SSLv3, TLSv1 or TLSv1.1; an unrecognised name is silently ignored. For example:

...
<Array id="includedProtocols" type="java.lang.String">
    <Item>TLSv1.2</Item>
    <Item>TLSv1.3</Item>
    <Item>SSLv3</Item>
</Array>
...

It is highly recommended that you do not enable weaker protocols such as SSL or TLS versions prior to 1.2. These protocols use outdated algorithms and are generally considered insecure. Note also that current JDKs already disable SSLv3, TLSv1 and TLSv1.1 through the jdk.tls.disabledAlgorithms property in the JDK's java.security file, so listing them here has no effect unless that restriction is also lifted, which is likewise not recommended.

Enabled cipher suites for each protocol are listed in the includedCipherSuites list in conf/jetty.xml:

...
<Array id="includedCipherSuites" type="java.lang.String">
   <!-- TLS 1.3 cipher suites -->
   <Item>TLS_AES_128_GCM_SHA256</Item>
   <Item>TLS_AES_256_GCM_SHA384</Item>
   <Item>TLS_CHACHA20_POLY1305_SHA256</Item>

   <!-- TLS 1.2 cipher suites -->
   <Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
   <Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
   <Item>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</Item>
   <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
   <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
   <Item>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
   <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
   <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
</Array>
...

To add support for additional cipher suites, add them as <Item> elements in this list. Prefer suites that, like all of the defaults above, combine an ephemeral key exchange (ECDHE or DHE) with an AEAD cipher (AES-GCM or ChaCha20-Poly1305); a listed suite is only offered if the JVM supports it and has not disabled it.
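The following is an added example, not IDM or Jetty code, that audits the two lists above the way a reviewer would before a change to conf/jetty.xml ships: it parses the includedProtocols and includedCipherSuites arrays and flags protocols below TLS 1.2, names that are not JSSE protocol names (and so would be ignored), and cipher suites without forward secrecy or without an AEAD cipher. The jetty.xml fragment is constructed for the example and deliberately contains the kind of weak entries the text warns against.

```python
"""Audit the TLS protocol and cipher-suite lists in an IDM conf/jetty.xml.

Added example, not part of IDM or Jetty. SAMPLE_JETTY_XML is a constructed stand-in for
a jetty.xml that someone loosened to accommodate a legacy client."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <Configure> root mirrors the shape of jetty.xml, the entries are ours.
SAMPLE_JETTY_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Array id="includedProtocols" type="java.lang.String">
    <Item>TLSv1.2</Item>
    <Item>TLSv1.3</Item>
    <Item>SSLv3.0</Item>
  </Array>
  <Array id="includedCipherSuites" type="java.lang.String">
    <Item>TLS_AES_128_GCM_SHA256</Item>
    <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
    <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
  </Array>
</Configure>
"""

# Protocol names as JSSE spells them; anything else is misspelt and will be ignored.
JSSE_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# TLS 1.3 suites carry no key-exchange in the name: TLS_<AEAD>_<hash>.
TLS13_SUITE = re.compile(
    r"^TLS_(AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$")
# TLS 1.2 suites we accept: ephemeral key exchange plus an AEAD cipher.
TLS12_STRONG_SUITE = re.compile(
    r"^TLS_(ECDHE|DHE)_(RSA|ECDSA)_WITH_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA\d+$")


def read_array(root, array_id):
    """Return the <Item> strings of the <Array id=...> element, in document order."""
    node = root.find(f".//Array[@id='{array_id}']")
    if node is None:
        return []
    return [(item.text or "").strip() for item in node.findall("Item")]


def audit_protocols(protocols):
    findings = []
    for p in protocols:
        if p not in JSSE_PROTOCOLS:
            findings.append(f"protocol {p!r} is not a JSSE protocol name and will be ignored")
        elif p not in ACCEPTABLE_PROTOCOLS:
            findings.append(f"protocol {p!r} is weaker than TLS 1.2 and should be removed")
    if not ACCEPTABLE_PROTOCOLS & set(protocols):
        findings.append("neither TLSv1.2 nor TLSv1.3 is enabled")
    return findings


def audit_cipher_suites(suites):
    findings = []
    for s in suites:
        if TLS13_SUITE.match(s) or TLS12_STRONG_SUITE.match(s):
            continue
        reasons = []
        if "_WITH_" in s and not s.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            reasons.append("no forward secrecy (static key exchange)")
        if "_CBC_" in s or s.endswith("_SHA"):
            reasons.append("CBC/HMAC construction instead of an AEAD")
        findings.append(f"cipher suite {s!r}: " + "; ".join(reasons or ["not in the recommended set"]))
    return findings


def audit_jetty_xml(xml_text):
    """Parse a jetty.xml document and return all protocol and cipher-suite findings."""
    root = ET.fromstring(xml_text)
    return (audit_protocols(read_array(root, "includedProtocols"))
            + audit_cipher_suites(read_array(root, "includedCipherSuites")))


if __name__ == "__main__":
    for finding in audit_jetty_xml(SAMPLE_JETTY_XML):
        print("WARN:", finding)
```

Run it against the real file with `audit_jetty_xml(open("conf/jetty.xml").read())`; an empty result means the lists contain only TLS 1.2/1.3 and forward-secret AEAD suites. The audit is static: whether a listed suite is actually offered still depends on the JVM's own support and its jdk.tls.disabledAlgorithms setting.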