This topic provides SSL-related information pertaining to the HTTPS communications with the Mail Express Server conducted via the DMZ Gateway. The DMZ Gateway Protocol Handler uses Java-based SSL and as such is configured separately from the default HTTPS listener on port 443. The DMZ Protocol Handler is configured within a Connector element in the <Installation Directory>\conf\server.xml file. The appropriate Connector element can be located in the file by searching for the text protocol="com.globalscape.protocolhandler.DMZProtocolHandler". The supported SSL algorithms have been configured for strong security by default.
To maintain a wider range of compatibility with end-user browsers, the Server will allow a client to initially connect using all supported SSL Protocols. However, the list of allowed SSL Algorithms is limited to a set of stronger TLS 1.0 algorithms.
The supported SSL protocols have been set using the following configuration item:
sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
The allowable value for this item is a comma-separated list containing one or more of the following identifiers:
SSLv2Hello
SSLv3
TLSv1
The supported SSL algorithms have been limited to the same set of cipher suites provided by the default HTTPS listener, with one exception: the IDEA-based cipher suite (IDEA-CBC-SHA) is not available for use with the DMZ Protocol Handler.
The SSL Algorithms have been constrained to strong types with the configuration item:
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
(Note: Spaces were added above in the cipher list to allow text wrapping. Do not use spaces in your cipher list.)
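The following script is an added example, not part of this topic or of the Mail Express product, that reads a server.xml, locates the DMZ Protocol Handler Connector by its protocol attribute and reports the configuration points discussed above: legacy protocol identifiers in sslEnabledProtocols, RC4/3DES/MD5 suites in the ciphers list, and stray spaces in that list. The embedded server.xml fragment is constructed for the example (the port 8443 value is an assumption, not the product default).

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of server.xml; the attribute values
# mirror the defaults quoted in this topic, the port is an assumed value.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server>
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" />
    <Connector port="8443" SSLEnabled="true"
        protocol="com.globalscape.protocolhandler.DMZProtocolHandler"
        sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
        ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
  </Service>
</Server>
"""

DMZ_PROTOCOL = "com.globalscape.protocolhandler.DMZProtocolHandler"
# Protocol identifiers the topic lists as allowable; a hardened deployment should not re-enable them.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3"}
# Markers of cipher suites in the default list that rely on RC4, 3DES or an MD5 MAC.
LEGACY_CIPHER_MARKERS = ("RC4", "3DES", "_MD5")


def split_list(value):
    """Split a comma-separated attribute, tolerating stray whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def find_dmz_connector(xml_text):
    """Locate the Connector whose protocol attribute names the DMZ Protocol Handler."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("protocol") == DMZ_PROTOCOL:
            return conn
    return None


def audit_dmz_connector(xml_text):
    """Report legacy protocols, legacy cipher suites and the spaces-in-list mistake."""
    conn = find_dmz_connector(xml_text)
    if conn is None:
        return {"found": False}
    raw_ciphers = conn.get("ciphers", "")
    protocols = split_list(conn.get("sslEnabledProtocols", ""))
    return {
        "found": True,
        "legacy_protocols": sorted(set(protocols) & LEGACY_PROTOCOLS),
        "legacy_ciphers": [c for c in split_list(raw_ciphers)
                           if any(m in c for m in LEGACY_CIPHER_MARKERS)],
        "spaces_in_ciphers": " " in raw_ciphers,
    }
```

Run it against the real file with `audit_dmz_connector(open(path).read())`; an empty `legacy_protocols` list and an empty `legacy_ciphers` list indicate the connector has been tightened beyond the defaults shown in this topic.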
For a list of standard algorithm names refer to the Java Cryptography Architecture Standard Algorithm Name Documentation (included in the Security area of the Java API Documentation). Note, however, that not all identifiers included in the standard name list will be supported by the JCE.
The DMZ Protocol Handler is configured to use the same Public Certificate and Private Key used by the default HTTPS listener.