TLS / SSL Encryption

By default, clients use plaintext over TCP to exchange data with PubSub+ software event brokers and appliances and the data that is exchanged is not compressed or encrypted.

However, event brokers can be configured to allow clients to use Transport Layer Security (TLS)/ Secure Sockets Layer (SSL) encrypted connections when using various messaging protocols, such as SMF, MQTT, AMQP, REST, or the Solace Element Management Protocol (SEMP). To enable this encryption, administrators must set a server certificate and configure specific TCP ports for TLS. PubSub+ Cloudevent broker services use TLS/SSL by default

Using TLS/SSL-encrypted connections to an event broker offers:

  • Confidentiality—Messages cannot be intercepted in transit.
  • Message integrity—Messages cannot be modified or tampered with in transit.
  • Server authentication—The connected application is able to verify the server identity.
  • Client authentication—optional client certificates can be used as a form of client authentication. For more information, see Client Authentication.

The following types of applications can establish TLS/SSL-encrypted connections to an event broker:

  • Client applications that publish and/or receive messages on the event broker message bus.
    Client applications can establish secure TLS/SSL connections to properly configured event brokers using PubSub+ Messaging APIs. This requires:
    1. A trusted server certificate on the event broker.
    2. The appropriate connection URL scheme and port.
    Connection URLs vary by protocol:
    • SMF: tcps://my.broker:55443 (secure) vs tcp://my.broker:55555 (plain)
    • WebSocket: wss://my.broker:443 (secure) vs ws://my.broker:80 (plain)
  • Network management applications that manage and monitor the event broker through SEMP requests and replies.
    • If the network management application uses SEMP Request Over Message Bus service, which uses a PubSub+ Messaging API to establish a client connection, SEMP requests and replies can be sent over the event broker message bus. A secure connection can be established in the same manner as that used by a client application.
    • If the network management application uses SEMP Request over HTTP service, a TCP connection to a port on the event broker allows the application to send SEMP requests wrapped in HTTP to a management interface on the event broker and receive replies to them. For SEMP Request over HTTP service, a secure connection can be created when a server certificate is set on the event broker, a TLS/SSL-secure port is specified (443 by default), and an HTTPS URL scheme is used.

SSL encryption can also be used on Message VPN bridges and bridges established by the Message VPN replication and replication Config-Sync facilities. Using encryption on bridge links helps to ensure that communications between event brokers over bridges are secure.

Because encrypting and decrypting data, and establishing a new secure connection, require processing power, enabling TLS/SSL encryption may cause a reduction in performance and connection rates.

Cipher Suites

The following cryptographic algorithms are used throughout the life of a TLS/SSL‑encrypted connection:

  1. Key establishment—This algorithm is used to exchange or agree on the symmetric keys to be used for encrypting and decrypting the data payload during the session. Examples: RSA, Diffie-Hellman (DH and DHE), and Elliptic Curve Diffie-Hellman (ECDH and ECDHE).
  2. Authentication—This algorithm is the digital signature used to authenticate the server (or client application) by proving possession of the private key matching the certificate presented during connection establishment. Common examples include: Examples: RSA (Rivest-Shamir-Adleman), DSA (Digital Signature Algorithm), and ECDSA (Elliptic Curve Digital Signature Algorithm).
  3. Encryption—This algorithm encrypts and decrypts payload passed on the secure connection. Examples: ChaCha20 and Advanced Encryption Standard (AES).
  4. Digest—This algorithm is used to maintain message integrity. Tampering with the message would render the digest invalid. Example: SHA2.

The combination of these four cryptographic algorithms is known as a cipher suite.

For the full list of cipher suites event brokers support, refer to Supported Cipher Suites.

Cipher Suites for Inbound Connections

Event brokers maintain a separate cipher suite list for each of the following inbound TLS connection types when using TLS 1.2 and earlier:

  • Network management applications using SEMP to manage the event broker (management connections)
  • Client applications connecting to the event broker to publish or receive messages (message backbone connections)

Cipher suites for all inbound management and message backbone connections are selected according to the priority clients associate with each cipher suite.

Cipher Suites for Outbound Connections

Event brokers maintain a separate prioritized cipher suite list for each of the following outbound TLS connection types when using TLS 1.2 and earlier:

  • Message VPN and bridge connections
  • Replication bridge connections
  • Config-sync bridge connections
  • Multi-node routing links

In addition, the event broker uses the same cipher suite list for outbound LDAP connections that it uses for inbound management connections.

Cipher suites for all outbound connections (including LDAP connections) are selected according to the priority configured in each corresponding cipher suite list.

Ciphers for SSH Connections

Event brokers maintain a list of ciphers for all SSH, SCP, and SFTP connections. For purposes of encrypted connections, the cipher list has a similar function to a cipher suite list; however, key establishment, authentication, and digest algorithms are not used. For the full list of ciphers event brokers support, refer to Supported Ciphers.

Ciphers for all SSH connections are selected according to the priority clients associate with each cipher.

Supported Cipher Suites

The following table shows the full list of cipher suites event brokers support for inbound and outbound connections when you use TLS 1.2. For information about cipher suites when you use TLS 1.3, see Supported Cipher Suites when using TLS 1.3. The list is sorted from strongest to weakest.

OpenSSL name IANA name Default Security Policy FIPS Compliant Security Policy

ECDHE-ECDSA-AES256-GCM-SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Supported

Supported

 

ECDHE-ECDSA-AES128-GCM-SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Supported

Supported

 

ECDHE-RSA-AES256-GCM-SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Supported

Supported

ECDHE-RSA-AES256-SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported

Supported

ECDHE-RSA-AES256-SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Supported

Supported

AES256-GCM-SHA384

TLS_AES_256_GCM_SHA384

Supported

Not Supported

AES256-SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

Supported

Not Supported

AES256-SHA

TLS_RSA_WITH_AES_256_CBC_SHA

Supported

Not Supported

ECDHE-RSA-DES-CBC3-SHA

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Not Supported

Not Supported

DES-CBC3-SHA

SSL_RSA_WITH_3DES_EDE_CBC_SHA

Not Supported

Not Supported

ECDHE-RSA-AES128-GCM-SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Supported

Supported

ECDHE-RSA-AES128-SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Supported

Supported

ECDHE-RSA-AES128-SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Supported

Supported

AES128-GCM-SHA256

TLS_RSA_WITH_AES_128_GCM_SHA256

Supported

Not Supported

AES128-SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

Supported

Not Supported

AES128-SHA

TLS_RSA_WITH_AES_128_CBC_SHA

Supported

Not Supported

Installing an ECDSA server certificate will break compatibility with older PubSub+ Messaging API and event broker versions that do not support TLS 1.3. Ensure you update all your event broker instances and client applications to support TLS 1.3 before proceeding.

When using TLS 1.2, certificate keys must be at least 1024 bits in length. When using keys shorter than 1024 bits, you may receive a “digest too big for RSA key” error.

Supported Cipher Suites when using TLS 1.3

TLS 1.3 simplifies cipher suite configuration by using just two components:

  • An AEAD (Authenticated Encryption with Associated Data) algorithm that protects data during transmission
  • A digest algorithm that verifies the security of the initial TLS connection handshake

The following table lists the available TLS 1.3 cipher suites and their corresponding encryption and digest algorithms:

Cipher Suite AEAD Algorithm Digest Algorithm

TLS_AES_256_GCM_SHA384

AES GCM (256)

SHA2

TLS_AES_128_GCM_SHA256

AES GCM (128)

SHA2

TLS_CHACHA20_POLY1305_SHA256

CHACHA20_POLY1305

SHA2

Supported Key Exchange Mechanisms in TLS 1.3

TLS 1.3 uses Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange with the following supported groups:

  • secp256r1
  • secp384r1
  • secp521r1
  • x25519

Supported Authentication Algorithms in TLS 1.3

TLS 1.3 supports two types of authentication algorithms:

  • Elliptic Curve Digital Signature Algorithm (ECDSA)—Using curves:
    • secp256r1
    • secp384r1
    • secp521r1
  • RSA Probabilistic Signature Scheme (RSASSA-PSS)—Using hash functions:
    • SHA-256
    • SHA-384
    • SHA-512

Supported Ciphers

The following table shows the full list of ciphers event brokers support for SSH connections.

Ciphers
Default Security Policy FIPS Compliant Security Policy

aes128-ctr

Supported

Supported

aes192-ctr

Supported

Supported

aes256-ctr

Supported

Supported

aes128-gcm@openssh.com

Supported

Not Supported

aes256-gcm@openssh.com

Supported

Not Supported

Configuring Cipher and Cipher Suite Lists

For connections using TLS 1.2 and earlier, you can configure each default cipher and cipher suite list to avoid using specified ciphers or cipher suites, or you can reorder each list to change the priority associated with a given cipher or cipher suite. When you use TLS 1.3, cipher suites are predefined by the protocol and cannot be configured in this way.

To configure cipher suite lists for inbound connections, refer to Configuring Cipher Suites for Inbound Connections.

To configure cipher suite lists for outbound connections, refer to the following sections:

To configure ciphers for SSH connections, refer to Configuring Ciphers for SSH Connections.

Supported Signature Algorithms

An event broker can validate a certificate chain if all certificates in the chain are signed with one of the following signature algorithms:

TLS 1.2 Supported Signature Algorithms

Signature Algorithm Default Security Policy FIPS Compliant Security Policy

md2withRSAEncryption

md4withRSAEncryption

md5withRSAEncryption

Supported

Not Supported

shawithRSAEncryption

sha1withRSAEncryption

sha1withDSAEncryption

Supported

Not Supported

sha224withRSAEncryption

Supported

Supported (key must be greater than or equal to 2048 bits)

sha224withDSAEncryption

Supported

Not Supported

sha256withRSAEncryption

Supported

Supported (key must be greater than or equal to 2048 bits)

sha256withDSAEncryption

Supported

Not Supported

sha384withRSAEncryption

Supported

Supported (key must be greater than or equal to 2048 bits)

sha512withRSAEncryption

Supported

Supported (key must be greater than or equal to 2048 bits)

sha224WithECDSAEncryption

sha256WithECDSAEncryption

sha384WithECDSAEncryption

sha512WithECDSAEncryption

Supported

Supported

TLS 1.3 Supported Signature Algorithms

Signature Algorithm Hex Code Default Security Policy FIPS Compliant Security Policy

ecdsa_secp256r1_sha256

0x0403

Supported

Supported

ecdsa_secp384r1_sha384

0x0503

Supported

Supported

ecdsa_secp521r1_sha512

0x0603

Supported

Supported

rsa_pss_pss_sha256

0x0809

Supported

Supported

rsa_pss_rsae_sha256

0x0804

Supported

Supported

rsa_pss_pss_sha384

0x080a

Supported

Supported

rsa_pss_rsae_sha384

0x0805

Supported

Supported

rsa_pss_pss_sha512

0x080b

Supported

Supported

rsa_pss_rsae_sha512

0x0806

Supported

Supported

rsa_pkcs1_sha256

0x0401

Supported

Supported

rsa_pkcs1_sha384

0x0501

Supported

Supported

rsa_pkcs1_sha512

0x0601

Supported

Supported

Installing an ECDSA server certificate will break compatibility with older versions of the PubSub+ Messaging APIs and event broker versions that do not support TLS 1.3. Ensure you update all your event broker instances and client applications to support TLS 1.3 before proceeding.

Server Certificates Authentication Process

The following process is used when a client or management application connects to an event broker and requires certificate validation to establish a secure connection.

  1. The client or management application connects to the event broker’s TLS/SSL listening port.
  2. The event broker responds to the client or management application with its server certificate.
  3. If an Active/Active redundancy configuration is used, each event broker in the redundant pair should have its own server certificate with its own common name. If an Active/Standby redundancy configuration is used, the two mates can share a server certificate that uses the name of the primary event broker as the common name.

  4. The client or management application verifies that the server certificate is valid, is named as expected, and that it was issued by a trusted root certificate.
  5. If the validation succeeds, the client or management application will respond and continue to complete the handshake.

Certificate Authorities

PubSub+ event brokers use three lists of certificate authorities (CA):

  • The standard domain validation list— A pre-populated list of standard, trusted domain validation root certificates used to verify the server name for all outgoing TLS connections, including TLS connections for OCSP requests and to obtain CRLs. Event brokers use a combination of this list and the domain validation list during domain validation. This list cannot be modified, however, you can disable it and use only the domain validation list.
  • The domain validation list— Used to verify the server name for all outgoing TLS connections, including TLS connections for OCSP requests and to obtain CRLs. You can modify the CAs in this list to suit your deployment.
  • The client authentication list— Used to validate client certificates on incoming TLS connections, CRLs, and OCSP responses.

To configure CA lists, refer to Configuring Certificate Authorities.

Certificate Revocation Checking

An event broker can check the revocation status of the certificate that clients use when attempting to authenticate. The certificate revocation is configurable on a per-event broker basis with override options per-Message VPN. You can configure Message VPN overrides to ignore the results of the revocation check or to allow authentication of certificates with unknown revocation status. For more information, see Configuring Message VPN Overrides.

The revocation status of a certificate chain can have one of the following states:

  • Valid—All certificates in the chain have been checked for revocation and for whether they are valid.
  • Unknown—One or more certificate in the chain cannot be verified. It is, however, possible for OCSP to return unknown if the certificate is not revoked and not known to the CA.
  • Revoked—One or more certificate in the chain have been revoked.

With the certificate revocation checking enabled, there are several potential conditions that may lead to the status of a certificate chain to be unknown. The information below describe those conditions when CRL, OCSP, or OCSP-CRL certificate revocation check is enabled:

  • CRL—If a cached copy of the CRL is not available or if the CRL has expired.

  • OCSP—If the event broker does not receive a response from the OCSP responder within the default timeout, or if the response signer is not recognized as a genuine responder. The responder is required to sign the OCSP responder with certificates issued to specific common names and must contain appropriate OCSP flags.

  • OCSP-CRL—When using OCSP-CRL, following conditions may lead to the revocation status of a certificate to be unknown:

    • The OCSP response signer is not recognized as a genuine responder.

    • The event broker does not receive a response from the OCSP responder within the default timeout and a cached copy of the CRL is not available, or if the CRL has expired.

To learn about CRL, OCSP, OCSP-CRL certificate revocation checking, see Certificate Revocation Checking Methods

Clients That Support Certificate Revocation Checking

The following table shows the list of clients that support certificate revocation checking.

Authentication Source Certificate Revocation Checking Supported
SMF client Yes
MQTT client Yes
REST publisher Yes
REST subscriber No
Web Messaging client Yes

For information on certificate revocation configurations, see Configuring Certificate Authorities.

Certificate Revocation Checking Methods

You can configure event brokers to check the revocation status of client certificates using a Certificate Revocation List (CRL), Online Certificate Status Protocol (OCSP), or OCSP-CRL (a combination of both the methods).

CRL

CRLs contain a list of certificates that have been revoked by the issuing CA. The URL to the CAs certificate revocation list is embedded in each certificate. The event broker downloads the CRL from the distribution point and keeps a local copy that it refreshes periodically. To authenticate client certificates, the verifying application uses the CRL URL to download a local copy of the CRL, which it then uses for every revocation check that CA needs to make. The revocation status of all the certificates in the chain and its issuing CA is checked—starting from the last issued certificate—to the root CA itself. If the serial numbers of the certificates do not appear in the CRL, then the certificates pass the revocation check.

During CRL revocation check, the root CA gets two counts because it is checking itself once and checking the CA below in the chain once. All the other CAs get one count because they are only checking the one below them or, in the case of the last CA in the chain, it's checking the client that tried to connect.

To enable CRL certificate revocation checking, see Configuring CRL Certificate Revocation Checking.

OCSP

OCSP allows an event broker to check the revocation status of a single certificate directly with the CA or through a trusted responder (OCSP responder) inside the firewall. The client certificate contains a URL of the issuer of the certificate, which is used to check the revocation status of the certificate. With the OCSP method, each certificate in the chain is verified by sending a request with the certificate’s serial number to an OCSP responder. The responder must reply to indicate if the certificate has been revoked or whether it is valid or unknown.

To enable OCSP certificate revocation checking, see Configuring OCSP Certificate Revocation Checking.

OCSP-CRL

When both the OCSP and CRL certificate revocation checking are used, the revocation status of all the certificates in the chain will be first checked by OCSP. If the result is valid, unknown or revoked, the check is complete. If the OCSP responder returns unknown (response timeout) or unavailable, then the certificate will be checked by the CRL. This process is performed on each certificate in the chain.

To enable OCSP-CRL certificate revocation checking, see Configuring OCSP-CRL Certificate Revocation Checking.