Monday, August 29, 2016

Enable Custom TLS Configuration For Mule Project

Introduction

This article describes how to load a custom TLS/SSL configuration in a Mule application.

The Mule runtime ships with a default TLS configuration file, tls-default.conf. In this Anypoint Studio installation it appears in three locations:

./AnypointStudio.app/Contents/Eclipse/plugins/org.mule.tooling.server.3.8.0.ee_6.0.0.201605131244/mule/conf/tls-default.conf
./AnypointStudio.app-not-working/Contents/Eclipse/plugins/org.mule.tooling.apigateway.2.2.0_2.2.0.201603300158/mule/conf/tls-default.conf
./AnypointStudio.app-not-working/Contents/Eclipse/plugins/org.mule.tooling.server.3.8.0.ee_6.0.0.201605131244/mule/conf/tls-default.conf

In those files there is a line like:

enabledProtocols=TLSv1.1,TLSv1.2

In a local or on-premise environment we can edit this file for our own purposes, for example to allow TLSv1 (which is weaker than the default TLSv1.1/TLSv1.2, so widen the list only when a legacy peer requires it). On CloudHub we have no control over this file, so the solution is to create a custom TLS configuration file.

Solution

First, add the following line to mule-app.properties:

mule.security.model=custom

Second, create a file named tls-custom.conf with content like the following (you can add further properties; this is just an example):

# This file allows to restrict SSL behavior in Mule. If the file doesn't exist or a property is not defined,
# default values of the current security provider will be used.


# Cipher suites that will be enabled in SSL. If this property is set, SSL sockets will
# only use cipher suites that are provided in this list and supported by the current security provider.
#enabledCipherSuites=TLS_KRB5_WITH_3DES_EDE_CBC_MD5,        \
#                    TLS_KRB5_WITH_RC4_128_SHA,             \
#                    SSL_DH_anon_WITH_DES_CBC_SHA,          \
#                    TLS_DH_anon_WITH_AES_128_CBC_SHA,      \
#                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,      \
#                    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, \
#                    SSL_RSA_EXPORT_WITH_RC4_40_MD5,        \
#                    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,     \
#                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,      \
#                    TLS_KRB5_WITH_3DES_EDE_CBC_SHA,        \
#                    SSL_RSA_WITH_RC4_128_SHA,              \
#                    TLS_KRB5_WITH_DES_CBC_MD5,             \
#                    TLS_KRB5_EXPORT_WITH_RC4_40_MD5,       \
#                    TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,   \
#                    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, \
#                    TLS_KRB5_EXPORT_WITH_RC4_40_SHA,       \
#                    SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,    \
#                    SSL_DHE_DSS_WITH_DES_CBC_SHA,          \
#                    TLS_KRB5_WITH_DES_CBC_SHA,             \
#                    SSL_RSA_WITH_NULL_MD5,                 \
#                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,      \
#                    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,     \
#                    TLS_RSA_WITH_AES_128_CBC_SHA,          \
#                    SSL_DHE_RSA_WITH_DES_CBC_SHA,          \
#                    TLS_DH_anon_WITH_AES_256_CBC_SHA,      \
#                    TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,   \
#                    SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, \
#                    SSL_RSA_WITH_NULL_SHA,                 \
#                    TLS_KRB5_WITH_RC4_128_MD5,             \
#                    TLS_RSA_WITH_AES_256_CBC_SHA,          \
#                    SSL_RSA_WITH_DES_CBC_SHA,              \
#                    TLS_EMPTY_RENEGOTIATION_INFO_SCSV,     \
#                    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,     \
#                    SSL_DH_anon_WITH_RC4_128_MD5,          \
#                    SSL_RSA_WITH_RC4_128_MD5,              \
#                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,      \
#                    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,     \
#                    SSL_RSA_WITH_3DES_EDE_CBC_SHA


# Protocols that will be enabled in SSL. If this property is set, SSL sockets will only use protocols
# that are provided in this list and supported by the current security provider.
enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
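
As an added example (not from the original post), this Python script parses a tls-custom.conf written in the format shown above, including the trailing-backslash line continuations used by the cipher-suite list, and flags enabled protocols and suites that weaken the connection. The sample file and the list of weak-suite markers are constructed for this example.

```python
"""Parse a Mule tls-custom.conf and flag settings that weaken TLS (added example)."""

# Protocols deprecated by RFC 8996 (TLS 1.0/1.1) or long obsolete (SSL).
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of JSSE suite names marking export, anonymous, unencrypted or
# broken-cipher suites (constructed list for this check).
WEAK_SUITE_MARKERS = ("_NULL_", "_EXPORT_", "_anon_", "_RC4_", "_DES_", "_3DES_", "_MD5")


def parse_tls_conf(text):
    """Return {key: [values]} from tls-*.conf text: '#' comments, key=value,
    comma-separated values and trailing-backslash line continuation."""
    props, pending = {}, ""
    # The extra "" flushes a continuation that dangles at end of file.
    for raw in text.splitlines() + [""]:
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):
            continue                      # comment lines are never continued
        if line.endswith("\\"):
            pending = line[:-1].rstrip()  # value continues on the next line
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return props


def audit_tls_conf(props):
    """Return (key, value, reason) for each weak protocol or cipher suite."""
    findings = []
    for proto in props.get("enabledProtocols", []):
        if proto in WEAK_PROTOCOLS:
            findings.append(("enabledProtocols", proto, "deprecated protocol"))
    for suite in props.get("enabledCipherSuites", []):
        hits = [m for m in WEAK_SUITE_MARKERS if m in suite]
        if hits:
            findings.append(("enabledCipherSuites", suite, "weak suite: " + ", ".join(hits)))
    return findings


# Constructed sample mirroring the article's file, with a short cipher-suite
# list left uncommented so the continuation lines are exercised.
SAMPLE_CONF = """\
# This file allows to restrict SSL behavior in Mule.
enabledCipherSuites=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,     \\
                    SSL_RSA_EXPORT_WITH_RC4_40_MD5,        \\
                    TLS_RSA_WITH_AES_256_CBC_SHA

# Protocols that will be enabled in SSL.
enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
"""

if __name__ == "__main__":
    for key, value, reason in audit_tls_conf(parse_tls_conf(SAMPLE_CONF)):
        print(f"WARN {key}={value}: {reason}")
```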

Test It

Run your application in Anypoint Studio. In the console you should see the following:

INFO  2016-09-22 15:51:18,443 [main] org.mule.api.security.tls.TlsProperties: Loading configuration file: tls-custom.conf
INFO  2016-09-22 15:51:18,593 [main] org.mule.api.security.tls.TlsProperties: Loading configuration file: tls-custom.conf
INFO  2016-09-22 15:51:18,613 [main] org.mule.api.security.tls.TlsProperties: Loading configuration file: tls-custom.conf

4 comments:

  1. Hi, is it mandatory to give mule.security.model=custom?

  2. This comment has been removed by the author.

  3. Where will you keep tls-custom.conf ???

    ~Thanks!

  4. It is such a nice blog. I was really satisfied by seeing this blog.
    mulesoft training
    mulesoft online training

Anypoint Studio Error: The project is missing MUnit library to run tests

Anypoint Studio 7.9 has a bug. Even if we follow the article: https://help.mulesoft.com/s/article/The-project-is-missing-MUnit-libraries-...