Introduction
This article describes how to load a custom TLS/SSL configuration.
MuleSoft Runtime comes with a default TLS configuration file, namely tls-default.conf. Actually, there are 3 locations:
./AnypointStudio.app/Contents/Eclipse/plugins/org.mule.tooling.server.3.8.0.ee_6.0.0.201605131244/mule/conf/tls-default.conf
./AnypointStudio.app-not-working/Contents/Eclipse/plugins/org.mule.tooling.apigateway.2.2.0_2.2.0.201603300158/mule/conf/tls-default.conf
./AnypointStudio.app-not-working/Contents/Eclipse/plugins/org.mule.tooling.server.3.8.0.ee_6.0.0.201605131244/mule/conf/tls-default.conf
In those files, there is the following line:
enabledProtocols=TLSv1.1,TLSv1.2
In a local or on-premise environment, we can change this file for our purposes, for example to allow TLSv1. In CloudHub, we have no control over this file. The solution is to create a custom TLS configuration file.
Solution
First, add the following line to mule-app.properties:
mule.security.model=custom
Second, create a file named tls-custom.conf with the following content (you can add additional settings; this is just an example):
# This file allows to restrict SSL behavior in Mule. If the file doesn't exist or a property is not defined,
# default values of the current security provider will be used.

# Cipher suites that will be enabled in SSL. If this property is set, SSL sockets will
# only use cipher suites that are provided in this list and supported by the current security provider.
#enabledCipherSuites=TLS_KRB5_WITH_3DES_EDE_CBC_MD5, \
# TLS_KRB5_WITH_RC4_128_SHA, \
# SSL_DH_anon_WITH_DES_CBC_SHA, \
# TLS_DH_anon_WITH_AES_128_CBC_SHA, \
# TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
# SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, \
# SSL_RSA_EXPORT_WITH_RC4_40_MD5, \
# SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, \
# TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
# TLS_KRB5_WITH_3DES_EDE_CBC_SHA, \
# SSL_RSA_WITH_RC4_128_SHA, \
# TLS_KRB5_WITH_DES_CBC_MD5, \
# TLS_KRB5_EXPORT_WITH_RC4_40_MD5, \
# TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, \
# SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, \
# TLS_KRB5_EXPORT_WITH_RC4_40_SHA, \
# SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, \
# SSL_DHE_DSS_WITH_DES_CBC_SHA, \
# TLS_KRB5_WITH_DES_CBC_SHA, \
# SSL_RSA_WITH_NULL_MD5, \
# TLS_DHE_DSS_WITH_AES_256_CBC_SHA, \
# SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, \
# TLS_RSA_WITH_AES_128_CBC_SHA, \
# SSL_DHE_RSA_WITH_DES_CBC_SHA, \
# TLS_DH_anon_WITH_AES_256_CBC_SHA, \
# TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, \
# SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, \
# SSL_RSA_WITH_NULL_SHA, \
# TLS_KRB5_WITH_RC4_128_MD5, \
# TLS_RSA_WITH_AES_256_CBC_SHA, \
# SSL_RSA_WITH_DES_CBC_SHA, \
# TLS_EMPTY_RENEGOTIATION_INFO_SCSV, \
# SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, \
# SSL_DH_anon_WITH_RC4_128_MD5, \
# SSL_RSA_WITH_RC4_128_MD5, \
# TLS_DHE_DSS_WITH_AES_128_CBC_SHA, \
# SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, \
# SSL_RSA_WITH_3DES_EDE_CBC_SHA

# Protocols that will be enabled in SSL. If this property is set, SSL sockets will only use protocols
# that are provided in this list and supported by the current security provider.
enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
Test It
Run your application in Anypoint Studio. In the console, you should see the following:
INFO 2016-09-22 15:51:18,443 [main] org.mule.api.security.tls.TlsProperties: Loading configuration file: tls-custom.conf
INFO 2016-09-22 15:51:18,593 [main] org.mule.api.security.tls.TlsProperties: Loading configuration file: tls-custom.conf
INFO 2016-09-22 15:51:18,613 [main] org.mule.api.security.tls.TlsProperties: Loading configuration file: tls-custom.conf
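The console output confirms that tls-custom.conf was loaded, not what it enables. As an added example (not part of the original article or of MuleSoft's code), the following Python check reads a file in the tls-custom.conf format shown above and lists the deprecated protocol versions and weak cipher suites it turns on. The sample file is constructed, and the set of weak suite-name tokens is this example's assumption.

```python
# Constructed sample in the page's tls-custom.conf format (three suites uncommented for illustration).
SAMPLE = r"""
# Cipher suites that will be enabled in SSL.
enabledCipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA, \
    SSL_RSA_WITH_RC4_128_MD5, \
    SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
#enabledCipherSuites=TLS_KRB5_WITH_RC4_128_SHA
enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
"""

# SSLv3 is deprecated by RFC 7568, TLS 1.0 and 1.1 by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Assumption of this example: suite-name tokens treated as weak (anonymous key
# exchange, no or export-grade encryption, RC4, DES/3DES, MD5 MAC).
WEAK_TOKENS = {"anon", "NULL", "EXPORT", "RC4", "DES", "DES40", "3DES", "MD5"}

def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments, key=value, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:      # trailing "" flushes a dangling continuation
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue                          # blank or comment at the start of a logical line
        if line.endswith("\\"):
            pending += line[:-1]              # drop the backslash, keep collecting
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(text):
    """Return (deprecated protocols, {weak suite: matched tokens}) that the file enables."""
    props = parse_properties(text)
    protocols = [p for p in split_list(props.get("enabledProtocols", ""))
                 if p in DEPRECATED_PROTOCOLS]
    suites = {}
    for suite in split_list(props.get("enabledCipherSuites", "")):
        hits = sorted(WEAK_TOKENS & set(suite.split("_")))
        if hits:
            suites[suite] = hits
    return protocols, suites

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the file exactly as written on this page, it reports TLSv1 and TLSv1.1 and no cipher suites, because the whole enabledCipherSuites list is commented out.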