Customizing Ciphers

    Your query search resulted in no results.

    Configuring SSL/TLS ciphers

    You can choose which ciphers and SSL/TLS protocols Go will use for communication with agents and users (and their browsers)

    Configuring GoCD server

    Following system properties are exposed to override the default SSL/TLS configuration for Go server:

    Key Default value Description
    go.ssl.ciphers.include null A comma-separated list of cipher suite names (exact or regular expression) to be enabled
    go.ssl.ciphers.exclude null A comma-separated list of cipher suite names (exact or regular expression) to be disabled
    go.ssl.protocols.include null A comma-separated list of SSL/TLS protocols to be enabled
    go.ssl.protocols.exclude null A comma-separated list of SSL/TLS protocols to be disabled
    go.ssl.renegotiation.allowed Y Flag to allow/dis-allow TLS renegotiation, accepts - Y and N

    Setting it up:

    • Linux

      This can be configured through /etc/default/go-server, such as:

      export GO_SERVER_SYSTEM_PROPERTIES="-Dgo.ssl.ciphers.include='TLS_ECDHE.*' -Dgo.ssl.ciphers.exclude='.*NULL.*,.*RC4.*' -Dgo.ssl.protocols.include='TLSv1.2' -Dgo.ssl.protocols.exclude='SSLv3' -Dgo.ssl.renegotiation.allowed='N'"
    • Windows

      Follow the instructions to add a new property for Go server setup on windows, such as:

      wrapper.java.additional.17="-Dgo.ssl.ciphers.include=TLS_ECDHE.*"
      wrapper.java.additional.18="-Dgo.ssl.ciphers.exclude=.*NULL.*,.*RC4.*"
      wrapper.java.additional.19="-Dgo.ssl.protocols.include=TLSv1.2"
      wrapper.java.additional.20="-Dgo.ssl.protocols.exclude=SSLv3"
      wrapper.java.additional.21="-Dgo.ssl.renegotiation.allowed=N"

      Restart server for the changes to take effect.

    Configuring GoCD agent

    The default transport protocol that agent uses to communicate with Go server is TLSv1.2. This can be overridden by configuring property go.ssl.agent.protocol to a suitable value based on your requirements. If your JRE does not support TLSv1.2, set this property as follows:

    • Linux

      This can be configured through /etc/default/go-agent, such as:

      export GO_AGENT_SYSTEM_PROPERTIES="-Dgo.ssl.agent.protocol='SSL'"
    • Windows

      Follow the instructions to add a new property for Go agents setup on windows, such as:

      wrapper.java.additional.17="-Dgo.ssl.agent.protocol='SSL'"

      Restart agent for the changes to take effect.

    Read jetty’s documentation to know more about SSL/TLS configuration.