
TLS cipher suites

A cipher suite is a set of algorithms used to encrypt network communication. Qlik NPrinting components support a variety of cipher suites, to allow for different security protocols.

Qlik NPrinting does not set a specific secure cipher suite as mandatory, in order to guarantee compatibility with different operating systems and platforms.

Qlik NPrinting proxy cipher suites

The proxy configuration parameter tls.ciphersuites lets you manage a custom set of cipher suites in the Qlik NPrinting proxy.

The proxy configuration files are:

  • %ProgramData%\NPrinting\webconsoleproxy\app.conf
  • %ProgramData%\NPrinting\newsstandproxy\app.conf

These files contain the list of customizable configuration properties, all commented out by default. They are not changed when you upgrade to a new version of Qlik NPrinting, which ensures you do not lose your settings. As a result, this configuration property is not immediately visible when you upgrade from older versions.

Limitations

  • The Qlik NPrinting proxy supports a limited set of cipher suites. The list may change after a product upgrade in order to include new algorithms or deprecate others.
  • Some of the supported cipher suites are considered insecure for TLS 1.2 by the HTTP/2 protocol and are blacklisted by it. In the list of custom values, they must be placed after all non-blacklisted cipher suites. Otherwise, the proxy cannot be started, and you will see this error:

    "http2: TLSConfig.CipherSuites index %index% contains an HTTP/2-approved cipher suite (%ciphername%), but it comes after unapproved cipher suites. With this configuration, clients that don't support previous, approved cipher suites may be given an unapproved one and reject the connection."

  • Note that %index% and %ciphername% are variables that will show:
    • %index%: the name of the index.
    • %ciphername%: the name of the cipher suite that caused the issue.
  • At least one of the cipher suites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (required by the HTTP/2 RFC) or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (to support ECDSA-only servers) is mandatory. Otherwise, the proxy cannot be started, and you will see this error:

    "http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher"

Supported cipher suites

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

// RC4-based cipher suites are disabled by default

TLS_RSA_WITH_RC4_128_SHA

TLS_ECDHE_RSA_WITH_RC4_128_SHA

TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

// black-listed by default

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

Accessing the custom cipher suites list

Do the following:

  1. Stop the QlikNPrintingWebEngine service.
  2. To customize the Qlik NPrinting web console, open webconsoleproxy\app.conf. To customize the NewsStand, open newsstandproxy\app.conf.
  3. Uncomment or add tls.ciphersuites.
  4. As the value, enter a comma-separated list of the cipher suites to support, ordered from most to least preferred.
  5. Save the file.
  6. Restart the QlikNPrintingWebEngine service.

Example

Set only the cipher suites considered secure by the RFC 7540 standard.

# set a custom set of supported ciphersuites ordered from most to least preferred
tls.ciphersuites = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
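
The two startup checks listed under Limitations can be run against an edited app.conf before the service is restarted. The following script is an added example, not Qlik code: the function names and the sample configuration are constructed, and it assumes the HTTP/2-approved set is exactly the six suites in the example above, treating every other name as unapproved.

```python
import re

# Approved for HTTP/2: the six suites from the page's RFC 7540 example (assumption).
H2_APPROVED = {
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
# At least one of these must be listed, or the proxy does not start.
H2_REQUIRED = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}

def parse_ciphersuites(conf_text):
    """Return the suites from the active tls.ciphersuites line, or None if unset."""
    for line in conf_text.splitlines():
        m = re.match(r'\s*tls\.ciphersuites\s*=\s*"?([^"#]*)"?', line)
        if m:  # lines commented out with '#' never match
            return [s.strip() for s in m.group(1).split(",") if s.strip()]
    return None

def lint_ciphersuites(suites):
    """List the ordering and required-cipher problems in a suite list."""
    problems = []
    first_unapproved = None
    for index, name in enumerate(suites):
        if name not in H2_APPROVED:
            if first_unapproved is None:
                first_unapproved = index
        elif first_unapproved is not None:
            problems.append(f"index {index}: {name} comes after unapproved "
                            f"{suites[first_unapproved]} (index {first_unapproved})")
    if not H2_REQUIRED.intersection(suites):
        problems.append("missing an HTTP/2-required AES_128_GCM_SHA256 cipher")
    return problems

# Constructed sample: a CBC suite is listed before an approved GCM suite.
SAMPLE_CONF = '''# tls.ciphersuites = "TLS_RSA_WITH_AES_128_CBC_SHA"
tls.ciphersuites = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
'''

if __name__ == "__main__":
    for problem in lint_ciphersuites(parse_ciphersuites(SAMPLE_CONF)):
        print(problem)
```

An empty result means the list passes both checks; the script does not verify that each name is in the proxy's supported list.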

 

Qlik NPrinting messaging service cipher suites

These are the cipher suites supported by Qlik NPrinting messaging service for TLS communication between Qlik NPrinting scheduler service and Qlik NPrinting Engines. They are supported by RabbitMQ and TLS 1.2.

If you want to disable TLS connections with client certificate authentication and use simple authentication, see: Configuring the messaging service for simple authentication.

Limitations

  • Cipher suites for Qlik NPrinting messaging service cannot be customized.

Supported cipher suites

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

Troubleshooting

Qlik NPrinting Designer error "CEF rendering request failed, error: One or more errors occurred."

A report template that contains an image from a Qlik Sense connection fails to preview with the error: "CEF rendering request failed, error: One or more errors occurred."

Possible cause  

The Qlik NPrinting Server has restricted the sets of certificates and cipher suites, which creates rendering issues.

Proposed action  

You need to enable certain cipher suites:

Do the following:

  1. Download IIS Crypto 2.0.
  2. Execute it with admin privileges, and then go to the "Cipher Suites" tab on the left.

     The following cipher suites should be enabled. If you cannot see them in the list, click the add button on the right, and type them in.
       1. You must enable at least one of the following on the machine where the Qlik NPrinting Engine or the Qlik NPrinting Server is installed:
          • TLS_RSA_WITH_AES_128_CBC_SHA
          • TLS_RSA_WITH_AES_256_CBC_SHA
          • TLS_RSA_WITH_AES_128_GCM_SHA256
          • TLS_RSA_WITH_AES_256_GCM_SHA384
       2. You must enable at least one of the following on the machine where the Qlik NPrinting Server is installed:
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  3. Click OK, and then Apply.
  4. Reboot the machine.