TLS cipher suites

A cipher suite is a set of algorithms used to encrypt network communication. Qlik NPrinting users can customize the list of cipher suites in order to remove those that their security policy considers not secure.

Qlik NPrinting does not set a specific secure cipher suite as mandatory, in order to guarantee compatibility with different operating systems and platforms.

The new proxy configuration parameter tls.ciphersuites lets you manage a custom set of cipher suites in the Qlik NPrinting proxy.

The proxy configuration files are:

  • %ProgramData%\NPrinting\webconsoleproxy\app.conf
  • %ProgramData%\NPrinting\newsstandproxy\app.conf

These files contain the list of customizable configuration properties, all commented by default. These files do not change when you upgrade to new versions of Qlik NPrinting. Therefore, this configuration property is not immediately visible when you upgrade from older versions. This ensures you do not lose your settings.

Limitations

The Qlik NPrinting proxy supports a limited set of cipher suites. The list may change after a product upgrade in order to include new algorithms or deprecate others.

Some of the supported cipher suites are on the HTTP/2 black list of suites considered insecure for TLS 1.2. In the custom list, they must be placed after all non-blacklisted cipher suites. Otherwise, the proxy cannot be started, and you will see this error:

"http2: TLSConfig.CipherSuites index %index% contains an HTTP/2-approved cipher suite (%ciphername%), but it comes after unapproved cipher suites.

With this configuration, clients that don't support previous, approved cipher suites may be given an unapproved one and reject the connection."

Note that %index% and %ciphername% are placeholders that will show:

  • %index%: the position, in the custom list, of the cipher suite that caused the issue.
  • %ciphername%: the name of the cipher suite that caused the issue.

At least one of the cipher suites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (required by the HTTP/2 RFC) or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (to support ECDSA-only servers) is mandatory. Otherwise, the proxy cannot be started, and you will see this error:

http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher.

Supported cipher suites:

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
// RC4-based cipher suites are disabled by default
TLS_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
// black-listed by default
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Accessing the custom cipher suites list

Do the following:

  1. Stop the QlikNPrintingWebEngine service.
  2. To customize the Qlik NPrinting web console, open webconsoleproxy\app.conf. To customize the NewsStand, open newsstandproxy\app.conf.
  3. Uncomment or add tls.ciphersuites.
  4. Enter, as the value, the comma-separated list of cipher suites to support, ordered from most to least preferred.
  5. Save the file.
  6. Restart the QlikNPrintingWebEngine service.

Example

Set only the cipher suites considered secure by the RFC 7540 standard.

# set a custom set of supported ciphersuites ordered from most to least preferred
tls.ciphersuites = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
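Before restarting the service, a custom value can be checked offline against the two start-up rules described above (black-listed suites only after approved ones, and an HTTP/2-required AES_128_GCM_SHA256 suite present). The following Go program is an added example written for this page, not Qlik NPrinting code; it assumes the supported list above and classifies suites according to RFC 7540 Appendix A.

```go
package main

import (
	"fmt"
	"strings"
)

// Suites the page lists as supported by the proxy (RC4/3DES ones are off by default).
var supported = strings.Fields(`
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA`)

// http2Approved reports whether a suite is outside the RFC 7540 Appendix A black list. For the
// set above that means ECDHE key exchange with an AEAD cipher; static RSA, CBC, RC4 and 3DES are black-listed.
func http2Approved(name string) bool {
	return strings.Contains(name, "ECDHE") &&
		(strings.Contains(name, "GCM") || strings.Contains(name, "CHACHA20"))
}

// ValidateCipherSuites applies the proxy's start-up rules to a tls.ciphersuites value (quotes optional).
func ValidateCipherSuites(value string) error {
	known := map[string]bool{}
	for _, s := range supported {
		known[s] = true
	}
	hasRequired, sawUnapproved := false, false
	for i, name := range strings.Split(strings.Trim(strings.TrimSpace(value), `"`), ",") {
		name = strings.TrimSpace(name)
		switch {
		case !known[name]:
			return fmt.Errorf("index %d: unsupported cipher suite %q", i, name)
		case http2Approved(name) && sawUnapproved:
			return fmt.Errorf("index %d: HTTP/2-approved cipher suite %s comes after unapproved cipher suites", i, name)
		case !http2Approved(name):
			sawUnapproved = true
		case strings.HasSuffix(name, "_WITH_AES_128_GCM_SHA256"): // only reached for the two ECDHE required suites
			hasRequired = true
		}
	}
	if !hasRequired {
		return fmt.Errorf("missing an HTTP/2-required AES_128_GCM_SHA256 cipher")
	}
	return nil
}
```

Call ValidateCipherSuites with the value of tls.ciphersuites; a nil result means the proxy will accept the ordering and the required suite is present.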