Which SSL ciphers to allow for client HTTPS/SSL connections when walking or performing results authorization, i.e. for connections from the Parametric Search Appliance to remote https:// URLs. The default (if empty) is the OpenSSL default list for the current OpenSSL client (Texis) library. Some SSL ciphers may be known to be vulnerable, and administrators may wish to disable them via this setting.
Modifying (specifically, shortening) the cipher list is also a way to connect to long-handshake-intolerant HTTPS servers. These servers cannot handle an SSL ClientHello message longer than 255 bytes, and time out when receiving one (e.g. with "Timeout completing SSL handshake ..." errors). The default OpenSSL cipher list may cause the ClientHello message to exceed 255 bytes, triggering this intolerance in such servers. Setting a shorter cipher list shortens the ClientHello message so that the connection can be established. Disabling SNI via the SSL Use SNI setting is another way to shorten the ClientHello message.
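The following Python sketch is an added example, not code from the appliance or the Texis library: it builds a minimal TLS 1.2 ClientHello to show how each cipher suite and the SNI extension add to the message length, and measures what the local Python/OpenSSL build sends first. The hostname, suite IDs and function names are constructed for illustration, and a real OpenSSL ClientHello carries more extensions, so the model is a lower bound.

```python
import ssl
import struct

LIMIT = 255  # longest ClientHello the intolerant servers accept, per the text

def client_hello(suites, sni=None):
    """Constructed minimal TLS 1.2 ClientHello handshake message (no record header)."""
    ext = b""
    if sni:  # server_name extension: type 0, list holding one host_name entry
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(data)) + data
    body = b"\x03\x03" + bytes(32) + b"\x00"  # version, zeroed random, empty session id
    body += struct.pack("!H", 2 * len(suites))  # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body

def max_suites(sni=None, limit=LIMIT):
    """Most cipher suites that keep the minimal hello within the limit."""
    return (limit - len(client_hello([], sni))) // 2

def measured_hello(ciphers=None, sni=None):
    """Bytes the local OpenSSL actually emits first (5-byte record header included)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = sni is not None
    if ciphers:
        ctx.set_ciphers(ciphers)  # OpenSSL cipher-list string
    out = ssl.MemoryBIO()
    conn = ctx.wrap_bio(ssl.MemoryBIO(), out, server_hostname=sni)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no ServerHello is ever supplied
    return len(out.read())

if __name__ == "__main__":
    host = "www.example.com"  # constructed hostname
    suites = list(range(0xC000, 0xC000 + 120))  # 120 constructed suite IDs
    for n, sni in ((120, host), (120, None), (90, host)):
        size = len(client_hello(suites[:n], sni))
        print(n, "suites, SNI", bool(sni), "->", size, "bytes", "OK" if size <= LIMIT else "too long")
    print("room for", max_suites(host), "suites with SNI,", max_suites(), "without")
    print("local OpenSSL default:", measured_hello(sni=host), "bytes")
    print("one suite, no SNI:", measured_hello("ECDHE-RSA-AES128-GCM-SHA256"), "bytes")
```

Python's `set_ciphers()` does not change the TLS 1.3 suites, so the measured sizes on a TLS 1.3-capable build move less than the model's.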
Note: To change the server-side SSL ciphers accepted by the Parametric Search Appliance - e.g. for admin, search, Dataload etc. - see HTTPS/SSL Ciphers under System Wide Settings.