Minimal TLS 1.2 for TeamCity

Super great that HTTPS can now easily be configured within the admin section of TeamCity. That saves the hassle of creating keystore files every year.

However, it seems to be a regression in security as TLS 1.0 and 1.1 are enabled again. Is there a way to disable them using the new config option?

0
3 comments

It is not currently possible to set the enabled SSL protocols from the Administration | HTTPS Settings menu. However, you can add the property protocols="<desired ssl protocols>" to your connector in <teamcity home directory>/conf/server.xml. Please refer to the Tomcat Documentation for details on this property. After adding the property, TeamCity will pick up the setting on the next restart.

Even though the capability is available to configure HTTPS through the web UI, in most cases it is still recommended to use TeamCity behind a reverse proxy (such as NGINX, Apache, etc.) that would handle HTTPS and use the HTTP TeamCity server port as the upstream. This is because processing HTTPS places an additional load on the server. For additional information, please refer to Configure HTTPS for TeamCity Web UI.

0
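The server.xml approach from the reply above, shown as an added example (not the original poster's or JetBrains' configuration): the first connector is the weak form with no protocol restriction, the second is the same connector limited to TLS 1.2 and 1.3. Only one of the two belongs in a real `<teamcity home directory>/conf/server.xml`; the port, keystore path and password are placeholders.

```xml
<!-- Added example, not from the original post or JetBrains documentation.
     Placeholders: port 8443, conf/teamcity.jks, password "changeit". -->

<!-- BEFORE (weak): no protocol restriction. Tomcat's SSLHostConfig
     "protocols" defaults to "all", so every TLS version the JVM permits
     (including TLS 1.0/1.1 on older JREs) is offered to clients. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="200">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/teamcity.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- AFTER (hardened): only TLS 1.2 and TLS 1.3 are negotiated.
     On Tomcat 8.5+/9 "protocols" lives on SSLHostConfig; the older
     spelling is sslEnabledProtocols="TLSv1.2,TLSv1.3" directly on
     the Connector. Do not combine both forms on one connector. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="200">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="conf/teamcity.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After the restart, verify from a client rather than trusting the file: `openssl s_client -connect teamcity.example.com:8443 -tls1_1 </dev/null` should fail with a handshake error, while the same command with `-tls1_2` should complete. Two caveats: whether TLS 1.0/1.1 are available at all also depends on the JRE, since current JDKs list them in `jdk.tls.disabledAlgorithms` in `java.security` by default, so an older bundled JRE can re-enable them; and, as the follow-up in this thread notes, the UI-managed HTTPS setup keeps its settings under `server/config/_https` and does not read this connector, so the restriction only applies to the server.xml-based setup.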

Thanks for the reply. I am aware of the Connector element in server.xml. That worked when manually configuring HTTPS. With the new HTTPS configuration option (https://www.jetbrains.com/help/teamcity/what-s-new-in-teamcity.html#Easy+HTTPS+access+setup+on+TeamCity+server) I don't see that server.xml is changed; instead <teamcity home directory>\server\config\_https\https-settings seems to be changed. So the real question is how to tighten the TLS versions with this new setup.

0

I've looked into this further and have determined it is not currently possible to specify a protocol using the Administration | HTTPS Settings menu in the web UI. Unfortunately, in order to specify the TLS version, you'll need to continue to use the server.xml method for now.

I have created a feature request for you here: TW-79482. Please take a moment to review the feature request and vote/comment to share your interest in such a feature. By voting on the feature request, you'll automatically be notified of any updates to the request. Additionally, any comments on our YouTrack site go directly to the responsible developer, so it is a great place to provide any additional information specific to your use case.


0
