How do I configure which ciphers/hashes/macs/etc. that my Diplomat software uses when initiating SSL- or SSH-based communications?
Overview
For Diplomat MFT Enterprise and Standard Editions v8.1.1 and later, you can specify cryptography options in a “properties” text file with name/value pairs expanded or limited as desired. When Diplomat executes any transaction with a source or destination that uses SSL/TLS or SSH, it will consult the properties file for the chosen configuration for these values. If no properties file is present, Diplomat will use default values.
Limiting options may impact compatibility with legacy systems, while expanding options may introduce security concerns with weak or deprecated cryptography. Any changes must be well-considered, and edits must be carefully made.
Once you have successfully saved any changes, you must stop and restart the Diplomat MFT service for the new settings to take effect.
File Location
Diplomat looks for the file diplomat.custom.properties in its DiplomatData folder, which by default for Windows installations is C:\ProgramData\Coviant Software\Diplomat-j (or Diplomat-trial for trial installations).
NO SUCH FILE EXISTS THERE BY DEFAULT. However, for the sake of convenience the Diplomat MFT installer does deploy this file with default values into C:\Program Files\Coviant Software\Diplomat-j (or Diplomat-trial) for you to copy to the correct folder and edit as needed. Alternatively, you can download the file from this article attachment and save it directly to the proper folder for editing (rename the attachment to remove the “.txt” extension).
The file provided includes a complete listing of all available options in commented lines. Commented lines start with the comment character #, and are ignored by the configuration reader. To edit the file, remove the comment character from the lines of items you want to enable, or add the comment character in front of the lines you want to disable.
Diplomat MFT 9.1 Update
As of Diplomat MFT 9.1.1 Build 20230216, the SSH library was updated and we no longer use the ssh.enabledSignature.sftp option in the diplomat.custom.properties file. Instead, use the ssh.enabledKeyAlgorithms.sftp. This value controls the supported Host Key algo
Example
Here is an example for the diplomat.custom.properties file in which we set only strong RSA, AES, and SHA-2 cryptography for the SFTP transport for all such file transfers:
ssh.enabledKEX.sftp=diffie-hellman-group-exchange-sha256 ssh.enabledCipher.sftp=aes256-ctr ssh.enabledMAC.sftp=hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com ssh.enabledCompression.sftp=zlib@openssh.com zlib none ssh.enabledKeyAlgorithms.sftp=rsa-sha2-512 rsa-sha2-256 ssh-rsa