Posted to users@trafficcontrol.apache.org by Shmulik Asafi <sh...@qwilt.com> on 2017/08/08 06:26:51 UTC

Traffic Control SSL Cipher Suites and Best Practice

Hello,

We're working on tightening our SSL cipher suites for TC installation and I
have two broad questions in this regard:

1 - What are the recommendations on enabled TLS protocols and cipher suites
for the control plane components (e.g. Traffic Ops) and for the data plane
components (i.e. Traffic Router and caches)? I assume the data plane must
be looser to handle older clients, but would really appreciate actual
practices you have in the field for TC. Also, does the default meet those
recommendations?

2 - What's the proper way to configure this in the different components in
case we want to move from the defaults?

Thanks!

-- 
*Shmulik Asafi*

Re: Traffic Control SSL Cipher Suites and Best Practice

Posted by Dave Neuman <ne...@apache.org>.
>
> Do you happen to know if these cipher settings correspond to any kind of
> security standard (e.g. OWASP recommendations
> <https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#SSL_vs._TLS> or
> the like)?
>

Not on purpose :)

On Thu, Aug 10, 2017 at 12:53 AM, Shmulik Asafi <sh...@qwilt.com> wrote:

> Thanks Dave!
>
> Seems like a complete answer, didn't test it yet :)
>
> Do you happen to know if these cipher settings correspond to any kind of
> security standard (e.g. OWASP recommendations
> <https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#SSL_vs._TLS> or
> the like)?
>
> Thanks again!
>
>
>
> On Tue, Aug 8, 2017 at 4:43 PM, Dave Neuman <ne...@apache.org> wrote:
>
>> Hey Shmulik,
>> I put my responses inline. Hopefully someone will correct me if I got
>> something wrong.
>> Let me know if you have more questions.
>> Thanks,
>> Dave
>>
>> On Tue, Aug 8, 2017 at 12:26 AM, Shmulik Asafi <sh...@qwilt.com>
>> wrote:
>>
>> Hello,
>>>
>>> We're working on tightening our SSL cipher suites for TC installation
>>> and I have two broad questions in this regard:
>>>
>>> 1 - What are the recommendations on enabled TLS protocols and cipher
>>> suites for the control plane components (e.g. Traffic Ops) and for the data
>>> plane components (i.e. Traffic Router and caches)? I assume the data plane
>>> must be looser to handle older clients, but would really appreciate actual
>>> practices you have in the field for TC. Also, does the default meet those
>>> recommendations?
>>>
>> [DN] The cipher suites for TO are defined in the connection string in the
>> cdn.conf file. It looks like the default is
>> ciphers=AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED
>> We use the default Java cipher suites for TR. You can find that list
>> here: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
>> The cipher suites for ATS are defined in a param called CONFIG
>> proxy.config.ssl.server.cipher_suite . It looks like the defaults are:
>>
>>   { "config_file": "records.config", "name": "CONFIG proxy.config.ssl.server.cipher_suite", "value": "STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2" },
>>
>>
>>> 2 - What's the proper way to configure this in the different components
>>> in case we want to move from the defaults?
>>>
>> [DN]
>> For TO I think all you need to do is change the ciphers param on the
>> connection string.
>> For TR you will need to add a ciphers configuration to the server.xml.
>> More information here: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>> For ATS all you should need to do is update the param I listed above.
>>
>>
>>> Thanks!
>>>
>>> --
>>> *Shmulik Asafi*
>>>
>>
>
>
>
> --
> *Shmulik Asafi*
> Qwilt | Work: +972-72-2221692 | Mobile: +972-54-6581595 | shmulika@qwilt.com
>

Re: Traffic Control SSL Cipher Suites and Best Practice

Posted by Shmulik Asafi <sh...@qwilt.com>.
Thanks Dave!

Seems like a complete answer, didn't test it yet :)

Do you happen to know if these cipher settings correspond to any kind of
security standard (e.g. OWASP recommendations
<https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#SSL_vs._TLS>
or
the like)?

Thanks again!



On Tue, Aug 8, 2017 at 4:43 PM, Dave Neuman <ne...@apache.org> wrote:

> Hey Shmulik,
> I put my responses inline. Hopefully someone will correct me if I got
> something wrong.
> Let me know if you have more questions.
> Thanks,
> Dave
>
> On Tue, Aug 8, 2017 at 12:26 AM, Shmulik Asafi <sh...@qwilt.com> wrote:
>
> Hello,
>>
>> We're working on tightening our SSL cipher suites for TC installation and
>> I have two broad questions in this regard:
>>
>> 1 - What are the recommendations on enabled TLS protocols and cipher
>> suites for the control plane components (e.g. Traffic Ops) and for the data
>> plane components (i.e. Traffic Router and caches)? I assume the data plane
>> must be looser to handle older clients, but would really appreciate actual
>> practices you have in the field for TC. Also, does the default meet those
>> recommendations?
>>
> [DN] The cipher suites for TO are defined in the connection string in the
> cdn.conf file. It looks like the default is
> ciphers=AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED
> We use the default Java cipher suites for TR. You can find that list here:
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
> The cipher suites for ATS are defined in a param called CONFIG
> proxy.config.ssl.server.cipher_suite . It looks like the defaults are:
>
>   { "config_file": "records.config", "name": "CONFIG proxy.config.ssl.server.cipher_suite", "value": "STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2" },
>
>
>> 2 - What's the proper way to configure this in the different components
>> in case we want to move from the defaults?
>>
> [DN]
> For TO I think all you need to do is change the ciphers param on the
> connection string.
> For TR you will need to add a ciphers configuration to the server.xml.
> More information here: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
> For ATS all you should need to do is update the param I listed above.
>
>
>> Thanks!
>>
>> --
>> *Shmulik Asafi*
>>
>



-- 
*Shmulik Asafi*
Qwilt | Work: +972-72-2221692 | Mobile: +972-54-6581595 | shmulika@qwilt.com

Re: Traffic Control SSL Cipher Suites and Best Practice

Posted by Dave Neuman <ne...@apache.org>.
Hey Shmulik,
I put my responses inline. Hopefully someone will correct me if I got
something wrong.
Let me know if you have more questions.
Thanks,
Dave

On Tue, Aug 8, 2017 at 12:26 AM, Shmulik Asafi <sh...@qwilt.com> wrote:

Hello,
>
> We're working on tightening our SSL cipher suites for TC installation and
> I have two broad questions in this regard:
>
> 1 - What are the recommendations on enabled TLS protocols and cipher
> suites for the control plane components (e.g. Traffic Ops) and for the data
> plane components (i.e. Traffic Router and caches)? I assume the data plane
> must be looser to handle older clients, but would really appreciate actual
> practices you have in the field for TC. Also, does the default meet those
> recommendations?
>
[DN] The cipher suites for TO are defined in the connection string in the
cdn.conf file. It looks like the default is
ciphers=AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED
We use the default Java cipher suites for TR. You can find that list here:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
The cipher suites for ATS are defined in a param called CONFIG
proxy.config.ssl.server.cipher_suite . It looks like the defaults are:

  { "config_file": "records.config", "name": "CONFIG proxy.config.ssl.server.cipher_suite", "value": "STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2" },


> 2 - What's the proper way to configure this in the different components in
> case we want to move from the defaults?
>
[DN]
For TO I think all you need to do is change the ciphers param on the
connection string.
For TR you will need to add a ciphers configuration to the server.xml. More
information here: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
For ATS all you should need to do is update the param I listed above.


> Thanks!
>
> --
> *Shmulik Asafi*
>
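Added example, not from the thread or the Traffic Control project: a small linter that walks the two default cipher strings quoted above (the Traffic Ops cdn.conf `ciphers=` value and the ATS `proxy.config.ssl.server.cipher_suite` value), flags RC4, MD5 and 3DES suites and explicitly named suites without forward secrecy, and notices that the ATS default as quoted has no `:` between `DES-CBC3-SHA` and `!SRP`. The weak-suite list and the forward-secrecy heuristic are this example's own assumptions.

```python
"""Lint OpenSSL-style cipher strings such as the Traffic Control defaults
quoted above. Added example, not Traffic Control code."""
import re
# Defaults as quoted in the thread (constructed copies, including the
# apparently missing ':' before '!SRP' in the ATS string).
TO_DEFAULT = "AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED"
ATS_DEFAULT = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
               "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
               "AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:"
               "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:"
               "AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:"
               "!eNULL:!SSLv2")

# Substrings that mark an explicitly named suite as weak (assumed list).
WEAK = {"RC4": "RC4 stream cipher", "MD5": "MD5 MAC",
        "DES-CBC3": "3DES, 64-bit block"}

def lint_cipher_string(spec):
    """Return (token, reason) findings for an OpenSSL cipher string."""
    findings = []
    tokens = [t for t in re.split(r"[:, ]+", spec) if t]
    # '!X' removes X and prevents it from being re-added later in the list.
    kills = {t[1:].upper() for t in tokens if t.startswith("!")}
    for tok in tokens:
        if "!" in tok[1:]:   # '!' is only meaningful as the first character
            findings.append((tok, "'!' inside token: missing ':' separator,"
                                  " the exclusion may not be applied"))
        if tok[0] in "!-+":  # remove / delete / move-to-end operators
            continue
        if "-" not in tok:   # alias such as HIGH or DEFAULT: not judged here
            continue
        for marker, why in WEAK.items():
            if marker in tok.upper() and marker not in kills:
                findings.append((tok, why))
        # Heuristic: OpenSSL names without an ECDHE-/DHE- prefix use static
        # RSA key exchange, which gives no forward secrecy.
        if not tok.startswith(("ECDHE-", "DHE-")):
            findings.append((tok, "static RSA key exchange, no forward secrecy"))
    return findings

def flagged_tokens(spec):
    """Distinct tokens that produced at least one finding."""
    return sorted({tok for tok, _ in lint_cipher_string(spec)})

if __name__ == "__main__":
    for name, spec in (("Traffic Ops", TO_DEFAULT), ("ATS", ATS_DEFAULT)):
        print(name, "->", len(lint_cipher_string(spec)), "findings")
        for tok, why in lint_cipher_string(spec):
            print("  %s: %s" % (tok, why))
```

Aliases such as HIGH are not expanded here; on a host with OpenSSL, `openssl ciphers -v '<string>'` shows the suites a given string actually enables.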