Thanks Dave!

Seems like a complete answer, didn't test it yet :)

Do you happen to know if these cipher settings correspond to any kind of
security standard (e.g. OWASP recommendations
<https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#SSL_vs._TLS>
or
the like)?

Thanks again!



On Tue, Aug 8, 2017 at 4:43 PM, Dave Neuman <neu...@apache.org> wrote:

> Hey Shmulik,
> I put my responses inline. Hopefully someone will correct me if I got
> something wrong.
> Let me know if you have more questions.
> Thanks,
> Dave
>
> On Tue, Aug 8, 2017 at 12:26 AM, Shmulik Asafi <shmul...@qwilt.com> wrote:
>
>> Hello,
>>
>> We're working on tightening our SSL cipher suites for TC installation and
>> I have two broad questions in this regard:
>>
>> 1 - What are the recommendations on enabled TLS protocols and cipher
>> suites for the control plane components (e.g. Traffic Ops) and for the data
>> plane components (i.e. Traffic Router and caches)? I assume the data plane
>> must be looser to handle older clients, but would really appreciate actual
>> practices you have in the field for TC. Also, does the default meet those
>> recommendations?
>>
> [DN] The cipher suites for TO are defined in the connection string in the
> cdn.conf file. It looks like the default is
> ciphers=AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED
> We use the default Java cipher suites for TR. You can find that list here:
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
> The cipher suites for ATS are defined in a param called CONFIG
> proxy.config.ssl.server.cipher_suite. It looks like the default is:
>
>   { "config_file": "records.config", "name": "CONFIG
> proxy.config.ssl.server.cipher_suite", "value": "STRING
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
> ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-
> SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-
> AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-
> SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2" },
>
>
>> 2 - What's the proper way to configure this in the different components
>> in case we want to move from the defaults?
>>
> [DN]
> For TO I think all you need to do is change the ciphers param on the
> connection string.
> For TR you will need to add a ciphers configuration to the server.xml.
> More information here: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
> For ATS all you should need to do is update the param I listed above.
>
>
>> Thanks!
>>
>> --
>> *Shmulik Asafi*
>>
>



-- 
*Shmulik Asafi*
Qwilt | Work: +972-72-2221692| Mobile: +972-54-6581595| shmul...@qwilt.com
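The question above (do the quoted defaults line up with a hardening recommendation?) can be checked mechanically before touching cdn.conf, server.xml or records.config. The script below is an added example, not code from the Traffic Control project or from anyone in this thread. It performs a static audit of an OpenSSL-style cipher string: it tokenizes the list, separates explicit suite names from group keywords (HIGH, aNULL, ...) and `!` exclusions, flags suites built on RC4, MD5, 3DES or export/NULL primitives, flags suites whose key exchange gives no forward secrecy (no ECDHE/DHE prefix), and reports malformed tokens such as the `DES-CBC3-SHA!SRP` entry in the quoted ATS default, where a `:` is missing between the suite and the exclusion. The ATS and TO strings are copied from the thread; the weakness rules and the `HARDENED` comparison list are this example's own assumptions, not a TC or OWASP artefact. Group keywords cannot be audited statically, so a second function asks the OpenSSL linked into Python to expand the string, which is the equivalent of running `openssl ciphers -v` on the string.

```python
"""Static audit of OpenSSL cipher strings as used by Traffic Ops (cdn.conf)
and ATS (records.config). Added example; rules below are heuristics."""
import re
import ssl
from dataclasses import dataclass, field

# Copied from the thread: ATS proxy.config.ssl.server.cipher_suite default.
ATS_DEFAULT = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:"
    "AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:"
    "DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2")
# Copied from the thread: Traffic Ops cdn.conf default, exactly as quoted.
TO_DEFAULT = "AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED"
# Assumed hardened list for comparison (this example's suggestion only).
HARDENED = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "!aNULL:!eNULL:!MD5:!RC4:!3DES")

# Heuristic weakness rules (assumptions): pattern on the suite name, reason.
WEAK_RULES = [
    (re.compile(r"RC4"), "RC4 stream cipher"),
    (re.compile(r"MD5"), "MD5 MAC"),
    (re.compile(r"DES-CBC3|3DES"), "3DES, 64-bit block (Sweet32)"),
    (re.compile(r"^(?:DES-CBC-|EXP|NULL)"), "single DES, export or NULL cipher"),
]
FORWARD_SECRET = re.compile(r"^(?:ECDHE|DHE|EDH)-")   # ephemeral key exchange
SUITE_NAME = re.compile(r"[A-Z0-9]+(?:-[A-Z0-9]+)+")  # explicit suite, not a keyword


@dataclass
class Audit:
    enabled: list = field(default_factory=list)             # explicit suite names
    keywords: list = field(default_factory=list)            # HIGH, DEFAULT, ... (need runtime expansion)
    excluded: list = field(default_factory=list)            # !X and -X entries
    malformed: list = field(default_factory=list)           # '!' in the middle of a token
    weak: list = field(default_factory=list)                # (suite, reason)
    no_forward_secrecy: list = field(default_factory=list)  # static RSA key exchange


def tokenize(cipher_string):
    """OpenSSL accepts ':', ',' and space as separators."""
    return [t for t in re.split(r"[:, ]+", cipher_string.strip()) if t]


def audit(cipher_string):
    a = Audit()
    for tok in tokenize(cipher_string):
        if tok.startswith("@"):           # ordering directive such as @STRENGTH
            continue
        if "!" in tok[1:]:                # '!' is only meaningful as a prefix
            a.malformed.append(tok)
            tok = tok.split("!", 1)[0]    # audit the suite the author meant
        if tok[0] in "!-":
            a.excluded.append(tok[1:])
            continue
        name = tok.lstrip("+")            # '+' moves a suite to the end; same suite
        if not SUITE_NAME.fullmatch(name):
            a.keywords.append(name)       # group keyword; cannot be expanded here
            continue
        a.enabled.append(name)
        for pattern, reason in WEAK_RULES:
            if pattern.search(name):
                a.weak.append((name, reason))
        if not FORWARD_SECRET.match(name):
            a.no_forward_secrecy.append(name)
    return a


def is_clean(a):
    """No weak primitives, no static-RSA suites, no malformed tokens."""
    return not (a.weak or a.no_forward_secrecy or a.malformed)


def expand_with_openssl(cipher_string):
    """Resolve keywords like HIGH against the linked OpenSSL. Returns None when
    OpenSSL rejects the string (no matching suite at all). Suites that OpenSSL
    no longer builds (RC4, 3DES on recent versions) simply do not appear."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # TLS 1.3 suites are governed separately and are listed on newer Pythons.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    for label, s in (("ATS default", ATS_DEFAULT), ("TO default", TO_DEFAULT),
                     ("hardened", HARDENED)):
        a = audit(s)
        print(f"{label}: clean={is_clean(a)}\n  weak={a.weak}\n"
              f"  no_forward_secrecy={a.no_forward_secrecy}\n"
              f"  malformed={a.malformed}\n  keywords_to_expand={a.keywords}")
        print("  openssl expands to:", expand_with_openssl(s))
```

Two things the audit makes visible that reading the config does not: the ATS default as quoted keeps RC4, RC4-MD5, 3DES and several static-RSA suites enabled, and its `DES-CBC3-SHA!SRP` token is not a valid exclusion, so whether `SRP` is actually excluded depends on how OpenSSL's parser treats the stray `!`; verify with `openssl ciphers -v '<string>'` on the host. The TO default hides most of its content behind `HIGH`, which only the runtime expansion can resolve, and `!EDH` removes the DHE family, leaving forward secrecy to whatever ECDHE suites `HIGH` happens to include.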
