Hey Shmulik,
I put my responses inline. Hopefully someone will correct me if I got
something wrong.
Let me know if you have more questions.
Thanks,
Dave

On Tue, Aug 8, 2017 at 12:26 AM, Shmulik Asafi <shmul...@qwilt.com> wrote:

> Hello,
>
> We're working on tightening our SSL cipher suites for TC installation and
> I have two broad questions in this regard:
>
> 1 - What are the recommendations on enabled TLS protocols and cipher
> suites for the control plane components (e.g. Traffic Ops) and for the data
> plane components (i.e. Traffic Router and caches)? I assume the data plane
> must be looser to handle older clients, but would really appreciate actual
> practices you have in the field for TC. Also, does the default meet those
> recommendations?
>
[DN] The cipher suites for TO are defined in the connection string in the
cdn.conf file. It looks like the default is
ciphers=AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED
We use the default Java cipher suites for TR. You can find that list here:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
The cipher suites for ATS are defined in a param called CONFIG
proxy.config.ssl.server.cipher_suite . It looks like the defaults are:

  { "config_file": "records.config", "name": "CONFIG
proxy.config.ssl.server.cipher_suite", "value": "STRING
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2"
},


> 2 - What's the proper way to configure this in the different components in
> case we want to move from the defaults?
>
[DN]
For TO I think all you need to do is change the ciphers param on the
connection string.
For TR you will need to add a ciphers configuration to the server.xml. More
information here: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
For ATS all you should need to do is update the param I listed above.


> Thanks!
>
> --
> *Shmulik Asafi*
>

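Added example (editor's note, not part of the thread and not Traffic Control code): both the TO `ciphers=` parameter and the ATS `proxy.config.ssl.server.cipher_suite` record take an OpenSSL-style cipher list, so a small audit script can be run over whichever string you are about to deploy. The script below tokenizes such a list, flags suites that use RC4, MD5, 3DES, DES, export key sizes or NULL, lists the suites that give no forward secrecy (no ECDHE/DHE key exchange), and flags a token in which `!` appears mid-entry, which in OpenSSL syntax is only valid as the first character of a `:`-separated entry (the quoted ATS default contains `DES-CBC3-SHA!SRP`). `harden()` rebuilds the list without the flagged suites and appends the usual exclusions. The weak-marker table, the "contains a dash, so it is a concrete suite rather than a keyword" heuristic and the `REQUIRED_EXCLUSIONS` set are my own assumptions; keywords such as `HIGH` are reported but cannot be expanded offline, so the authoritative expansion on a given host is still `openssl ciphers -v '<string>'`. For TR, the Tomcat 8.5 `ciphers` attribute accepts either JSSE names or this same OpenSSL syntax.

```python
"""Audit an OpenSSL-style cipher list string (format used by the Traffic Ops
cdn.conf ciphers= parameter and the ATS proxy.config.ssl.server.cipher_suite
record). Added example, not Traffic Control code."""
import re

# The ATS default quoted in the message above, verbatim (including the
# DES-CBC3-SHA!SRP token).
ATS_DEFAULT = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
               "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
               "AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:"
               "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:"
               "AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:"
               "!eNULL:!SSLv2")

# Substrings that mark an entry as something to drop (assumed list, mine).
WEAK_MARKERS = (
    ("RC4", "RC4 stream cipher, prohibited by RFC 7465"),
    ("MD5", "MD5-based MAC"),
    ("DES-CBC3", "3DES, 64-bit block (Sweet32)"),
    ("DES-CBC-", "single DES"),
    ("EXP", "export-grade key size"),
    ("NULL", "no encryption or no authentication"),
)
# Key-exchange prefixes that give forward secrecy with RSA/ECDSA certificates.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# Exclusions harden() appends when they are not already present (assumed set).
REQUIRED_EXCLUSIONS = ("!RC4", "!MD5", "!3DES", "!aNULL", "!eNULL")


def tokenize(cipher_string):
    """Split on OpenSSL's separators (':', ',', whitespace).
    A '!' that is not the first character of an entry almost always means a
    missing ':'; the entry is recorded as malformed and split at the '!'."""
    tokens, malformed = [], []
    for tok in re.split(r"[:,\s]+", cipher_string.strip()):
        if not tok:
            continue
        prefix, body = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        if "!" in body:
            malformed.append(tok)
            head, *rest = body.split("!")
            if head:
                tokens.append(prefix + head)
            tokens.extend("!" + r for r in rest if r)
        else:
            tokens.append(tok)
    return tokens, malformed


def audit(cipher_string):
    """Return a report dict: malformed entries, weak entries with reasons,
    suites without forward secrecy, bare keywords, and exclusion rules."""
    tokens, malformed = tokenize(cipher_string)
    report = {"malformed": malformed, "weak": [], "no_forward_secrecy": [],
              "keywords": [], "exclusions": []}
    for tok in tokens:
        if tok[0] in "!-":              # '!X' / '-X' remove suites; never a problem
            report["exclusions"].append(tok)
            continue
        name = tok.lstrip("+")
        reasons = [why for marker, why in WEAK_MARKERS if marker in name]
        if reasons:
            report["weak"].append((name, "; ".join(reasons)))
        # Heuristic (assumption): concrete OpenSSL suite names contain '-';
        # TLS 1.3 names start with 'TLS_'; anything else is a keyword such as
        # HIGH or ALL that only `openssl ciphers -v` can expand.
        is_suite = "-" in name or name.startswith("TLS_")
        if not is_suite:
            report["keywords"].append(name)
        elif not (name.startswith(FS_PREFIXES) or name.startswith("TLS_")):
            report["no_forward_secrecy"].append(name)
    return report


def harden(cipher_string, require_forward_secrecy=False):
    """Rebuild the list without weak (and optionally non-FS) suites, keep the
    existing exclusion rules and append the required exclusions."""
    report = audit(cipher_string)
    drop = {name for name, _ in report["weak"]}
    if require_forward_secrecy:
        drop.update(report["no_forward_secrecy"])
    kept = [tok for tok in tokenize(cipher_string)[0]
            if tok[0] in "!-" or tok.lstrip("+") not in drop]
    present = set(kept)
    kept.extend(ex for ex in REQUIRED_EXCLUSIONS if ex not in present)
    return ":".join(kept)


if __name__ == "__main__":
    rep = audit(ATS_DEFAULT)
    for key in ("malformed", "weak", "no_forward_secrecy", "keywords"):
        print(f"{key}: {rep[key]}")
    print("hardened:", harden(ATS_DEFAULT))
    print("hardened, FS only:", harden(ATS_DEFAULT, require_forward_secrecy=True))
```

Run against the quoted ATS default, the audit reports one malformed entry, four weak suites (the three RC4 suites and DES-CBC3-SHA) and seven suites without forward secrecy; the FS-only hardened string keeps just the six ECDHE-RSA suites plus the exclusion rules.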