Thanks Dave!

Seems like a complete answer, didn't test it yet :)

Do you happen to know if these cipher settings correspond to any kind of
security standard (e.g. OWASP recommendations
<https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#SSL_vs._TLS>
or
the like)?

Thanks again!



On Tue, Aug 8, 2017 at 4:43 PM, Dave Neuman <neu...@apache.org> wrote:

> Hey Shmulik,
> I put my responses inline. Hopefully someone will correct me if I got
> something wrong.
> Let me know if you have more questions.
> Thanks,
> Dave
>
> On Tue, Aug 8, 2017 at 12:26 AM, Shmulik Asafi <shmul...@qwilt.com> wrote:
>
> Hello,
>>
>> We're working on tightening our SSL cipher suites for TC installation and
>> I have two broad questions in this regard:
>>
>> 1 - What are the recommendations on enabled TLS protocols and cipher
>> suites for the control plane components (e.g. Traffic Ops) and for the data
>> plane components (i.e. Traffic Router and caches)? I assume the data plane
>> must be looser to handle older clients, but would really appreciate actual
>> practices you have in the field for TC. Also, does the default meet those
>> recommendations?
>>
> [DN] The cipher suites for TO are defined in the connection string the
> cdn.conf file. It looks like the default is ciphers=AES128-GCM-SHA256:
> HIGH:!RC4:!MD5:!aNULL:!EDH:!ED
> We use the default Java cipher suites for TR. You can find that list here:
> https://docs.oracle.com/javase/8/docs/technotes/
> guides/security/SunProviders.html
> The cipher suites for ATS are defined in a param called CONFIG
> proxy.config.ssl.server.cipher_suite . It looks like the default are:
>
>   { "config_file": "records.config", "name": "CONFIG
> proxy.config.ssl.server.cipher_suite", "value": "STRING
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
> ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-
> SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-
> AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-
> SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2" },
>
>
>> 2 - What's the proper way to configure this in the different components
>> in case we want to move from the defaults?
>>
> [DN]
> For TO I think all you need to do is change the ciphers param on the
> connection string.
> For TR you will need to add a ciphers configuration to the server.xml.
> More information here: https://tomcat.apache.org/
> tomcat-8.5-doc/config/http.html
> For ATS all you should need to do is update the param I listed above.
>
>
>> Thanks!
>>
>> --
>> *Shmulik Asafi*
>>
>> ‚Äč
>



-- 
*Shmulik Asafi*
Qwilt | Work: +972-72-2221692| Mobile: +972-54-6581595| shmul...@qwilt.com
<y...@qwilt.com>

Reply via email to