>
> Do you happen to know if these cipher settings correspond to any kind of
> security standard (e.g. OWASP recommendations
> <https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#SSL_vs._TLS>
>  or
> the like)?
>

Not on purpose :)

On Thu, Aug 10, 2017 at 12:53 AM, Shmulik Asafi <shmul...@qwilt.com> wrote:

> Thanks Dave!
>
> Seems like a complete answer, didn't test it yet :)
>
> Do you happen to know if these cipher settings correspond to any kind of
> security standard (e.g. OWASP recommendations
> <https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#SSL_vs._TLS>
>  or
> the like)?
>
> Thanks again!
>
>
>
> On Tue, Aug 8, 2017 at 4:43 PM, Dave Neuman <neu...@apache.org> wrote:
>
>> Hey Shmulik,
>> I put my responses inline. Hopefully someone will correct me if I got
>> something wrong.
>> Let me know if you have more questions.
>> Thanks,
>> Dave
>>
>> On Tue, Aug 8, 2017 at 12:26 AM, Shmulik Asafi <shmul...@qwilt.com>
>> wrote:
>>
>> Hello,
>>>
>>> We're working on tightening our SSL cipher suites for TC installation
>>> and I have two broad questions in this regard:
>>>
>>> 1 - What are the recommendations on enabled TLS protocols and cipher
>>> suites for the control plane components (e.g. Traffic Ops) and for the data
>>> plane components (i.e. Traffic Router and caches)? I assume the data plane
>>> must be looser to handle older clients, but would really appreciate actual
>>> practices you have in the field for TC. Also, does the default meet those
>>> recommendations?
>>>
>> [DN] The cipher suites for TO are defined in the connection string the
>> cdn.conf file. It looks like the default is
>> ciphers=AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED
>> We use the default Java cipher suites for TR. You can find that list
>> here: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
>> The cipher suites for ATS are defined in a param called CONFIG
>> proxy.config.ssl.server.cipher_suite . It looks like the default is:
>>
>>   { "config_file": "records.config", "name": "CONFIG proxy.config.ssl.server.cipher_suite", "value": "STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2" },
>>
>>
>>> 2 - What's the proper way to configure this in the different components
>>> in case we want to move from the defaults?
>>>
>> [DN]
>> For TO I think all you need to do is change the ciphers param on the
>> connection string.
>> For TR you will need to add a ciphers configuration to the server.xml.
>> More information here: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>> For ATS all you should need to do is update the param I listed above.
>>
>>
>>> Thanks!
>>>
>>> --
>>> *Shmulik Asafi*
>>>
>>
>
>
>
> --
> *Shmulik Asafi*
> Qwilt | Work: +972-72-2221692 | Mobile: +972-54-6581595 | shmul...@qwilt.com
>

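The two cipher strings quoted in this thread (the Traffic Ops cdn.conf ciphers value and the ATS proxy.config.ssl.server.cipher_suite value) are OpenSSL-style rule lists, and the thread itself does not spell out what each one leaves enabled. The following is an added example, not code from Traffic Control, Traffic Ops or ATS and not written by anyone in this thread: a small Python lint that walks such a list in order, honours the '!' (permanent kill) and '-' (remove) modifiers, and reports which explicitly named suites still carry RC4, MD5, 3DES or NULL components, plus any token that is not a single well-formed rule. The legacy-component table, the function names, and the decision to report the DES-CBC3-SHA!SRP token as malformed (a '!' inside a name, as the string is reproduced in this thread) are my own assumptions, not anything OpenSSL or ATS documents.

```python
"""Lint an OpenSSL-style cipher string for legacy components.

Added example, not code from the Traffic Control project. It walks the
colon-separated rules in order, applies the '!' (permanent kill) and '-'
(remove) modifiers, and reports which explicitly named suites still
carry RC4, MD5, 3DES or NULL components, plus any malformed token.
"""
import re

# Sample inputs, copied from the two cipher strings quoted in this thread.
TO_DEFAULT = "AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED"
ATS_DEFAULT = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:"
    "AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:"
    "DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2"
)

# Assumed table: substrings of suite names/keywords that mark a legacy part.
LEGACY = {
    "RC4": "RC4 stream cipher",
    "MD5": "MD5-based MAC",
    "DES-CBC3": "3DES, 64-bit block",
    "aNULL": "anonymous key exchange",
    "eNULL": "no encryption",
}

# One rule: optional modifier, a name or @keyword, optionally joined with '+'.
# A '!' anywhere else in the token (e.g. "DES-CBC3-SHA!SRP") fails this match.
RULE = re.compile(r"^[!+-]?@?[A-Za-z0-9][A-Za-z0-9._=-]*(\+[A-Za-z0-9._-]+)*$")


def legacy_parts(rule):
    """Return the LEGACY keys named in one rule, modifier stripped."""
    name = rule.lstrip("!+-")
    return [key for key in LEGACY if key in name]


def lint(cipher_string):
    """Return {'enabled', 'killed', 'malformed'} for an OpenSSL cipher string.

    'enabled' lists (rule, reason) pairs for explicitly named suites that
    survive the modifiers; aliases such as HIGH are not expanded here.
    """
    rules = [r for r in re.split(r"[:,\s]+", cipher_string.strip()) if r]
    malformed = [r for r in rules if not RULE.match(r)]
    killed = set()   # legacy keys removed for good by a '!' rule
    enabled = []     # (rule, reason) still active, in list order
    for rule in rules:
        parts = set(legacy_parts(rule))
        if rule.startswith("!"):
            # '!' drops matching suites already listed and forbids re-adding them.
            killed |= parts
            enabled = [e for e in enabled if not set(legacy_parts(e[0])) & parts]
        elif rule.startswith("-"):
            # '-' drops current matches, but a later positive rule may re-add them.
            enabled = [e for e in enabled if not set(legacy_parts(e[0])) & parts]
        elif rule.startswith("+"):
            continue     # '+' only reorders; nothing new becomes enabled
        else:
            if killed & parts:
                continue  # the whole suite was killed by an earlier '!'
            enabled.extend((rule, LEGACY[key]) for key in legacy_parts(rule))
    return {"enabled": enabled, "killed": sorted(killed), "malformed": malformed}


if __name__ == "__main__":
    for label, value in (("TO", TO_DEFAULT), ("ATS", ATS_DEFAULT)):
        result = lint(value)
        print(label, "legacy suites still enabled:", result["enabled"])
        print(label, "killed components:", result["killed"])
        print(label, "malformed tokens:", result["malformed"])
```

The lint inspects explicit suite names only: aliases such as HIGH or DEFAULT pass through untouched, so to see what an alias expands to on a particular OpenSSL build, run openssl ciphers -v '<string>' on that host. Against ATS_DEFAULT it reports ECDHE-RSA-RC4-SHA, RC4-SHA, RC4-MD5 and DES-CBC3-SHA!SRP as still enabled and the last of those as malformed; appending :!RC4 to the string removes the three RC4 entries, which is the mechanism the TO default already relies on with its trailing !RC4:!MD5.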