Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Recommended TLS Ciphers for Traefik

Tags:

ssl

encryption

tls1.2

traefik

I'm looking for a recommended configuration for SSL/TLS in Traefik. I have set minVersion = "VersionTLS12" to avoid the weaker older versions and found the supported ciphers in Go. Cross-checking that with the recommendations from SSLLabs I came up with the following sequence (order matters):

cipherSuites = [
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
]

[Update] Later cross-checked with Mozilla's SSL Config Generator, dropping the SHA-1 ones and using the suggested order:

cipherSuites = [
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
]

Does that make sense? I want to avoid weak ciphers, but include as many strong ciphers as possible for compatibility.

like image 939
Christof Marti Avatar asked Sep 01 '18 14:09

Christof Marti

People also ask

What TLS ciphers should I use?

Currently, the most secure and most recommended combination of these four is: Elliptic Curve Diffie–Hellman (ECDH), Elliptic Curve Digital Signature Algorithm (ECDSA), AES 256 in Galois Counter Mode (AES256-GCM), and SHA384.

Which TLS ciphers are weak?

Ultimately, it is recommended to configure the server to only support strong ciphers and to use sufficiently large public key sizes. Your organization should avoid TLS versions 1.1 and below and RC4 encryption, as there have been multiple vulnerabilities discovered that render it insecure.

What is Traefik default cert?

Default CertificateTraefik can use a default certificate for connections without a SNI, or without a matching domain. This default certificate should be defined in a TLS store: File (YAML) # Dynamic configuration tls: stores: default: defaultCertificate: certFile: path/to/cert.crt keyFile: path/to/cert.key.

1 Answers

You can use this page to generate your traefik config: https://ssl-config.mozilla.org/#server=traefik&server-version=1.7.12&config=intermediate

# generated 2019-07-17, https://ssl-config.mozilla.org/#server=traefik&server-version=1.7.12&config=intermediate
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"

  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      minVersion = "VersionTLS12"
      cipherSuites = [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
      ]

      [[entryPoints.https.tls.certificates]]
      certFile = "/path/to/signed_cert_plus_intermediates"
      keyFile = "/path/to/private_key"
like image 148
Rui Martins Avatar answered Sep 28 '22 10:09

Rui Martins
Sign in to Comment

Related questions

What is the best practice for auto switching from HTTP to HTTPS
Invalid keystore format with SSL in Tomcat 6
FtpWebRequest "The remote certificate is invalid according to the validation procedure"
Disabling SSL Certificate Validation for Active Directory server using spring-ldap 1.3.1
RabbitMQ: handshake error when attempting to use SSL certificates
Could not create SSL/TLS secure channel for Facebook
node.js - how to check/get ssl certificate expiry date
InsecureRequestWarning + pytest
What happens if I have expired additional certificate in the chain with alternate trust path?
SSL Socket connect timeout
"550 SSL/TLS required on the data channel" using Apache Commons FTPSClient
Remove SSL integration from a specific folder using htaccess
Is there a way to check if the SSL digital certificate is valid without installing on the web server?
Etags and last-modified over https SSL?
Nginx redirect http://www and naked http/https to https://www
what is my openssl and ssl Default CA Certs Path?
Keep getting No X509TrustManager implementation available error when trying to connect to web socket server
Disabling TLSv1.0 in java8
Connecting to FTPS (FTP over SSL) with FluentFTP
Trusted Root Certificates in DotNet Core on Linux (RHEL 7.1)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!