Re: Dropping support for old versions of SSL and TLS in HAProxy and Gorouter


Shannon Coen
 

Doesn't sound like there's any issue with our dropping support for old
versions of TLS so we will proceed.

We'll also be changing the default ciphers in both HAProxy and Gorouter to
the following two, deemed most secure by our security team:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Operators may maintain support for additional ciphers using manifest
properties router.cipher_suites and ha_proxy.ssl_ciphers.

Please let us know if this change poses a problem for you.

Thank you,

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Thu, Feb 2, 2017 at 11:09 AM, Shannon Coen <scoen(a)pivotal.io> wrote:

When TLS is enabled on Gorouter (router.enable_ssl: true; false by
default), it will currently accept connections using SSLv3, TLSv1.0,
TLSv1.1, or TLSv1.2.

The HAProxy in cf-release always has TLS enabled and will accept
connections using TLSv1.0, TLSv1.1, or TLSv1.2.

For security reasons, we would like to drop support in these components
for all versions except TLSv1.2. Please let me know if you have a
compelling use case for maintaining support for older versions using a
manifest property. I recognize this could be an issue if apps on your
deployments of CF must continue supporting clients that do not use TLSv1.2.

Thank you,

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.