Re: Dropping support for old versions of SSL and TLS in HAProxy and Gorouter

Home Messages Hashtags Subgroups

Shannon Coen #6399 Doesn't sound like there's any issue with our dropping support for old versions of TLS so we will proceed. We'll also be changing the default ciphers in both HAProxy and Gorouter to the following two, deemed most secure by our security team: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Operators may maintain support for additional ciphers using manifest properties router.cipher_suites and ha_proxy.ssl_ciphers. Please let us know if this change poses a problem for you. Thank you, Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc. toggle quoted message Show quoted text On Thu, Feb 2, 2017 at 11:09 AM, Shannon Coen <scoen(a)pivotal.io> wrote: When TLS is enabled on Gorouter (router.enable_ssl: true; false by default), it will currently accept connections using SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2. The HAProxy in cf-release always has TLS enabled and will accept connections using TLSv1.0, TLSv1.1, or TLSv1.2. For security reasons, we would like to drop support in these components for all versions except TLSv1.2. Please let me know if you have a compelling use case for maintaining support for older versions using a manifest property. I recognize this could be an issue if apps on your deployments of CF must continue supporting clients that do not use TLSv1.2. Thank you, Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc. attachment.html
More All Messages By This Member

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.