Dropping support for old versions of SSL and TLS in HAProxy and Gorouter
Shannon Coen
When TLS is enabled on Gorouter (router.enable_ssl: true; false by default), it will currently accept connections using SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2. The HAProxy in cf-release always has TLS enabled and will accept connections using TLSv1.0, TLSv1.1, or TLSv1.2.

For security reasons, we would like to drop support in these components for all versions except TLSv1.2. Please let me know if you have a compelling use case for maintaining support for older versions using a manifest property. I recognize this could be an issue if apps on your deployments of CF must continue supporting clients that do not use TLSv1.2.

Thank you,
Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.
Shannon Coen
Doesn't sound like there's any issue with our dropping support for old versions of TLS, so we will proceed.

We'll also be changing the default ciphers in both HAProxy and Gorouter to the following two, deemed most secure by our security team:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Operators may maintain support for additional ciphers using manifest properties router.cipher_suites and ha_proxy.ssl_ciphers. Please let us know if this change poses a problem for you.

Thank you,
Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Thu, Feb 2, 2017 at 11:09 AM, Shannon Coen <scoen(a)pivotal.io> wrote:
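The profile announced in the thread (TLS 1.2 only, and only the two ECDHE-RSA AES-GCM suites) can be checked end to end with a loopback TLS server. The program below is an added example written for this page; it is not Gorouter or cf-release code, and the names `hardenedServerConfig`, `tryHandshake` and `runScenarios` are ours. It builds a throwaway self-signed RSA certificate (the ECDHE_RSA suites need an RSA server key), starts a listener with the hardened settings, and then connects three constructed clients: one that only speaks TLS 1.0/1.1, one that speaks TLS 1.2 but offers only an RSA-key-exchange CBC suite, and one modern client. The first two must be refused, the third must land on one of the two allowed suites.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The two suites named in the announcement. Go's constants use the same IANA names.
var allowedSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// selfSignedRSACert builds a throwaway certificate for 127.0.0.1 so the example
// runs offline. ECDHE_RSA suites require an RSA server key.
func selfSignedRSACert() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-router"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// hardenedServerConfig reproduces the announced defaults in Go's crypto/tls:
// no SSLv3/TLS 1.0/TLS 1.1, and nothing but the two GCM suites. MaxVersion is
// pinned to 1.2 because the 2017 components spoke nothing newer.
func hardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: allowedSuites,
	}
}

// tryHandshake serves one connection with srvCfg, dials it with cliCfg and
// reports whether the handshake completed and which suite was negotiated.
func tryHandshake(srvCfg, cliCfg *tls.Config) (ok bool, suite uint16, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return false, 0, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		c.(*tls.Conn).Handshake() // any failure is reported to the client as an alert
		c.Close()
	}()
	cliCfg.InsecureSkipVerify = true // self-signed test cert only; never in production
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return false, 0, err
	}
	defer conn.Close()
	return true, conn.ConnectionState().CipherSuite, nil
}

// runScenarios returns, per constructed client, whether the hardened server accepted it.
func runScenarios() (map[string]bool, error) {
	cert, err := selfSignedRSACert()
	if err != nil {
		return nil, err
	}
	srv := hardenedServerConfig(cert)
	res := map[string]bool{}

	// 1. Legacy client able to speak only TLS 1.0/1.1: refused (protocol_version alert).
	ok, _, _ := tryHandshake(srv, &tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11})
	res["tls11_client"] = ok

	// 2. TLS 1.2 client offering only RSA key exchange with AES-CBC: refused (no common suite).
	ok, _, _ = tryHandshake(srv, &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}})
	res["rsa_cbc_client"] = ok

	// 3. Modern client with default suites: accepted on one of the two allowed GCM suites.
	ok, suite, _ := tryHandshake(srv, &tls.Config{MinVersion: tls.VersionTLS12})
	res["modern_client"] = ok && (suite == allowedSuites[0] || suite == allowedSuites[1])
	return res, nil
}

func main() {
	res, err := runScenarios()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	for _, k := range []string{"tls11_client", "rsa_cbc_client", "modern_client"} {
		fmt.Printf("%-15s accepted=%v\n", k, res[k])
	}
}
```

On a real deployment the equivalent knobs are the manifest properties named in the thread, router.cipher_suites and ha_proxy.ssl_ciphers; note that HAProxy's ssl_ciphers takes OpenSSL cipher-string names (ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384) rather than the IANA names used above and in Gorouter.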