Ambassador: Allow TLS cipher configuration

Created on 31 Aug 2018  路  12Comments  路  Source: datawire/ambassador

Please describe your use case / problem.
Currently, TLS ciphers used by Ambassador cannot be configured. Even with the envoy_override directive, it looks like only routing configuration can be override, while TLS ciphers belong to Envoy's listener configuration.

Describe the solution you'd like
Configuration alongside the TLS certificate configuration

Describe alternatives you've considered
Another Envoy override

Additional context
While the currently used cipher suite still gives a green rating with the Qualys SSL Labs test, some of the ciphers are marked weak already. Furthermore, it is always possible that a cipher may be broken so that the cipher suite needs to be reconfigured quickly.

Most helpful comment

The situation has improved a bit (TLS version can be specified since version 0.61.0, also providing an indirect lever for set of cipher suites), but cipher suites themselves are still not configurable. I continue to think this is an important issue.

All 12 comments

it'd also be nice to be able to set TlsParameters as part of this too. For example, to disable TLS1.0.

The initial report suggests envoy_override-like mechanism to achieve TLS cipher configurability. The overrides have been removed with Ambassador 0.50.0, so I'm retracting this proposal. It looks like a solution would require a new approach.

The initial request states that it does not work with envoy_override, so my understanding is that it wasn't a proposal, but a request.

The ability to remove weak cipher suites and older protocols is something we really need

We'd be happy to take a PR on this. If anyone wants to help, please join the #ambassador-dev channel on Slack. I think the work would proceed in several parts:

  1. Determining what syntax would make sense to expose to Ambassador users.
  2. Figuring out the appropriate Envoy configuration parameters, and mapping the Ambassador syntax to Envoy.
  3. Actually updating the Ambassador code generation to do the right thing.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

The situation has improved a bit (TLS version can be specified since version 0.61.0, also providing an indirect lever for set of cipher suites), but cipher suites themselves are still not configurable. I continue to think this is an important issue.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Still important IMHO.

This is important especially if regulatory requirements force you to use or not use certain cipher suites, regardless of what the SSL lib dev consider best practices.

@cypherfox @MaxWinterstein @peterthomassen we'd welcome a PR!

This is already available in 0.78 right?

Yes it is! Thanks for the catch. 馃檪

Was this page helpful?
0 / 5 - 0 ratings

Related issues

cakuros picture cakuros  路  4Comments

vkamra picture vkamra  路  5Comments

klarose picture klarose  路  5Comments

nilanjan-samajdar picture nilanjan-samajdar  路  4Comments

Viacheslav-Akimov picture Viacheslav-Akimov  路  6Comments