
Adding support for specifying cipher suites

Open wargamez opened this issue 7 years ago • 5 comments

In the same way you have added support for minVersion = "VersionTLS12" by being able to set Environment Variable TRAEFIK_HTTPS_MIN_TLS, it would be great if you could add a TRAEFIK_HTTPS_CIPHERS that would add support for specifying an array of cipher suites like CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"]

As shown at https://docs.traefik.io/configuration/entrypoints/#specify-minimum-tls-version. A more awesome thing would be to support the Mozilla recommendations: https://wiki.mozilla.org/Security/Server_Side_TLS, e.g. TRAEFIK_HTTPS_CIPHERS_LEVEL = modern | intermediate | old

The reasoning is that the current defaults are vulnerable to the SWEET32 attack, since they include 3DES ciphers.

Ref: nmap -sV --script ssl-enum-ciphers -p 443 yourhostbehindtraefik.com

Thanks, /E

wargamez avatar Feb 13 '18 23:02 wargamez

Sure, nice feature. A PR would be really appreciated. :)

rawmind0 avatar Feb 28 '18 10:02 rawmind0

@rawmind0 @wargamez I'll have a look into this.

justb81 avatar Feb 28 '18 13:02 justb81

I'd like to introduce two new ENV vars:

  • TRAEFIK_HTTPS_PROFILE = modern|intermediate|old, which sets ciphers and min TLS according to the Mozilla recommendations
  • TRAEFIK_HTTPS_CIPHERS = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, …, which overrides the profile setting the same way TRAEFIK_HTTPS_MIN_TLS does

so in most cases, you just set TRAEFIK_HTTPS_PROFILE=modern.

Question: @rawmind0 @wargamez Should we set the intermediate profile as default or nothing at all? Does somebody know what Traefik's default cipher suite is?

justb81 avatar Feb 28 '18 15:02 justb81
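The env-var-to-config mapping requested in the opening post and proposed by justb81 above, as an added example in POSIX sh; this is not code from the alpine-traefik image or from Traefik. It assumes the proposed names TRAEFIK_HTTPS_PROFILE and TRAEFIK_HTTPS_CIPHERS next to the existing TRAEFIK_HTTPS_MIN_TLS, takes the cipher list quoted in the opening post as the "modern" set, uses placeholder lists and minimum versions for "intermediate" and "old" (assumptions, not Mozilla's exact lists), and writes the key names used in the linked Traefik v1 entrypoint docs. Explicit TRAEFIK_HTTPS_CIPHERS / TRAEFIK_HTTPS_MIN_TLS override the profile, and any 3DES suite is refused, which is the SWEET32 point that motivates the issue.

```shell
#!/bin/sh
# Constructed example: render a Traefik v1 [entryPoints.https.tls] block from
# environment variables. TRAEFIK_HTTPS_PROFILE and TRAEFIK_HTTPS_CIPHERS are
# the names proposed in this thread (assumed); TRAEFIK_HTTPS_MIN_TLS exists.

# Cipher suites per profile, comma separated, using Go crypto/tls names.
# "modern" is the list quoted in the issue; "intermediate" and "old" are
# placeholder sets (assumption). None of them contains a 3DES suite.
profile_ciphers() {
  case "$1" in
    modern)
      echo "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" ;;
    intermediate)
      echo "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" ;;
    old)
      echo "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" ;;
    "") return 0 ;;                       # no profile: emit nothing
    *) echo "unknown TRAEFIK_HTTPS_PROFILE: $1" >&2; return 1 ;;
  esac
}

# Minimum TLS version per profile (assumption for intermediate/old).
profile_min_tls() {
  case "$1" in
    modern) echo "VersionTLS12" ;;
    intermediate|old) echo "VersionTLS10" ;;
    "") return 0 ;;
    *) echo "unknown TRAEFIK_HTTPS_PROFILE: $1" >&2; return 1 ;;
  esac
}

# Print the TOML block on stdout. Returns non-zero on an unknown profile or
# when the resulting list contains a 3DES suite (SWEET32).
render_tls_section() {
  profile="${TRAEFIK_HTTPS_PROFILE:-}"
  if [ -n "${TRAEFIK_HTTPS_CIPHERS:-}" ]; then
    ciphers="$TRAEFIK_HTTPS_CIPHERS"      # explicit list overrides the profile
  else
    ciphers="$(profile_ciphers "$profile")" || return 1
  fi
  if [ -n "${TRAEFIK_HTTPS_MIN_TLS:-}" ]; then
    min="$TRAEFIK_HTTPS_MIN_TLS"          # explicit version overrides the profile
  else
    min="$(profile_min_tls "$profile")" || return 1
  fi
  if [ -z "$ciphers" ] && [ -z "$min" ]; then
    return 0                              # nothing requested: keep Traefik's defaults
  fi
  case "$ciphers" in
    *3DES*) echo "refusing 3DES cipher suite (SWEET32): $ciphers" >&2; return 1 ;;
  esac
  printf '    [entryPoints.https.tls]\n'
  if [ -n "$min" ]; then
    printf '    minVersion = "%s"\n' "$min"
  fi
  if [ -n "$ciphers" ]; then
    # turn a,b,c into "a","b","c" for the TOML array
    printf '    cipherSuites = ["%s"]\n' "$(printf '%s' "$ciphers" | sed 's/,/","/g')"
  fi
}

# usage from an entrypoint script:
#   . ./tls-section.sh
#   TRAEFIK_HTTPS_PROFILE=modern render_tls_section >> /opt/traefik/traefik.toml
```

The 3DES check runs on the final list, so it also catches a hand-written TRAEFIK_HTTPS_CIPHERS that reintroduces a suite the profile left out; with no variables set the function prints nothing, so an image built this way keeps Traefik's built-in defaults unless an operator opts in.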

Hello, what are the corresponding Traefik settings to Mozilla Modern, please? Are the ones specified here corresponding to the modern profile? https://docs.traefik.io/configuration/entrypoints/#specify-minimum-tls-version If yes, it should be added to the documentation.

What are the defaults? (All ciphers and no minVersion?) Maybe this could be added to the documentation too, as it is security related.

Thanks.

Yivan avatar Mar 21 '18 13:03 Yivan

Has any of this been added? Can I now use TRAEFIK_HTTPS_PROFILE=modern?

wargamez avatar Aug 09 '18 13:08 wargamez