In certain scenarios, you may want to statically configure the list of TLS cipher suites used by the LiveAssurance server in order to restrict it to specific suites: for example, to exclude medium-strength cipher suites and allow only a predefined set of strong ones. Explicitly defining the allowed cipher suites (together with the minimum TLS version) tightens the server's TLS configuration and helps meet compliance requirements.
- Create a tls.yaml configuration file containing the list of allowed cipher suites in the /usr/share/indeni-services/traefik/etc/ directory, as shown in the following example.

      tls:
        certificates:
          - certFile: "/path/to/my.cert"
            keyFile: "/path/to/my.key"
        options:
          default:
            # These values apply if no TLS options are defined at the service level.
            minVersion: VersionTLS12
            cipherSuites:
              - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
              - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
              - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

  The configuration is hot-reloaded without needing a restart of any services. Two caveats: Traefik documents the minimum-version values as VersionTLS10 through VersionTLS13 (use that spelling, not "TLS1.2"), and the cipherSuites list only governs TLS 1.2 and earlier. Go, and therefore Traefik, does not allow the TLS 1.3 cipher suites to be restricted, so all three TLS 1.3 suites remain enabled regardless of this list.
- Verify that only the specified cipher suites are active.

  The following example uses nmap to scan your server for the configured cipher suites (replace bcia-server-ip-address with the address of your server):

      nmap --script ssl-enum-ciphers -p 443 bcia-server-ip-address

  The following is a sample output, where the ssl-enum-ciphers section lists the offered TLS versions and cipher suites. A correct result has no SSLv3, TLSv1.0 or TLSv1.1 section, the TLSv1.2 list contains exactly the suites from tls.yaml, and the TLSv1.3 list shows the three suites that Go supports, which cannot be restricted:

      PORT    STATE SERVICE
      443/tcp open  https
      | ssl-enum-ciphers:
      |   TLSv1.2:
      |     ciphers:
      |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
      |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
      |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
      |     compressors:
      |       NULL
      |     cipher preference: client
      |   TLSv1.3:
      |     ciphers:
      |       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
      |       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
      |       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
      |     cipher preference: server
      |_ least strength: A
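Eyeballing the scan is error-prone, especially when the check is repeated after every upgrade. The following script is an added example, not part of the original page or of the LiveAssurance product: it parses ssl-enum-ciphers output, compares the offered TLS 1.2 suites against the same allowlist that is in tls.yaml, and fails on any legacy protocol or unlisted suite. It assumes the nmap 7.x output layout shown above; the host passed to check_host is a placeholder, and SAMPLE_GOOD and SAMPLE_BAD are constructed inputs (the second models a server where tls.yaml was not applied).

```shell
#!/bin/sh
# Added example (not from the original page): verify an nmap ssl-enum-ciphers
# scan against the tls.yaml allowlist instead of reading it by eye.
# Assumptions: nmap 7.x output format; the host given to check_host is a
# placeholder; SAMPLE_GOOD / SAMPLE_BAD are constructed inputs.

# Allowed TLS 1.2 suites; keep identical to the cipherSuites list in tls.yaml.
ALLOWED_TLS12="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

# Read ssl-enum-ciphers output on stdin and print "<protocol> <suite>" for every
# offered suite. Protocol headers look like "|   TLSv1.2:", suite lines like
# "|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A".
extract_ciphers() {
  awk '
    /^[|][_ ]+(SSLv[0-9]|TLSv1\.[0-9]):/ { proto = $2; sub(/:$/, "", proto); next }
    /^[|][ ]+TLS_[A-Z0-9_]+/             { print proto, $2 }
  '
}

# Print one line per policy violation; empty output means the scan is compliant.
#  - any protocol other than TLS 1.2 / 1.3 offered at all (minVersion not applied)
#  - any TLS 1.2 suite that is not on the allowlist (cipherSuites not applied)
# TLS 1.3 suites are not checked: Go (and so Traefik) does not let you restrict them.
scan_violations() {
  extract_ciphers | awk -v allowed="$ALLOWED_TLS12" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "TLSv1.2" && $1 != "TLSv1.3" { print "legacy protocol offered: " $1 " (" $2 ")"; next }
    $1 == "TLSv1.2" && !($2 in ok)     { print "unexpected TLS 1.2 suite: " $2 }
  '
}

# Scan a live host (needs nmap on the PATH) and return 1 if the policy is violated.
check_host() {
  host=$1
  scan=$(nmap --script ssl-enum-ciphers -p 443 "$host") || return 2
  found=$(printf '%s\n' "$scan" | scan_violations)
  if [ -n "$found" ]; then
    printf 'FAIL %s\n%s\n' "$host" "$found" >&2
    return 1
  fi
  echo "OK: $host offers only the allowlisted TLS 1.2 suites"
}

# Constructed sample: a compliant server (mirrors the scan output shown above).
SAMPLE_GOOD='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A'

# Constructed sample: tls.yaml not applied (TLS 1.0 and a CBC suite still offered).
SAMPLE_BAD='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|_  least strength: C'

# "sh check_ciphers.sh --demo" runs both samples; call check_host for a real server.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_GOOD" | scan_violations   # prints nothing: compliant
  printf '%s\n' "$SAMPLE_BAD"  | scan_violations   # prints two violations
fi
```

Run it against the server after every change to tls.yaml; a non-empty violation list means the file was not picked up (wrong directory, wrong minVersion spelling) or the scan reached a different listener. The TLS 1.3 section is deliberately left alone, since its suites cannot be changed from tls.yaml.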