Adding support for specifying cipher suits #79
Comments
|
Sure, nice feature. A PR would be really appreciated. :) |
|
i'd like to introduce two new ENV vars:
so in most cases, you just set Question: @rawmind0 @wargamez Should we set the intermediate profile as default or nothing at all? Does somebody know what traefiks default ciphersuite is? |
|
Hello, what are the corresponding Traefik settings to Mozilla Modern please ? What are the default ? (all cipher and no minversion ?). Maybe could be added to documentation too as it is security related. Thanks. |
|
Has any of this been added? Can I now use TRAEFIK_HTTPS_PROFILE=modern ? |
In the same way you have added support for minVersion = "VersionTLS12" by being able to set Environment Variable TRAEFIK_HTTPS_MIN_TLS, it would be great if you could add a TRAEFIK_HTTPS_CIPHERS that would add support for specifying an array of cipher suites like
CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"]
As shown at https://docs.traefik.io/configuration/entrypoints/#specify-minimum-tls-version
A more awesome thing would be to support mozilla recommendations:
https://wiki.mozilla.org/Security/Server_Side_TLS
e.g TRAEFIK_HTTPS_CIPHERS_LEVEL = modern | intermediate| old
The reasoning is that the current defaults is vulnerable to SWEET32 attack, since it includes 3DES ciphers.
Ref: nmap -sV --script ssl-enum-ciphers -p 443 yourhostbehindtraefik.com
Thanks,
/E
The text was updated successfully, but these errors were encountered: