PR for doc ticket Enforce TLS versions #7277 #7306
Conversation
lizayugabyte
changed the title
docs/content/latest/yugabyte-platform/security/enable-encryption-in-transit.md
Outdated
Show resolved
Hide resolved
docs/content/latest/yugabyte-platform/security/enable-encryption-in-transit.md
Outdated
Show resolved
Hide resolved
| 5. Optionally, set the TLS version for Nginx frontend by using `ssl_protocols` operational directive in the Helm installation, as follows: | ||
|
|
||
| ```sh | ||
| helm install yw-test yugabytedb/yugaware --version 2.3.3 -n yb-platform --wait --set tls.sslProtocols="TLSv1.2 TLSv1.3" |
There was a problem hiding this comment.
for nginx, TLS1.3 is supported.
Please add two more parameters to nginx part.
ssl_protocols TLSv1.2 TLSv1.3; # Tell client which ciphers are available
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; # this is customized and vary from customers security requirement. Some customers don't like 3DES.
There was a problem hiding this comment.
@chirag-yb @ssung-yugabyte Chirag, please confirm that you are okay with the changes that Stanley suggested
There was a problem hiding this comment.
@ssung-yugabyte since we don't support TLS v1.3 in the entire product I recommend not mentioning it anywhere. I would imaging enterprises keeping the same version across the entire platform and not assigning different versions to YB Nginx and YB DBs.
There was a problem hiding this comment.
@iSignal do we support setting ciphers from our helm charts?
There was a problem hiding this comment.
@chirag-yb Would you like me to merge now? Or wait for answer?
There was a problem hiding this comment.
@lizayugabyte Please merge it for now.
* Updated YB Platform files * Deleted refs to TLS 1.3
|
|
||
| ``` | ||
| ssl_protocols = tlsv12 |
There was a problem hiding this comment.
oops, this should have been ssl_protocols = tls12
PR for doc ticket Enforce TLS versions #7277