Recommended Traefik TLS ciphers

Time: 2018-09-01 14:20:24

Tags: ssl encryption tls1.2 traefik

I'm looking for the recommended SSL/TLS configuration for Traefik. I set minVersion = "VersionTLS12" to avoid the weaker earlier versions and found the supported ciphers in Go. Cross-checking against the suggestions from {{3}} gave the following order (the order matters):

cipherSuites = [
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
]

[Update] Later cross-checked with Mozilla's SSLLabs, removed SHA-1 and used the suggested order:

cipherSuites = [
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
]

Does this make sense? I want to avoid weak ciphers, but for compatibility's sake use as many strong ciphers as possible.

TIA

3 answers:

Answer 0 (score: 2)

Edit: As described in the issue linked below, the config generator has been fixed.

I found this question while researching cipher suites for Traefik. So, for future reference, and for anyone who tried the generator but ran into problems:

I found Mozilla's ssl-config page, which Rui Martins also mentioned. It works fine except for the last four entries.

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Traefik does not recognize these as valid cipher suites.
I checked the Go documentation and found that those cipher suites are not mentioned there either. However, fairly close alternatives are listed: https://godoc.org/crypto/tls#pkg-constants

So I replaced the values as follows:

+-----------------------------------------------+----------------------------------------+
| Old Value                                     | New Value                              |
+-----------------------------------------------+----------------------------------------+
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 |
+-----------------------------------------------+----------------------------------------+
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305   |
+-----------------------------------------------+----------------------------------------+
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384           | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  |
+-----------------------------------------------+----------------------------------------+
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256           | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  |
+-----------------------------------------------+----------------------------------------+

Note that the first two entries have _SHA256 removed and the last two have EC added.

This works fine but doesn't address the core problem. Since I don't have much knowledge of or experience with cipher suites, I filed a bug report with Mozilla about their ssl-config generation for Traefik. (https://github.com/mozilla/ssl-config-generator/issues/52)
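The name mismatch in this answer (and the Go constant list the question links to) can be checked mechanically. The following Go program is an added example, not code from the question, any answer, Traefik or Mozilla: it resolves each entry of a Traefik cipherSuites list against Go's crypto/tls, the way a Go-based proxy must, reporting names Go does not implement at all (the TLS_DHE_* suites) and accepting the older CHACHA20 spellings as aliases of the canonical _SHA256 names. The aliases table and the SuiteStatus type are this example's own assumptions; tls.CipherSuites, tls.InsecureCipherSuites and tls.CipherSuiteName require Go 1.14 or later.

```go
package main
import (
	"crypto/tls"
	"fmt"
)
// Older spellings (as in Traefik 1.7 configs) of the two suites that Go >= 1.14 reports
// under the canonical "_SHA256" names. Assumed alias table for this example, not Traefik's.
var aliases = map[string]uint16{
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
}
// SuiteStatus is the verdict for one entry of a Traefik cipherSuites list.
type SuiteStatus struct {
	Name      string
	ID        uint16 // IANA id; 0 when Go implements no such suite
	Supported bool   // resolves to a suite crypto/tls knows
	Insecure  bool   // listed by tls.InsecureCipherSuites()
}
// CheckCipherSuites resolves each configured name against crypto/tls.
func CheckCipherSuites(names []string) []SuiteStatus {
	byName := map[string]SuiteStatus{}
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = SuiteStatus{Name: cs.Name, ID: cs.ID, Supported: true}
	}
	for _, cs := range tls.InsecureCipherSuites() {
		byName[cs.Name] = SuiteStatus{Name: cs.Name, ID: cs.ID, Supported: true, Insecure: true}
	}
	for alias, id := range aliases { // old name gets the same verdict as the canonical entry
		st := byName[tls.CipherSuiteName(id)]
		st.Name = alias
		byName[alias] = st
	}
	out := make([]SuiteStatus, 0, len(names))
	for _, n := range names {
		st, ok := byName[n]
		if !ok { // e.g. TLS_DHE_*: crypto/tls has never implemented DHE suites
			st = SuiteStatus{Name: n}
		}
		out = append(out, st)
	}
	return out
}

func main() { // constructed sample: the four generator entries Traefik rejected
	for _, st := range CheckCipherSuites([]string{
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"}) {
		fmt.Printf("%-46s id=0x%04X supported=%v insecure=%v\n", st.Name, st.ID, st.Supported, st.Insecure)
	}
}
```

Running it on the question's [Update] list also shows which CBC suites the current Go toolchain classes as insecure, which is worth knowing before copying an older generator output.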

Answer 1 (score: 1)

Looks good. I'm running the same config as in the update, and according to the SSL Labs test everything looks secure and compatible.

Answer 2 (score: 0)

You can use this page to generate your traefik config: https://ssl-config.mozilla.org/#server=traefik&server-version=1.7.12&config=intermediate

# generated 2019-07-17, https://ssl-config.mozilla.org/#server=traefik&server-version=1.7.12&config=intermediate
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"

  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      minVersion = "VersionTLS12"
      cipherSuites = [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
      ]

      [[entryPoints.https.tls.certificates]]
      certFile = "/path/to/signed_cert_plus_intermediates"
      keyFile = "/path/to/private_key"