
TLS/SSL support changes in Vault 7.4.1.9

UPDATED: October 2, 2017


With this release, TLS and SSL support in the Vault core executables has been tightened in accordance with current suggested best practices for encrypted communications. The changes are:

  1. SSL 2 and SSL 3 are now disabled.

  2. TLS 1.0 and TLS 1.1 are disabled by default but can be controlled with the following settings in the executable's ini file (e2serverd.ini, e2renderd.ini, e2loaderd.ini or e2routerd.ini):

[server1] / [connection1]

sslallowtls1=1 (allow TLS 1.0 if set to 1)

sslallowtls11=1 (allow TLS 1.1 if set to 1)

sslallowtls12=1 (allow TLS 1.2 if set to 1)

  3. The negotiation between the server and the client for a cipher suite now follows the server's preference by default. This can be controlled with the sslpreferserver setting in the executable's ini file (e2serverd.ini, e2renderd.ini, e2loaderd.ini or e2routerd.ini).

Example:

[server1] / [connection1]

sslpreferserver=1

Setting sslpreferserver=0 will cause the client cipher suite to take precedence.

  4. The default list of cipher suites has been tightened to the Mozilla Modern compatibility list (see table below).

See https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

| OpenSSL Cipher Suite Name | RFC/IANA Cipher Suite Name |
|---|---|
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
| ECDHE-RSA-CHACHA20-POLY1305 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| ECDHE-ECDSA-AES256-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| ECDHE-ECDSA-AES128-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| ECDHE-RSA-AES128-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |

  5. The list of available ciphers can now be controlled by explicitly setting a cipher list using the sslcipherlist setting in the executable's ini file (e2serverd.ini, e2renderd.ini, e2loaderd.ini or e2routerd.ini):

sslcipherlist=CIPHER1:CIPHER2:…

For example:

[server1] / [connection1]

sslcipherlist=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384

Note: If TLS 1.0 or TLS 1.1 is enabled, set an empty cipher list with "sslcipherlist=" to use the default list for TLS 1.0 or TLS 1.1.
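
A way to review an ini file against the defaults described above. This is an added example, not code shipped with Vault. It assumes the file parses as standard [section] / key=value text; the audit function and the sample configuration are constructed for illustration.

```python
import configparser

# Default cipher suites listed in the table on this page (OpenSSL names).
MODERN = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
}

def audit(ini_text):
    """Return (section, finding) tuples for settings that weaken the defaults."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(ini_text)
    findings = []
    for name in cfg.sections():
        sec = cfg[name]
        # TLS 1.0 / 1.1 are off unless explicitly set to 1.
        legacy = [label for key, label in (("sslallowtls1", "TLS 1.0"),
                                           ("sslallowtls11", "TLS 1.1"))
                  if sec.get(key, "0").strip() == "1"]
        for label in legacy:
            findings.append((name, f"{label} enabled"))
        # Server preference is the default; 0 hands the choice to the client.
        if sec.get("sslpreferserver", "1").strip() == "0":
            findings.append((name, "client cipher preference takes precedence"))
        ciphers = [c.strip() for c in sec.get("sslcipherlist", "").split(":") if c.strip()]
        for c in ciphers:
            if c not in MODERN:
                findings.append((name, f"cipher outside default list: {c}"))
        # Per the page's note, legacy protocols need an empty sslcipherlist.
        if legacy and ciphers:
            findings.append((name, "legacy TLS enabled with explicit sslcipherlist"))
    return findings

# Constructed sample input, not a real Vault configuration.
SAMPLE = """
[server1]
sslallowtls1=1
sslpreferserver=0
sslcipherlist=ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA

[connection1]
sslallowtls12=1
sslcipherlist=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
"""

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"[{section}] {finding}")
```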
