我正在寻找Traefik中SSL / TLS的推荐配置。我设置了minVersion = "VersionTLS12"来避免使用较弱的较早版本,并找到了supported ciphers in Go。根据{{3}}的建议进行交叉核对,得出了以下顺序(顺序很重要):
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
]
[更新]后来与Mozilla的SSLLabs进行了交叉核对,删除了SHA-1并使用建议的顺序:
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
]
这有意义吗?我想避免使用弱密码,但为了兼容起见,请尽可能多地使用强密码。
TIA
答案 0 :(得分:2)
编辑:如下面链接的问题所述,配置生成器已修复。
我在研究Traefik的密码套件时发现了这个问题。因此,供以后参考,以及尝试过发电机但遇到问题的人们:
我找到了Mozilla的ssl-config页面,Rui Martins也提到了该页面。除最后四个条目外,此方法工作正常。
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Traefik未将其识别为有效的密码套件。
我检查了Go文档,发现那里也没有提到密码套件。但是,提到了相对较接近的替代方案:https://godoc.org/crypto/tls#pkg-constants
所以我替换了如下值:
+-----------------------------------------------+----------------------------------------+
| Old Value | New Value |
+-----------------------------------------------+----------------------------------------+
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 |
+-----------------------------------------------+----------------------------------------+
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 |
+-----------------------------------------------+----------------------------------------+
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
+-----------------------------------------------+----------------------------------------+
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
+-----------------------------------------------+----------------------------------------+
请注意,前两个条目已删除_SHA256,后两个条目已添加EC。
这可以正常工作,但不能解决核心问题。由于我对密码套件没有太多的了解或经验,因此我向Mozilla提交了有关他们为Traefik生成ssl-config的错误报告。 (https://github.com/mozilla/ssl-config-generator/issues/52)
答案 1 :(得分:1)
看起来不错。我正在运行与更新中相同的配置,根据SSL Labs测试,一切看起来都是安全且兼容的。
答案 2 :(得分:0)
您可以使用此页面来生成您的traefik配置:https://ssl-config.mozilla.org/#server=traefik&server-version=1.7.12&config=intermediate
# generated 2019-07-17, https://ssl-config.mozilla.org/#server=traefik&server-version=1.7.12&config=intermediate
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
]
[[entryPoints.https.tls.certificates]]
certFile = "/path/to/signed_cert_plus_intermediates"
keyFile = "/path/to/private_key"