TLS configuration is weak
Categories
(Cloud Services :: Operations: Firefox Profiler, task)
Tracking
(Not tracked)
People
(Reporter: julienw, Assigned: jbuck)
Details
Our TLS configuration supports TLS 1.0 and TLS 1.1 as well as weak ciphers for TLS 1.2. Here are Mozilla's own recommendations about TLS configuration that we need to follow.
This happens on both prod and non prod.
Comment 1•4 years ago
We aren't able to tweak these in GCP until https://github.com/kubernetes/ingress-gce/issues/246 is fixed. I don't think we need to worry about this, all of our GCP properties have this configuration.
Comment 2•4 years ago
It looks like it has been fixed upstream: https://github.com/kubernetes/ingress-gce/issues/246#issuecomment-617991794
Jeremy, for the sake of curiosity, do you have any idea what the timeline might be for having it enabled on our side? And if I understand your comment correctly, our configuration as it is should already support it when it is available, is that right?
Comment 3•4 years ago
I'm not sure what the timeline will be. Judging from their previous releases, I would guess a few months away. Yeah, our configuration will support it once it is available.
Comment 4•4 years ago (Reporter)
This seems to be available in both regular and stable channels now: https://github.com/kubernetes/ingress-gce/issues/246#issuecomment-711438978
Do you think we can fix this on our server now? As far as I know TLS 1.0/1.1 and the weak ciphers for TLS 1.2 are still present.
Thanks!
Comment 5•3 years ago
Yes, this is possible to do now. I'll update this to use our standard ssl profile.
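An added illustration, not part of the thread and not Mozilla's actual manifests: one way an SSL policy is attached to a GKE Ingress load balancer now that ingress-gce supports it. The policy, FrontendConfig, Ingress and Service names are hypothetical placeholders, and the MODERN profile with a TLS 1.2 floor is an assumed stand-in for the "standard ssl profile" mentioned above.

```yaml
# Added example; every name below is a hypothetical placeholder.
#
# The SSL policy itself is a GCP resource created outside Kubernetes, e.g.:
#   gcloud compute ssl-policies create example-modern-tls \
#       --profile MODERN --min-tls-version 1.2
# The minimum version of 1.2 is what removes TLS 1.0 and TLS 1.1 from the
# load balancer; the profile limits which cipher suites are offered.
---
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: example-frontend-config
spec:
  # Must match the name of the SSL policy created with gcloud above.
  sslPolicy: example-modern-tls
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    # Binds the FrontendConfig (and therefore the SSL policy) to the
    # HTTPS load balancer that ingress-gce provisions for this Ingress.
    networking.gke.io/v1beta1.FrontendConfig: "example-frontend-config"
spec:
  defaultBackend:
    service:
      name: example-service
      port:
        number: 80
```

After rollout, a handshake forced to an old version (for example `openssl s_client -tls1_1 -connect <host>:443`, if the local OpenSSL build still allows it) should be refused, while a TLS 1.2 handshake succeeds.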
Comment 6•3 years ago (Assignee)
Comment 7•3 years ago (Assignee)
This has been deployed to production.
Comment 8•3 years ago (Reporter)
I can confirm that all 3 servers (prod, stage, dev) are now A+ according to ssllabs!
Thanks a lot!