SSL Termination Security Configuration

Hi. I’ve experimented with the SSL termination feature which works fine.
The problem is there’s no way to configure security - what cipher suites and protocols to accept. I just ran a check from ssllabs.com and got a grade F. The culprits:

This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F.
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F.
This server accepts the RC4 cipher, which is weak. Grade capped to B.

It supports SSLv3 which is insecure and a number of weak cipher suites.

Any plans on adding configuration options for this?

Rather than going down the road of adding configuration options to the rancher API for every setting haproxy has one by one, we will probably be doing #1871 to let you inject arbitrary settings.

@alena we should probably have a better default ciphersuite though in the meantime since their default is awful…

@vincent sure, will research for better options, and update the default config

@vincent - that makes sense
@alena - probably the default should be tight, then people can loosen it as they see fit. The current default is in the don’t use this category :smile:

Anyway, I’m getting along by deploying a small nginx proxy for doing the SSL termination and an internal load balancer - a little more work but it works as intended. Working my way towards running rancher in production…

Thank you for your support.

@sdlarsen here is the Rancher github ticket for “insecure ssl” : https://github.com/rancher/rancher/issues/2286. Please feel free to comment on a corresponding PR as well: https://github.com/rancher/cattle/pull/937