Many companies require PCI DSS validation. To be able to use Traefik with these applications, we need to be able to selectively disable SSL cipher suites that are not strong enough.
Most "big name" tools have these configuration options:
https://cipherli.st/
Sounds ok in principle. Clearly, in an environment where upgrading software can be a PITA, making things configurable makes it simpler to keep things secure when the current best practices change.
But I am not sure that PCI DSS actually requires that cipher suites are configurable by the operator? I have no in-depth understanding of PCI DSS compliance, so feel free to correct me...
In practice, for real security I think the most important thing is to ship with defaults that are secure; I am reasonably sure that the current config scores A on https://www.ssllabs.com/ for example. We should add some test coverage to ensure that the default config is a) secure and b) compliant with PCI and any other relevant standards.
One of the biggest concerns right now for PCI DSS compliance is the ability to disable TLS 1.0 and soon TLS 1.1. We have also received requests from payment gateways to disable suites that use the CBC ciphers.
I agree, if the "out of the box" config is secure and compliant, that would be great; however, there is a big difference between scoring an "A" on SSLlabs and being PCI DSS compliant. The other benefit of separating the configuration for SSL out to a configurable state is that you don't have to be constantly on top of what the current DSS regulations are.
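The two concrete asks in this thread are a minimum protocol version of TLS 1.2 and no CBC-mode cipher suites. The following is an added example, not Traefik's code and not something any commenter posted: it is written in Go because Traefik is a Go program and its cipherSuites option takes the same constant names used by Go's crypto/tls package. It builds a compliant tls.Config, a constructed "legacy" config that still allows TLS 1.0 and two CBC suites, and a small audit that reports every deviation so that the kind of test coverage suggested above can be expressed as assertions. The function names (pciTLSConfig, legacyTLSConfig, auditTLSConfig, versionName) are assumptions made for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// pciTLSConfig builds a tls.Config that meets the two requests in the thread:
// TLS 1.0 and 1.1 disabled, and only AEAD (GCM / ChaCha20-Poly1305) suites,
// so no CBC-mode suite is offered. The constant names are the Go names, which
// are also the strings accepted by Traefik's cipherSuites setting.
func pciTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// legacyTLSConfig is a constructed "before" configuration (an assumption for
// this example, not a real deployment): TLS 1.0 is still allowed and two
// CBC suites are enabled. It exists only to give the audit something to flag.
func legacyTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		},
	}
}

// versionName renders a tls.Version* constant for a finding message.
// A zero MinVersion means "use the library default", which is flagged
// because the default has historically permitted TLS 1.0.
func versionName(v uint16) string {
	switch v {
	case 0:
		return "unset (library default)"
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// auditTLSConfig returns one finding per problem: a minimum version below
// TLS 1.2 (or unset), an unpinned suite list (Go then uses its default list),
// and every pinned suite whose name marks it as CBC mode. tls.CipherSuiteName
// (Go 1.14+) returns the standard IANA-style name, or a hex id for unknown suites.
func auditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, fmt.Sprintf(
			"minimum version is %s; require TLS 1.2 or higher", versionName(cfg.MinVersion)))
	}
	if len(cfg.CipherSuites) == 0 {
		findings = append(findings, "cipher suites not pinned; library default list is in effect")
	}
	for _, id := range cfg.CipherSuites {
		if name := tls.CipherSuiteName(id); strings.Contains(name, "_CBC_") {
			findings = append(findings, "CBC suite enabled: "+name)
		}
	}
	return findings
}

func main() {
	for _, c := range []struct {
		label string
		cfg   *tls.Config
	}{{"pci", pciTLSConfig()}, {"legacy", legacyTLSConfig()}} {
		findings := auditTLSConfig(c.cfg)
		fmt.Printf("%s: %d finding(s)\n", c.label, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Running it prints no findings for the compliant config and three for the legacy one (the TLS 1.0 minimum plus the two CBC suites). The same audit can be pointed at whatever tls.Config a server actually ends up with, which is a more direct check than an external scanner grade because it asserts on the exact settings rather than on a score.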