Skip to content

Latest commit

 

History

History
496 lines (363 loc) · 13.2 KB

ssl-settings.asciidoc

File metadata and controls

496 lines (363 loc) · 13.2 KB

Configure SSL/TLS for standalone {agent}s

SSL/TLS

There are a number of SSL configuration settings available depending on whether you are configuring a client, server, or both. See the following tables for available settings:

Tip
 For more information about using certificates, refer to [secure].
Table 1. Common configuration options
Setting Description

ssl.ca_sha256

(string) This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.

The pin is a base64 encoded string of the SHA-256 of the certificate.

Note
 This check is not a replacement for the normal SSL validation, but it adds additional validation. If this setting is used with verification_mode set to none, the check will always fail because it will not receive any verified chains.

ssl.cipher_suites

(list) The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended). Note that TLS 1.3 cipher suites are not individually configurable in Go, so they are not included in this list.

The following cipher suites are available:

  • ECDHE-ECDSA-AES-128-CBC-SHA

  • ECDHE-ECDSA-AES-128-CBC-SHA256: TLS 1.2 only. Disabled by default.

  • ECDHE-ECDSA-AES-128-GCM-SHA256: TLS 1.2 only.

  • ECDHE-ECDSA-AES-256-CBC-SHA

  • ECDHE-ECDSA-AES-256-GCM-SHA384: TLS 1.2 only.

  • ECDHE-ECDSA-CHACHA20-POLY1305: TLS 1.2 only.

  • ECDHE-ECDSA-RC4-128-SHA: Disabled by default. RC4 not recommended.

  • ECDHE-RSA-3DES-CBC3-SHA

  • ECDHE-RSA-AES-128-CBC-SHA

  • ECDHE-RSA-AES-128-CBC-SHA256: TLS 1.2 only. Disabled by default.

  • ECDHE-RSA-AES-128-GCM-SHA256: TLS 1.2 only.

  • ECDHE-RSA-AES-256-CBC-SHA

  • ECDHE-RSA-AES-256-GCM-SHA384: TLS 1.2 only.

  • ECDHE-RSA-CHACHA20-POLY1205: TLS 1.2 only.

  • ECDHE-RSA-RC4-128-SHA: Disabled by default. RC4 not recommended.

  • RSA-3DES-CBC3-SHA

  • RSA-AES-128-CBC-SHA

  • RSA-AES-128-CBC-SHA256: TLS 1.2 only. Disabled by default.

  • RSA-AES-128-GCM-SHA256: TLS 1.2 only.

  • RSA-AES-256-CBC-SHA

  • RSA-AES-256-GCM-SHA384: TLS 1.2 only.

  • RSA-RC4-128-SHA: Disabled by default. RC4 not recommended.

Here is a list of acronyms used in defining the cipher suites:

  • 3DES: Cipher suites using triple DES

  • AES-128/256: Cipher suites using AES with 128/256-bit keys.

  • CBC: Cipher using Cipher Block Chaining as block cipher mode.

  • ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.

  • ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.

  • GCM: Galois/Counter mode is used for symmetric key cryptography.

  • RC4: Cipher suites using RC4.

  • RSA: Cipher suites using RSA.

  • SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.

ssl.curve_types

(list) The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).

The following elliptic curve types are available:

  • P-256

  • P-384

  • P-521

  • X25519

ssl.enabled

(boolean) Enables or disables the SSL configuration.

Default: true

Note
 SSL settings are disabled if either enabled is set to false or the ssl section is missing.

ssl.supported_protocols

(list) List of allowed SSL/TLS versions. If the SSL/TLS server supports none of the specified versions, the connection will be dropped during or after the handshake. The list of allowed protocol versions include: SSLv3, TLSv1 for TLS version 1.0, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.

Default: [TLSv1.1, TLSv1.2, TLSv1.3]
Table 2. Client configuration options
Setting Description

ssl.certificate

(string) The path to the certificate for SSL client authentication. This setting is only required if client_authentication is specified. If certificate is not specified, client authentication is not available, and the connection might fail if the server requests client authentication. If the SSL server does not require client authentication, the certificate will be loaded, but not requested or used by the server.

Example:

ssl.certificate: "/path/to/cert.pem"

When this setting is configured, the ssl.key setting is also required.

Specify a path, or embed a certificate directly in the YAML configuration:

ssl.certificate: |
    -----BEGIN CERTIFICATE-----
    CERTIFICATE CONTENT APPEARS HERE
    -----END CERTIFICATE-----

ssl.certificate _authorities

(list) The list of root certificates for verifications (required). If certificate_authorities is empty or not set, the system keystore is used. If certificate_authorities is self-signed, the host system needs to trust that CA cert as well.

Example:

ssl.certificate_authorities: ["/path/to/root/ca.pem"]

Specify a list of files that {agent} will read, or embed a certificate directly in the YAML configuration:

ssl.certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    CERTIFICATE CONTENT APPEARS HERE
    -----END CERTIFICATE-----

ssl.key

(string) The client certificate key used for client authentication. Only required if client_authentication is configured.

Example:

ssl.key: "/path/to/cert.key"

Specify a path, or embed the private key directly in the YAML configuration:

ssl.key: |
    -----BEGIN PRIVATE KEY-----
    KEY CONTENT APPEARS HERE
    -----END PRIVATE KEY-----

ssl.key_passphrase

(string) The passphrase used to decrypt an encrypted key stored in the configured key file.

ssl.verification _mode

(string) Controls the verification of server certificates. Valid values are:

full

Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.

strict

Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.

certificate

Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.

none

Performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.

Default: full

ssl.ca_trusted _fingerprint

(string) A HEX encoded SHA-256 of a CA certificate. If this certificate is present in the chain during the handshake, it will be added to the certificate_authorities list and the handshake will continue normally.

Example:

ssl.ca_trusted_fingerprint: 3b24d33844d6553...826
Table 3. Server configuration options
Setting Description

ssl.certificate

(string) The path to the certificate for SSL server authentication. If the certificate is not specified, startup will fail.

Example:

ssl.certificate: "/path/to/server/cert.pem"

When this setting is configured, the key setting is also required.

Specify a path, or embed a certificate directly in the YAML configuration:

ssl.certificate: |
    -----BEGIN CERTIFICATE-----
    CERTIFICATE CONTENT APPEARS HERE
    -----END CERTIFICATE-----

ssl.certificate _authorities

(list) The list of root certificates for client verifications is only required if client_authentication is configured. If certificate_authorities is empty or not set, and client_authentication is configured, the system keystore is used. If certificate_authorities is self-signed, the host system needs to trust that CA cert too.

Example:

ssl.certificate_authorities: ["/path/to/root/ca.pem"]

Specify a list of files that {agent} will read, or embed a certificate directly in the YAML configuration:

ssl.certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    CERTIFICATE CONTENT APPEARS HERE
    -----END CERTIFICATE-----

ssl.client_ authentication

(string) Configures client authentication. The valid options are:

none

Disables client authentication.

optional

When a client certificate is supplied, the server will verify it.

required

Requires clients to provide a valid certificate.

Default: required (if certificate_authorities is set); otherwise, none

ssl.key

(string) The server certificate key used for authentication (required).

Example:

ssl.key: "/path/to/server/cert.key"

Specify a path, or embed the private key directly in the YAML configuration:

ssl.key: |
    -----BEGIN PRIVATE KEY-----
    KEY CONTENT APPEARS HERE
    -----END PRIVATE KEY-----

ssl.key_passphrase

(string) The passphrase used to decrypt an encrypted key stored in the configured key file.

ssl.renegotiation

(string) Configures the type of TLS renegotiation to support. The valid options are:

never

Disables renegotiation.

once

Allows a remote server to request renegotiation once per connection.

freely

Allows a remote server to request renegotiation repeatedly.

Default: never

ssl.verification _mode

(string) Controls the verification of client certificates. Valid values are:

full

Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.

strict

Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. If the Subject Alternative Name is empty, it returns an error.

certificate

Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.

none

Performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.

Default: full