Security/Server Side TLS: Difference between revisions

Line 314: Line 314:
ELBs support HAproxy's proxy protocol, that removes the need for X-Forwarded-For and operates with a header placed right before the TCP packet. While still in beta, a solution composed of L4 ELBs that send TCP traffic to HAproxy for SSL termination would solve the limitations above.
ELBs support HAproxy's proxy protocol, that removes the need for X-Forwarded-For and operates with a header placed right before the TCP packet. While still in beta, a solution composed of L4 ELBs that send TCP traffic to HAproxy for SSL termination would solve the limitations above.


== Zeus (Riverbed Stingray) ==
== Zeus Load Balancer(Riverbed Stingray) ==
Zeus lacks support for TLS 1.2, Elliptic Curves, AES-GCM and OCSP Stapling.
ZLB supports TLS1.1 and OCSP Stapling. It lacks support for TLS 1.2, Elliptic Curves and AES-GCM.
ZLB takes only one global ciphersuite for all sites it manages. However, the OCSP Stapling setting is configurable per-site.


The recommended prioritization is:
The recommended prioritization is:
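Review bot: the new heading `== Zeus Load Balancer(Riverbed Stingray) ==` is missing the space before the parenthesis, and the new body line introduces the abbreviation ZLB unexpanded and writes "TLS1.1" beside "TLS 1.2"; suggest `== Zeus Load Balancer (Riverbed Stingray) ==` and "ZLB (Zeus Load Balancer) supports TLS 1.1 and OCSP Stapling." Because this line reverses the previous revision's statement that Zeus lacks OCSP Stapling, it should also name the ZLB version in which stapling was verified, so later readers can tell whether the older statement applied to an earlier release. "takes only one global ciphersuite for all sites" reads as a single cipher; "one global cipher list" matches what the rest of the section describes.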
Line 323: Line 324:
# AES256-SHA
# AES256-SHA
# RC4-SHA
# RC4-SHA
# DES-CBC3-SHA
# EDH-RSA-DES-CBC3-SHA


While the recommended DH prime size is 2048, problems with client libraries, such as Java 6, make this impossible to deploy for now. Therefore, a DH prime of 1024 bits should be used until all clients are compatible with larger primes.
The following string can be used in the ZLB configuration, under global settings:
 
Zeus uses RSA BSAFE crypto library.
<source lang="bash">
<source lang="bash">
# ./zeus.zxtm -vv | grep ^Crypto
SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
Crypto library          : RSA CryptoC6.4
</source>
</source>
The following ciphersuites are supported by Zeus.
 
<pre>
 
ssl!ssl3_ciphers
While the recommended DH prime size is 2048, problems with client libraries, such as Java 6, make this impossible to deploy for now. Therefore, a DH prime of 1024 bits should be used until all clients are compatible with larger primes.
    This is a list (space, comma or colon separated) of SSL ciphers that will be used with performing SSL decryption or SSL encryption. The order of the supplied list determines the priority of the ciphers for SSL decryption.
    The default order is:
        SSL_RSA_WITH_RC4_128_SHA
        SSL_RSA_WITH_RC4_128_MD5
        SSL_RSA_WITH_AES_256_CBC_SHA
        SSL_DHE_RSA_WITH_AES_256_CBC_SHA
        SSL_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_AES_128_CBC_SHA
        SSL_DHE_RSA_WITH_AES_128_CBC_SHA
    In addition, the following ciphers are supported but disabled by default:
        SSL_RSA_EXPORT_WITH_RC4_56_SHA
        SSL_RSA_EXPORT_WITH_RC4_56_MD5
        SSL_RSA_WITH_DES_CBC_SHA
        SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_RSA_EXPORT_WITH_DES_CBC_SHA
        SSL_RSA_EXPORT_WITH_RC4_40_MD5
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_RSA_WITH_NULL_SHA
        SSL_RSA_WITH_NULL_MD5
</pre>


== Citrix Netscaler ==
== Citrix Netscaler ==
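Review bot: this revision drops the only ready-to-paste setting (`SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_256_CBC_SHA,...`) together with the sentence "The following string can be used in the ZLB configuration, under global settings:", while the newly added `ssl!ssl3_ciphers` text says that list order determines priority; a reader is now left with the recommended prioritization only in OpenSSL names (`AES256-SHA`, `RC4-SHA`, `EDH-RSA-DES-CBC3-SHA`) and the supported ciphers only in `SSL_*` names, with no mapping between the two. Suggest keeping a configuration string in the `SSL_*` form that follows the recommended order, adding `SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA` for the newly listed `EDH-RSA-DES-CBC3-SHA` entry, and pointing out that the default order quoted here begins with `SSL_RSA_WITH_RC4_128_SHA`, so any installation that does not override the global list negotiates RC4 first. The unchanged 1024-bit DH paragraph now sits after the crypto library block; it reads better directly under the prioritization list it qualifies. Minor: "will be used with performing SSL decryption" should read "when performing".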