# Configuration about TLS

## Introduction

tls_rule_conf.data records the TLS protocol configuration.

## Configuration
| Config Item | Type | Description |
| --- | --- | --- |
| Version | String | Version of configure file |
| Config | Object | TLS rule config |
| Config{k} | String | Unique label |
| Config{v} | Object | TLS rule detail |
| Config{v}.CertName | String | Name of server certificate (Note: defined in server_cert_conf.data) |
| Config{v}.NextProtos | Object | TLS application layer protocol list. Default: ["http/1.1"] |
| Config{v}.NextProtos[] | String | TLS application layer protocol (h2, spdy/3.1, http/1.1) |
| Config{v}.Grade | String | TLS security grade (A+, A, B, C) |
| Config{v}.ClientAuth | Bool | Enable TLS client authentication |
| Config{v}.ClientCAName | String | Name of client CA certificate |
| Config{v}.VipConf | Object Array | List of VIPs. Note: TLS policy selection is based on VIP |
| Config{v}.VipConf[] | String Array | VIP |
| Config{v}.SniConf | Object Array | List of hostnames (optional) |
| Config{v}.SniConf[] | String Array | Hostname |
| DefaultNextProtos | Object | Default application layer protocols over TLS |
| DefaultNextProtos[] | String | TLS application layer protocol (h2, spdy/3.1, http/1.1) |
## Example

```json
{
    "Version": "20190101000000",
    "DefaultNextProtos": ["h2", "http/1.1"],
    "Config": {
        "example_product": {
            "VipConf": [
                "10.199.4.14"
            ],
            "SniConf": null,
            "CertName": "example.org",
            "NextProtos": [
                "h2",
                "http/1.1"
            ],
            "Grade": "C",
            "ClientCAName": ""
        }
    }
}
```
## Security Grade

BFE supports multiple security grades (A+/A/B/C) for ease of TLS configuration. The grades differ in which protocol versions and cipher suites they enable.
### Grade A+

| Supported Protocols | Supported Cipher Suites |
| --- | --- |
| TLS1.2 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256<br>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD_SHA256<br>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<br>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br>TLS_RSA_WITH_AES_128_CBC_SHA<br>TLS_RSA_WITH_AES_256_CBC_SHA |

### Grade A

| Supported Protocols | Supported Cipher Suites |
| --- | --- |
| TLS1.2<br>TLS1.1<br>TLS1.0 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256<br>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD_SHA256<br>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<br>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br>TLS_RSA_WITH_AES_128_CBC_SHA<br>TLS_RSA_WITH_AES_256_CBC_SHA |

### Grade B

| Supported Protocols | Supported Cipher Suites |
| --- | --- |
| TLS1.2<br>TLS1.1<br>TLS1.0 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256<br>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD_SHA256<br>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<br>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br>TLS_RSA_WITH_AES_128_CBC_SHA<br>TLS_RSA_WITH_AES_256_CBC_SHA |
| SSLv3 | TLS_ECDHE_RSA_WITH_RC4_128_SHA<br>TLS_RSA_WITH_RC4_128_SHA |

### Grade C

| Supported Protocols | Supported Cipher Suites |
| --- | --- |
| TLS1.2<br>TLS1.1<br>TLS1.0 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256<br>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD_SHA256<br>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<br>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br>TLS_RSA_WITH_AES_128_CBC_SHA<br>TLS_RSA_WITH_AES_256_CBC_SHA<br>TLS_ECDHE_RSA_WITH_RC4_128_SHA<br>TLS_RSA_WITH_RC4_128_SHA |
| SSLv3 | TLS_ECDHE_RSA_WITH_RC4_128_SHA<br>TLS_RSA_WITH_RC4_128_SHA |
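A pre-deployment lint for this file, added here as an example and not part of BFE itself: it checks the fields from the configuration table (CertName, Grade, NextProtos names, VipConf, ClientAuth needing a ClientCAName) and warns on any rule that selects grade B or C, since the tables above show those grades also enable SSLv3 and RC4. Treating one VIP that appears in two rules as an error is an assumption drawn from the note that TLS policy selection is based on VIP.

```python
import json

VALID_PROTOS = {"h2", "spdy/3.1", "http/1.1"}
VALID_GRADES = {"A+", "A", "B", "C"}

def validate_tls_rule_conf(raw: str):
    """Return (errors, warnings) for a tls_rule_conf.data document: errors mean
    reject the file; warnings flag rules that load but are weak (grades B and C
    also enable SSLv3 and RC4 suites per the security grade tables)."""
    try:
        conf = json.loads(raw)
    except ValueError as exc:
        return [f"invalid JSON: {exc}"], []
    errors, warnings = [], []
    if not conf.get("Version"):
        errors.append("Version is empty")
    seen_vip = {}  # VIP -> label; policy is chosen by VIP, so a VIP in two rules is ambiguous (assumption)
    for label, rule in (conf.get("Config") or {}).items():
        if not rule.get("CertName"):
            errors.append(f"{label}: CertName is empty")
        if rule.get("Grade") not in VALID_GRADES:
            errors.append(f"{label}: unknown Grade {rule.get('Grade')!r}")
        if rule.get("ClientAuth") and not rule.get("ClientCAName"):
            errors.append(f"{label}: ClientAuth enabled but ClientCAName is empty")
        for proto in rule.get("NextProtos") or []:
            if proto not in VALID_PROTOS:
                errors.append(f"{label}: unknown NextProtos value {proto!r}")
        vips = rule.get("VipConf") or []
        if not vips:
            errors.append(f"{label}: VipConf is empty")
        for vip in vips:
            if vip in seen_vip:
                errors.append(f"{label}: VIP {vip} already used by {seen_vip[vip]}")
            seen_vip[vip] = label
        if rule.get("Grade") in ("B", "C"):
            warnings.append(f"{label}: Grade {rule['Grade']} enables SSLv3 and RC4 cipher suites")
    return errors, warnings


# Constructed sample: the page's own example, which parses cleanly but selects Grade C.
SAMPLE = """{"Version": "20190101000000", "DefaultNextProtos": ["h2", "http/1.1"],
 "Config": {"example_product": {"VipConf": ["10.199.4.14"], "SniConf": null,
  "CertName": "example.org", "NextProtos": ["h2", "http/1.1"], "Grade": "C",
  "ClientCAName": ""}}}"""

if __name__ == "__main__":
    errs, warns = validate_tls_rule_conf(SAMPLE)
    print("errors:", errs)
    print("warnings:", warns)
```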