Configuring TLS parameters for object storage
By default, only TLS protocol version 1.2 is accepted for connections to the S3 cluster. Moreover, only the following ciphers are allowed:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-SHA256
- DHE-RSA-AES128-SHA256
- AES128-GCM-SHA256
These options are automatically applied to all S3 clusters running Virtuozzo Hybrid Infrastructure 4.7, even if a cluster was created in an earlier version.
TLS protocol versions for object storage
To accept connections to object storage with TLS 1.0 and 1.1 protocols, do the following:
- Specify the required TLS protocols, space-separated, in the OSTOR_S3_GW_CUSTOM_SSL_PROTOCOLS parameter in the configuration file /usr/libexec/vstorage-ui-backend/etc/backend.cfg on each management node. For more details on this parameter, refer to the nginx documentation. For example, to enable TLS 1.1 used in earlier versions, specify:
  OSTOR_S3_GW_CUSTOM_SSL_PROTOCOLS = 'TLSv1.1 TLSv1.2'
- Restart the backend service:
  # systemctl restart vstorage-ui-backend
- In the admin panel, go to the Storage services > S3 > Nodes screen, click Protocol settings, and then click Done to apply your changes.
TLS ciphers for object storage
To accept custom ciphers in object storage, do the following:
- Specify the required ciphers, separated by colons, in the OSTOR_S3_GW_CUSTOM_SSL_CIPHERS parameter in the configuration file /usr/libexec/vstorage-ui-backend/etc/backend.cfg on each management node. For more details on this parameter, refer to the nginx documentation. For example, to enable ciphers used in earlier versions, specify the following:
  OSTOR_S3_GW_CUSTOM_SSL_CIPHERS = 'HIGH:!3DES:!RC4:!aNULL:!MD5:!kEDH'
- Restart the backend service:
  # systemctl restart vstorage-ui-backend
- In the admin panel, go to the Storage services > S3 > Nodes screen, click Protocol settings, and then click Done to apply your changes.
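As an added check for both procedures above (example code written for this page, not part of Virtuozzo Hybrid Infrastructure), the following Python audit parses the two parameters from backend.cfg text and reports any legacy protocol that was re-enabled or any cipher exclusion from the page's example that a custom cipher string drops. The parameter names and value syntax are as on the page; the sample file content is constructed.

```python
import re

# Constructed sample of the two backend.cfg lines described on this page;
# the values mirror the page's own examples, the file content is hypothetical.
SAMPLE_CFG = """
# ... other backend settings ...
OSTOR_S3_GW_CUSTOM_SSL_PROTOCOLS = 'TLSv1.1 TLSv1.2'
OSTOR_S3_GW_CUSTOM_SSL_CIPHERS = 'HIGH:!3DES:!RC4:!aNULL:!MD5:!kEDH'
"""

# Protocol versions deprecated by RFC 8996; the default (TLSv1.2 only) never lists them.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Cipher families the page's own example removes with '!'; a custom list
# that drops any of these exclusions widens the accepted cipher set.
EXPECTED_EXCLUSIONS = {"3DES", "RC4", "aNULL", "MD5"}

# KEY = 'value' lines, as shown on this page (single-quoted values).
_PARAM_RE = re.compile(
    r"^\s*(OSTOR_S3_GW_CUSTOM_SSL_(?:PROTOCOLS|CIPHERS))\s*=\s*'([^']*)'\s*$")


def parse_backend_cfg(text):
    """Return {parameter_name: raw_value} for the two TLS parameters found."""
    found = {}
    for line in text.splitlines():
        match = _PARAM_RE.match(line)
        if match:
            found[match.group(1)] = match.group(2)
    return found


def audit_tls_settings(text):
    """Return a list of findings; an empty list means nothing was weakened."""
    cfg = parse_backend_cfg(text)
    findings = []
    # Protocols are space-separated (nginx ssl_protocols syntax).
    for proto in cfg.get("OSTOR_S3_GW_CUSTOM_SSL_PROTOCOLS", "").split():
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")
    # Ciphers are colon-separated (OpenSSL cipher-string syntax); '!' removes a family.
    if "OSTOR_S3_GW_CUSTOM_SSL_CIPHERS" in cfg:
        tokens = cfg["OSTOR_S3_GW_CUSTOM_SSL_CIPHERS"].split(":")
        excluded = {t[1:] for t in tokens if t.startswith("!")}
        for family in sorted(EXPECTED_EXCLUSIONS - excluded):
            findings.append(f"weak cipher family not excluded: {family}")
    return findings
```

Run `audit_tls_settings(open("/usr/libexec/vstorage-ui-backend/etc/backend.cfg").read())` on each management node; an empty result means neither parameter widens the defaults.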