Changing TLS configuration for backup storage

To filter connections to backup storage, an administrator can configure allowed TLS protocol versions and ciphers.

To restrict the use of TLS 1.0 and 1.1 protocols

Specify the appropriate value in the advanced.min_tls_version parameter in the /etc/vstorage/abgw.config file. The following values are available:

  • 0: Allows TLS 1.0, 1.1, and 1.2
  • 1: Allows TLS 1.1 and 1.2
  • 2: Allows only TLS 1.2

For example, to allow all TLS protocol versions, specify 0 as follows:

advanced.min_tls_version = 0

To accept connections to backup storage only with particular TLS ciphers

Specify them in the advanced.tls_ciphers parameter in the /etc/vstorage/abgw.config file. If a client supports none of the specified ciphers, the connection will fail. For the cipher name format and the full set of available ciphers, refer to the cipher list section of the OpenSSL ciphers manual page.

By default, the following ciphers are used:

  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • DHE-RSA-AES128-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA

Note the following:

  • If you specify one cipher (for example, RSA-AES128) and the client does not support it, the connection will fail.
  • If you specify two ciphers (for example, CAMELLIA and RSA-AES128) and the client supports only one of them (for example, CAMELLIA), the connection will be established with the supported cipher (in this case, CAMELLIA).
  • If you specify an empty value, all connections will fail.

For example, to limit the allowed TLS ciphers only to ECDHE-ECDSA-CHACHA20-POLY1305 and ECDHE-RSA-CHACHA20-POLY1305, specify them separated by colons as follows:

advanced.tls_ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
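The following script is an added example, not part of the product documentation: it parses the two parameters above out of a constructed abgw.config fragment, maps advanced.min_tls_version to the lowest accepted protocol version, and applies the cipher rules from the notes (defaults when the parameter is absent, no connection at all when it is empty, failure when the client shares no cipher). The "key = value" syntax, a default of 0 for an unset advanced.min_tls_version, and server-side preference order are assumptions.

```python
# Constructed sample of the two parameters as they would appear in /etc/vstorage/abgw.config.
SAMPLE_CONFIG = """\
advanced.min_tls_version = 2
advanced.tls_ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
"""

# Meaning of each advanced.min_tls_version value: the lowest protocol version still accepted.
MIN_TLS_VERSION = {0: "TLSv1.0", 1: "TLSv1.1", 2: "TLSv1.2"}

# Default cipher list from the documentation, used when advanced.tls_ciphers is not set at all.
DEFAULT_CIPHERS = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA"
).split(":")

def parse_config(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped (assumed syntax)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                settings[key.strip()] = value.strip()
    return settings

def min_tls_version(settings):
    """Lowest TLS version accepted (0 assumed when unset); anything but 0, 1 or 2 is rejected."""
    raw = settings.get("advanced.min_tls_version", "0")
    if not raw.isdigit() or int(raw) not in MIN_TLS_VERSION:
        raise ValueError(f"advanced.min_tls_version must be 0, 1 or 2, got {raw!r}")
    return MIN_TLS_VERSION[int(raw)]

def server_ciphers(settings):
    """Ciphers the gateway offers: the defaults if unset, nothing at all if set to an empty value."""
    if "advanced.tls_ciphers" not in settings:
        return list(DEFAULT_CIPHERS)
    return [c for c in settings["advanced.tls_ciphers"].split(":") if c]

def negotiate(server_list, client_list):
    """Cipher the handshake settles on (server order assumed), or None when there is no overlap."""
    offered = set(client_list)
    for cipher in server_list:
        if cipher in offered:
            return cipher
    return None
```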