Changing TLS configuration for backup storage
To filter connections to backup storage, an administrator can configure the allowed TLS protocol versions and cipher suites. By default, only TLS protocol version 1.2 is accepted; this is also the recommended setting for connections to backup storage.
To change the default TLS protocol version
Specify the appropriate value in the advanced.min_tls_version parameter in the /etc/vstorage/abgw.config file. The following values are available:
- 0: Allows 1.0, 1.1, and 1.2 TLS protocol versions
- 1: Allows 1.1 and 1.2 TLS protocol versions
- 2: Allows only 1.2 TLS protocol version
For example, to allow all TLS protocol versions, specify 0 as follows:
advanced.min_tls_version = 0
Note that the values 0 and 1 re-enable TLS 1.0 and/or TLS 1.1, which are deprecated (RFC 8996) and weaken the protection of backup traffic. Lower the value only while legacy clients that cannot negotiate TLS 1.2 are still in use, and return it to 2 once they are upgraded.
To accept connections to backup storage only with particular TLS ciphers
Specify them in the advanced.tls_ciphers parameter in the /etc/vstorage/abgw.config file. If a client supports none of the specified ciphers, the connection will fail. For the cipher string format and the full set of cipher names, refer to the cipher list format section of the OpenSSL ciphers(1) manual page.
By default, the following ciphers are used:
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-SHA
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- DHE-RSA-AES128-SHA
- AES128-GCM-SHA256
- AES128-SHA256
- AES128-SHA
Note the following:
- If you specify a single cipher (for example, AES128-SHA) and the client does not support it, the connection will fail.
- If you specify two ciphers (for example, CAMELLIA and AES128-SHA) and the client supports only one of them (for example, CAMELLIA), the connection will be established with the supported cipher (in this case, CAMELLIA).
- If you specify an empty value, all connections will fail.
- Cipher names that OpenSSL does not recognize (for example, the misspelling CAMELIA) are dropped from the list rather than reported, so check a new value with the openssl ciphers command before applying it.
- The default list also contains suites without forward secrecy (AES128-GCM-SHA256, AES128-SHA256, and AES128-SHA use static RSA key exchange) and CBC suites with SHA-1 (the names ending in -SHA). If all clients support them, restricting the list to the ECDHE GCM and CHACHA20-POLY1305 suites removes these weaker options.
For example, to limit the allowed TLS ciphers only to ECDHE-ECDSA-CHACHA20-POLY1305 and ECDHE-RSA-CHACHA20-POLY1305, specify them separated by colons as follows:
advanced.tls_ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
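The following POSIX shell script is an added example and not part of the product or its documentation. It applies both settings from this page (advanced.min_tls_version and advanced.tls_ciphers) to a copy of abgw.config, rewriting an existing assignment in place or appending a new one, and checks the cipher string with openssl ciphers before writing it, so that a misspelled name does not turn into an empty list that rejects every connection. The file format (one key = value per line, lines starting with # as comments), the helper names, and the sample file content are assumptions.

```shell
#!/bin/sh
# Added example, not part of the product documentation: apply the TLS settings
# described above to a copy of abgw.config and sanity-check the cipher string.
# Assumptions not stated on the page: the file holds one "key = value" per line
# and lines starting with '#' are comments. The helper names are hypothetical.
set -eu

# has_param FILE KEY: exit 0 if KEY is assigned somewhere in FILE.
has_param() {
    awk -v k="$2" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[[:space:]]*=/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# get_param FILE KEY: print the value of the last assignment of KEY (empty if none).
get_param() {
    awk -v k="$2" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[[:space:]]*=/ {
            val = substr(line, length(k) + 1)
            sub(/^[[:space:]]*=[[:space:]]*/, "", val)
            sub(/[[:space:]]+$/, "", val)
            last = val
        }
        END { print last }
    ' "$1"
}

# set_param FILE KEY VALUE: rewrite an existing assignment in place or append one.
# The new content is built in a temp file (copied first so the mode is kept) and
# moved over the original, so a failed write cannot leave a truncated config.
set_param() {
    if has_param "$1" "$2"; then
        tmp=$(mktemp)
        cp -p "$1" "$tmp"
        awk -v k="$2" -v v="$3" '
            { line = $0; sub(/^[[:space:]]+/, "", line) }
            index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[[:space:]]*=/ { print k " = " v; next }
            { print }
        ' "$1" > "$tmp" && mv "$tmp" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# check_ciphers STRING: exit 0 if OpenSSL resolves STRING to at least one TLS 1.2
# cipher suite. Names OpenSSL does not know are dropped silently, so a typo such
# as CAMELIA (for CAMELLIA) yields an empty list, which would make every
# connection fail once applied. TLS 1.3 suites (TLS_*) are excluded from the
# count because the version setting on this page caps the protocol at TLS 1.2.
# The check is skipped (success) when openssl is not installed.
check_ciphers() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping cipher check" >&2
        return 0
    fi
    n=$(openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -v '^TLS_' | grep -c . || true)
    [ "$n" -gt 0 ]
}

# Demo on a constructed sample config (sample content, not a real abgw.config).
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
# constructed sample
advanced.min_tls_version = 0
EOF

# Weak setting in the sample: 0 also accepts TLS 1.0 and 1.1. Corrected setting:
# TLS 1.2 only, and only the forward-secret AEAD suites from the default list.
STRONG_CIPHERS='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'

check_ciphers "$STRONG_CIPHERS"
set_param "$CFG" advanced.min_tls_version 2
set_param "$CFG" advanced.tls_ciphers "$STRONG_CIPHERS"
cat "$CFG"
```

Run it as-is to see the rewritten sample; to change the real file, pass /etc/vstorage/abgw.config to set_param instead of the temp file and apply the change the way the product documentation describes. To confirm the result from a client, openssl s_client -connect HOST:PORT -tls1_1 should fail the handshake while -tls1_2 succeeds (HOST and PORT stand for your gateway's address and port).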