Changing TLS configuration for backup storage

To restrict which clients can connect to backup storage, an administrator can configure the allowed TLS protocol versions and ciphers. By default, only TLS protocol version 1.2 is accepted, and it is the recommended version for connections to backup storage.

To change the default TLS protocol version

Specify the appropriate value in the advanced.min_tls_version parameter in the /etc/vstorage/abgw.config file. The following values are available:

  • 0: Allows 1.0, 1.1, and 1.2 TLS protocol versions
  • 1: Allows 1.1 and 1.2 TLS protocol versions
  • 2: Allows only 1.2 TLS protocol version

For example, to allow using the 1.1 and 1.2 TLS protocol versions, do the following:

  1. In /etc/vstorage/abgw.config, set the advanced.min_tls_version parameter to 1:

    advanced.min_tls_version=1
  2. Restart the service:

    # systemctl restart vstorage-abgw

This operation should be performed on all backup storage nodes.

To accept connections to backup storage only with particular TLS ciphers

Specify them in the advanced.tls_ciphers parameter in the /etc/vstorage/abgw.config file. The names are OpenSSL cipher names; for the cipher name format and the full set of names, refer to the CIPHER LIST FORMAT section of the ciphers(1) manual page.

After changing the allowed TLS ciphers, you may need to regenerate certificates.

If a client supports none of the specified ciphers, the TLS handshake fails and the client cannot reach the service.

By default, the following ciphers are used:

  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • DHE-RSA-AES128-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA

Note the following:

  • If you specify one cipher (for example, RSA-AES128) and it is not supported, the connection will fail.
  • If you specify two ciphers (for example, CAMELLIA and RSA-AES128) and only one of them is supported (for example, CAMELLIA), the connection will be established based on the supported cipher (in this case, CAMELLIA).
  • If you specify an empty value, all connections will fail.

For example, to limit the allowed TLS ciphers only to ECDHE-ECDSA-CHACHA20-POLY1305 and ECDHE-RSA-CHACHA20-POLY1305, do the following:

  1. In /etc/vstorage/abgw.config, specify the required ciphers, separated by colons, in the advanced.tls_ciphers parameter:

    advanced.tls_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
  2. Restart the service:

    # systemctl restart vstorage-abgw

This operation should be performed on all backup storage nodes.
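The two procedures above (setting advanced.min_tls_version and advanced.tls_ciphers) are easy to get subtly wrong, because OpenSSL silently drops a misspelled cipher name as long as another name in the list matches, and an empty value makes every connection fail. The following pre-flight check is an added example, not part of this documentation or of the product: it parses the two parameters from an abgw.config-style key=value file, flags a minimum version below the recommended TLS 1.2, and tests each cipher name individually against the local OpenSSL build. The sample config embedded in it is constructed.

```python
import ssl

# Maps advanced.min_tls_version values to the protocol versions they allow.
MIN_TLS_VERSIONS = {"0": ("TLSv1.0", "TLSv1.1", "TLSv1.2"),
                    "1": ("TLSv1.1", "TLSv1.2"), "2": ("TLSv1.2",)}

# Constructed sample config (not a real node's file); CAMELIA is a misspelling.
SAMPLE_CONFIG = ("advanced.min_tls_version=1\n"
                 "advanced.tls_ciphers=ECDHE-RSA-AES128-GCM-SHA256:CAMELIA\n")

def parse_config(text):
    """Parse key=value lines; '#' starts a comment, other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def supported_ciphers(cipher_list):
    """Split a colon-separated OpenSSL cipher list into (supported, unknown)."""
    # Each name is tested on its own: OpenSSL drops unrecognised names as long
    # as another name in the list matches, so a typo can hide in a longer list.
    supported, unknown = [], []
    for name in filter(None, cipher_list.split(":")):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.set_ciphers(name)
            supported.append(name)
        except ssl.SSLError:
            unknown.append(name)
    return supported, unknown

def check_tls_settings(text):
    """Return a list of findings; an empty list means the settings look sane."""
    settings = parse_config(text)
    findings = []
    min_version = settings.get("advanced.min_tls_version", "2")
    if min_version not in MIN_TLS_VERSIONS:
        findings.append(f"min_tls_version={min_version!r} is not 0, 1 or 2")
    elif min_version != "2":
        findings.append("TLS 1.0/1.1 allowed; TLS 1.2 is the recommended minimum")
    if "advanced.tls_ciphers" in settings:
        supported, unknown = supported_ciphers(settings["advanced.tls_ciphers"])
        if not supported:
            findings.append("no usable cipher: every connection would fail")
        findings += [f"unknown cipher {n!r} would be ignored" for n in unknown]
    return findings
```

Run check_tls_settings() over the contents of /etc/vstorage/abgw.config on each node before restarting vstorage-abgw; the set of recognised names depends on the OpenSSL build the script runs against, so run it on the node itself.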