Changing the TLS configuration for S3

To restrict which clients can connect to the object storage service, an administrator can configure the allowed TLS protocol versions and cipher suites. By default, only TLS 1.2 is accepted for connections to the S3 cluster, and only the following cipher suites (OpenSSL names) are allowed:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA256
  • AES128-GCM-SHA256

These options are automatically applied to all S3 clusters running Virtuozzo Hybrid Infrastructure 6.2, even if a cluster was created in an earlier version.

After changing the allowed TLS ciphers, you may need to regenerate certificates.

If a client supports none of the allowed protocol versions or cipher suites, the TLS handshake fails and the client cannot reach the service. Note that TLS 1.0 and 1.1 are deprecated (RFC 8996); enable them only for legacy clients that cannot be upgraded, and remove them again once those clients are gone.


To accept connections to object storage with TLS 1.0 and 1.1 protocols

  1. Specify the required TLS protocol versions, space-separated, in the OSTOR_S3_GW_CUSTOM_SSL_PROTOCOLS parameter in the configuration file /usr/libexec/vstorage-ui-backend/etc/backend.cfg on each management node. The value uses the syntax of the nginx ssl_protocols directive; for details, refer to the nginx documentation. For example, to additionally accept TLS 1.1, as earlier versions did, specify:

    OSTOR_S3_GW_CUSTOM_SSL_PROTOCOLS = 'TLSv1.1 TLSv1.2'
  2. Restart the backend service:

    # systemctl restart vstorage-ui-backend
  3. In the admin panel, go to the Storage services > S3 > Nodes screen, click Protocol settings, and then click Done to apply your changes.

To accept custom ciphers in object storage

  1. Specify the required cipher suites, separated by colons, in the OSTOR_S3_GW_CUSTOM_SSL_CIPHERS parameter in the configuration file /usr/libexec/vstorage-ui-backend/etc/backend.cfg on each management node. The value uses the syntax of the nginx ssl_ciphers directive (the OpenSSL cipher list format); for details, refer to the nginx documentation. For example, to enable the cipher suites used in earlier versions, specify the following:

    OSTOR_S3_GW_CUSTOM_SSL_CIPHERS = 'HIGH:!3DES:!RC4:!aNULL:!MD5:!kEDH'
  2. Restart the backend service:

    # systemctl restart vstorage-ui-backend
  3. In the admin panel, go to the Storage services > S3 > Nodes screen, click Protocol settings, and then click Done to apply your changes.
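The two procedures above edit the same file by hand on every management node. The following shell script is an added example, not part of Virtuozzo's own tooling: it sets a `KEY = 'value'` line in backend.cfg idempotently (so running it twice never leaves two definitions of one parameter), reads the value back, and probes the S3 endpoint with `openssl s_client` to confirm which protocol versions and cipher suites the gateway actually accepts after the restart. It assumes the `KEY = 'value'` line format shown in the steps above; the sample configuration it operates on is constructed for the demonstration, and `s3.example.com:443` is a placeholder.

```shell
#!/bin/sh
# Added example (not Virtuozzo's own code). Assumes backend.cfg lines look like
#   KEY = 'value'
# as shown in the documentation. Run it on each management node, then restart
# vstorage-ui-backend and apply the change in the admin panel as described above.

CFG=/usr/libexec/vstorage-ui-backend/etc/backend.cfg

# set_cfg_param FILE KEY VALUE
# Replaces an existing "KEY = ..." line or appends one, without duplicating it.
# The file is rewritten in place with cat so its ownership and mode are kept.
set_cfg_param() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^" k "[[:space:]]*=") { print k " = '\''" v "'\''"; seen = 1; next }
        { print }
        END { if (!seen) print k " = '\''" v "'\''" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_cfg_param FILE KEY
# Prints the value of KEY with the surrounding quotes stripped (empty if absent).
get_cfg_param() {
    awk -v k="$2" '
        $0 ~ ("^" k "[[:space:]]*=") { sub("^[^=]*=[[:space:]]*", ""); gsub("'\''", ""); print }
    ' "$1"
}

# count_cfg_param FILE KEY
# Number of lines that define KEY; after set_cfg_param this is exactly 1.
count_cfg_param() {
    grep -c "^$2[[:space:]]*=" "$1" || true
}

# probe_tls HOST:PORT [openssl s_client options...]
# Prints "accepted" if the gateway completes a handshake with the given options,
# "rejected" otherwise. Examples:
#   probe_tls s3.example.com:443 -tls1_1
#   probe_tls s3.example.com:443 -tls1_2 -cipher AES128-GCM-SHA256
# Note: OpenSSL 1.1.1 and 3.x clients refuse TLS 1.0/1.1 at their default
# security level, so add -cipher 'DEFAULT:@SECLEVEL=0' when probing those versions.
probe_tls() {
    host=$1; shift
    # On success s_client prints "New, TLSv1.2, Cipher is <NAME>";
    # on failure it prints "Cipher is (NONE)" or nothing at all.
    if openssl s_client -connect "$host" "$@" </dev/null 2>/dev/null | grep -q 'Cipher is [^(]'; then
        echo accepted
    else
        echo rejected
    fi
}

# Demonstration on a constructed copy of backend.cfg (not a real node's file).
demo_cfg=$(mktemp)
printf '%s\n' "# constructed sample backend.cfg" "SOME_OTHER_PARAM = 'x'" > "$demo_cfg"
set_cfg_param "$demo_cfg" OSTOR_S3_GW_CUSTOM_SSL_PROTOCOLS 'TLSv1.1 TLSv1.2'
set_cfg_param "$demo_cfg" OSTOR_S3_GW_CUSTOM_SSL_CIPHERS 'HIGH:!3DES:!RC4:!aNULL:!MD5:!kEDH'
# A second write for the same key replaces the line instead of adding another.
set_cfg_param "$demo_cfg" OSTOR_S3_GW_CUSTOM_SSL_PROTOCOLS 'TLSv1.2'
cat "$demo_cfg"
rm -f "$demo_cfg"

# On a management node the same calls target the real file, e.g.:
#   set_cfg_param "$CFG" OSTOR_S3_GW_CUSTOM_SSL_PROTOCOLS 'TLSv1.1 TLSv1.2'
#   systemctl restart vstorage-ui-backend
#   (then Storage services > S3 > Nodes > Protocol settings > Done in the admin panel)
#   probe_tls s3.example.com:443 -tls1_1 -cipher 'DEFAULT:@SECLEVEL=0'
```

After applying the change in the admin panel, probe each protocol version you intend to allow and at least one you intend to reject; a `rejected` result for `-tls1` or `-tls1_1` is the expected outcome once legacy clients are gone and the parameter has been returned to its default.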