Configuring load balancer TLS ciphers
When terminating TLS on load balancer listeners or enabling TLS for pools, administrators can control the TLS protocol versions and cipher suites used for secure connections. TLS configuration applies only to TLS-enabled resources, such as listeners using the TERMINATED_HTTPS protocol or pools configured for TLS re-encryption.
Load balancers support the OpenSSL cipher string format, for example:
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
This format follows the OpenSSL <cipher>:<cipher>:... convention and is commonly used by HAProxy and other TLS-terminating proxies.
You can explicitly specify the TLS protocol version for listeners and TLS-enabled pools. TLSv1.2 is the recommended and supported protocol version.
The following cipher suites are examples commonly used with TLSv1.2:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-GCM-SHA256
For TLS re-encryption scenarios, similar TLS cipher and version settings can be applied to TLS-enabled pools. Pool-level configuration controls the TLS connection between the load balancer and backend members, while listener-level configuration controls client-facing TLS behavior.
If TLS ciphers or protocol versions are not explicitly set on a listener or pool, the default values defined in octavia.conf are applied. Listener- or pool-specific settings override global defaults.
Limitations
- Cipher values must be specified using OpenSSL naming. IANA-style cipher names are not supported.
- TLSv1.3 is currently not supported.
Prerequisites
- To configure load balancers as a system or domain administrator, ensure that the environment file for this user is created, as described in Connecting to OpenStack command-line interface.
To configure TLS ciphers and versions for a listener
Use the following command:
openstack loadbalancer listener set --tls-ciphers <tls_ciphers> --tls-version <tls_versions> <listener>
--tls-ciphers <tls_ciphers> - Set the TLS ciphers to be used by the listener, in OpenSSL format.
--tls-version <tls_versions> - Set the TLS protocol version to be used by the listener. This option can be specified multiple times.
<listener> - Listener name or ID.
For example, to configure the listener lb_listener to use the ECDHE-RSA-AES256-GCM-SHA384 cipher and allow TLSv1.2, run:
# openstack --insecure loadbalancer listener set lb_listener --tls-ciphers ECDHE-RSA-AES256-GCM-SHA384 --tls-version TLSv1.2
To configure TLS ciphers and versions for a pool
Use the following command:
openstack loadbalancer pool set --tls-ciphers <tls_ciphers> --tls-version <tls_versions> <pool>
--tls-ciphers <tls_ciphers> - Set the TLS ciphers to be used by the pool, in OpenSSL format.
--tls-version <tls_versions> - Set the TLS protocol version to be used by the pool. This option can be specified multiple times.
<pool> - Pool name or ID.
For example, to configure the pool lb_pool to use the ECDHE-RSA-AES256-GCM-SHA384 cipher and allow TLSv1.2, run:
# openstack --insecure loadbalancer pool set lb_pool --tls-ciphers ECDHE-RSA-AES256-GCM-SHA384 --tls-version TLSv1.2
Specifying incorrect, unsupported, or incompatible cipher lists may cause load balancer provisioning to fail. In such cases, the listener or the entire load balancer may enter an 'ERROR' state.
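Because a malformed or unsupported cipher list is only rejected at provisioning time, it is worth checking the string before running the listener or pool command above. The following script is an added example, not part of this page and not code from Octavia or the OpenStack client: it validates an OpenSSL-format cipher string against an allow-list built from the TLSv1.2 suites listed on this page, rejects IANA-style names and OpenSSL keywords (HIGH, !aNULL) so that only explicitly reviewed suites are sent, and builds the argv for openstack loadbalancer listener set or pool set. It assumes TLSv1.2 is the only accepted version, per the limitations above; the names lb_listener and lb_pool are constructed sample values.

```python
# Added example (not from the page, Octavia or the OpenStack CLI): pre-flight
# validation of an OpenSSL cipher string before it is applied to a listener or pool.
import re
from typing import Iterable, List, Tuple

# Allow-list built from the TLSv1.2 cipher suites listed on this page.
TLS12_ALLOWED_CIPHERS = frozenset({
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256",
})

# Assumption: only TLSv1.2 is accepted, matching the page's statement that
# TLSv1.2 is the supported version and TLSv1.3 is not supported.
ALLOWED_TLS_VERSIONS = frozenset({"TLSv1.2"})

# OpenSSL suite names are upper-case tokens joined by '-' (e.g. ECDHE-RSA-AES256-GCM-SHA384).
OPENSSL_SUITE_NAME = re.compile(r"^[A-Z0-9]+(?:-[A-Z0-9]+)+$")


def validate_cipher_string(cipher_string: str,
                           allowed: frozenset = TLS12_ALLOWED_CIPHERS) -> Tuple[bool, List[str]]:
    """Check a '<cipher>:<cipher>:...' string and return (ok, list of problems).

    Every entry must be an OpenSSL-style suite name present in the allow-list.
    IANA-style names (TLS_...) and OpenSSL keywords such as HIGH or !aNULL are
    rejected so that only explicitly reviewed suites reach the load balancer.
    """
    problems: List[str] = []
    if not cipher_string:
        return False, ["cipher string is empty"]
    for entry in cipher_string.split(":"):
        if entry == "":
            problems.append("empty entry (doubled or trailing ':')")
        elif entry.startswith("TLS_"):
            problems.append(f"{entry}: IANA-style name, use OpenSSL naming")
        elif not OPENSSL_SUITE_NAME.match(entry):
            problems.append(f"{entry}: not an OpenSSL cipher suite name")
        elif entry not in allowed:
            problems.append(f"{entry}: not in the TLSv1.2 allow-list")
    return (not problems), problems


def build_tls_set_command(resource: str, name: str, cipher_string: str,
                          versions: Iterable[str] = ("TLSv1.2",)) -> List[str]:
    """Build the argv for 'openstack loadbalancer <listener|pool> set ...'.

    Raises ValueError instead of returning an argv that would push the listener
    or load balancer into an ERROR state at provisioning time.
    """
    if resource not in ("listener", "pool"):
        raise ValueError(f"resource must be 'listener' or 'pool', got {resource!r}")
    ok, problems = validate_cipher_string(cipher_string)
    if not ok:
        raise ValueError("invalid cipher string: " + "; ".join(problems))
    version_list = list(versions)
    if not version_list:
        raise ValueError("at least one --tls-version is required")
    bad = [v for v in version_list if v not in ALLOWED_TLS_VERSIONS]
    if bad:
        raise ValueError("unsupported TLS version(s): " + ", ".join(bad))
    argv = ["openstack", "loadbalancer", resource, "set", "--tls-ciphers", cipher_string]
    for version in version_list:
        argv += ["--tls-version", version]  # repeated once per version, as the CLI allows
    argv.append(name)
    return argv


if __name__ == "__main__":
    # Constructed sample resource name; prints the command instead of running it.
    argv = build_tls_set_command(
        "listener", "lb_listener",
        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256")
    print(" ".join(argv))
```

To apply the result, pass the returned list to subprocess.run (with check=True) using the same environment file described in the prerequisites; keeping the validation and the CLI call separate lets the same allow-list be reviewed and reused for both listeners and pools.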