TLS cipher settings

ms1111 · April 28, 2022, 7:13pm

What happened?

Hi, I was looking through the reference documentation. Where would I find the server-side TLS settings for Pomerium? For example: minimum TLS version, and allowed ciphers.

I don’t actually need to change the encryption settings. The Pomerium defaults are fine (TLSv1.2, strong ciphers only). But I know our SOC 2 auditor will ask to see them next year, so I may have to make them explicit.

What’s your environment like?

Pomerium version (retrieve with pomerium --version): 0.17.2
Server Operating System/Architecture/Cloud: Ubuntu 20.04

calebdoxsey · April 28, 2022, 7:44pm

We use Envoy for TLS termination with these settings:

github.com

pomerium/pomerium/blob/820be99a2ffe79c0be4c51dd73988d363ab2633c/config/envoyconfig/clusters.go#L274

      
        
            
            
	sni := dst.Hostname()
            	if policy.TLSServerName != "" {
            		sni = policy.TLSServerName
            	}
            	if policy.TLSUpstreamServerName != "" {
            		sni = policy.TLSUpstreamServerName
            	}
            	tlsContext := &envoy_extensions_transport_sockets_tls_v3.UpstreamTlsContext{
            		CommonTlsContext: &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext{
            			TlsParams: &envoy_extensions_transport_sockets_tls_v3.TlsParameters{
            				CipherSuites: []string{
            					"ECDHE-ECDSA-AES256-GCM-SHA384",
            					"ECDHE-RSA-AES256-GCM-SHA384",
            					"ECDHE-ECDSA-AES128-GCM-SHA256",
            					"ECDHE-RSA-AES128-GCM-SHA256",
            					"ECDHE-ECDSA-CHACHA20-POLY1305",
            					"ECDHE-RSA-CHACHA20-POLY1305",
            					"ECDHE-ECDSA-AES128-SHA",
            					"ECDHE-RSA-AES128-SHA",
            					"AES128-GCM-SHA256",

ms1111 · April 29, 2022, 2:58am

Thanks! I also found a helpful document under Docs → Community → Security: Security | Pomerium

Topic		Replies	Views
Pomerium v0.23 is here! Announcements announcement , blog	0	520	August 29, 2023
Pomerium is not working Support	1	427	March 13, 2023
Pomerium v0.24 is live! Announcements	1	262	November 20, 2023
Announcing Pomerium v0.27.1 Announcements	0	17	October 1, 2024
Pomerium v0.16 is here! Announcements	0	272	January 12, 2022

TLS cipher settings

What happened?

What’s your environment like?

Related topics