diff --git a/cloudhub/modules/ROOT/pages/_partials/tls-support.adoc b/cloudhub/modules/ROOT/pages/_partials/tls-support.adoc index c1f43acce..5aa570ba3 100644 --- a/cloudhub/modules/ROOT/pages/_partials/tls-support.adoc +++ b/cloudhub/modules/ROOT/pages/_partials/tls-support.adoc @@ -1,13 +1,5 @@ // TLS 1.0 Support //tag::tlsSupport[] -Although TLS 1.0 is not recommended due to security vulnerabilities, -you can enable support if required for communication with legacy clients. -You can enable TLS 1.0 support only on the default SSL endpoint of the DLB. -Enabling TLS 1.0 support applies to the entire DLB, not a single SSL endpoint. - -[IMPORTANT] -For security reasons, do not leave TLS 1.0 enabled. -After you no longer need TLS 1.0, replace the default cipher suite, for example, with `NewDefault`. // end::tlsSupport[] diff --git a/cloudhub/modules/ROOT/pages/dedicated-load-balancer-tutorial.adoc b/cloudhub/modules/ROOT/pages/dedicated-load-balancer-tutorial.adoc index 9e9a03efa..d656ff8c5 100644 --- a/cloudhub/modules/ROOT/pages/dedicated-load-balancer-tutorial.adoc +++ b/cloudhub/modules/ROOT/pages/dedicated-load-balancer-tutorial.adoc @@ -24,7 +24,7 @@ If an application exceeds the rate limit for a shared load balancer, the load ba To perform custom load balancer configuration or have higher rate limit thresholds, you must use a dedicated load balancer. -The shared load balancer supports TLS versions 1.1 and TLS 1.2. +The shared load balancer supports TLS 1.2. == Dedicated Load Balancers diff --git a/cloudhub/modules/ROOT/pages/lb-cert-validation.adoc b/cloudhub/modules/ROOT/pages/lb-cert-validation.adoc index 9ed33ea15..818bf0574 100644 --- a/cloudhub/modules/ROOT/pages/lb-cert-validation.adoc +++ b/cloudhub/modules/ROOT/pages/lb-cert-validation.adoc 
@@ -183,9 +183,6 @@ Most cipher suites offer forward secrecy. RC4-SHA (supports Internet Explorer 8) For this reason, MuleSoft and Microsoft do not recommend using it. The CloudHub dedicated load balancer supports TLS 1.2. -TLS 1.1 is disabled and is not supported by default. - -Although you can configure TLS 1.0, PCI compliance doesn't accept this protocol because of its significant vulnerabilities. === Display the Default Cipher Suite for a DLB 
@@ -249,63 +246,6 @@ The output now includes `defaultCipherSuite`: "defaultCipherSuite": "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384" ---- -=== Change the Default Cipher Suite to Support TLS 1.0 - -To support TLS 1.0, change the default cipher suite to `OldDefault`: - -. xref:lb-cert-validation.adoc#prepare-to-manage-certificate-cipher-suites[Prepare to manage certificate cipher suites]. -. xref:lb-cert-validation.adoc#display-the-default-cipher-suite-for-a-dlb[Display the current default cipher suite]. -. Change the default cipher suite: -+ --- - -[source,linenums] ----- -curl -X PATCH https://anypoint.mulesoft.com/cloudhub/api/organizations/myOrgID/vpcs/myVpcID/loadbalancers/myDlbID -H 'Authorization: Bearer myAccessToken' -H 'Content-Type: application/json' -d '[{"op":"replace", "path":"/defaultCipherSuiteName", "value":"OldDefault"}]' | jq ----- - -In the command: - -* `_myOrgID_` is the organization ID. -* `_myVpcID_` is the ID for the VPC. -* `_myDlbID_` is the ID for the DLB. -* `_myAccessToken_` is the access token you generated. -* `OldDefault` is the name of the cipher suite that supports TLS 1.0. --- -. 
Check the default cipher suite and verify that the output includes the following line: -+ -[source,linenums] ----- -"defaultCipherSuite": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" ----- - -=== Verify the TLS 1.0 Connection - -After enabling TLS 1.0, test the connection: - -* `openssl` -+ --- -Run this command against the DLB SSL endpoint: - -`openssl s_client -connect _DNS of the SSL endpoint_:443 -tls1` - -* If the output includes the certificate information and the message `Secure Renegotiation IS supported`, TLS 1.0 is supported. - -* If the command returns `write:errno=54`, TLS 1.0 is not supported. --- -* `curl` -+ --- -Run this command against the DLB SSL endpoint: - -`curl -vI --insecure --tlsv1.0 https://_DNS of the SSL endpoint_` - -* If you see the returned results from the backend server or the HTTP error code, TLS 1.0 is supported. - -* If the command returns `curl: (35) Server aborted the SSL handshake`, TLS 1.0 is not supported. --- - == Limitation To use an ECDSA-based authentication cipher, generate the certificate and key pair using an ECDSA-based algorithm and apply the same algorithm to the SSL certificate and key configuration on the DLB. 
@@ -334,6 +274,3 @@ Because current DLB configuration permits only one type of SSL certificate and k * xref:lb-allowlists.adoc[Allowlists] * xref:lb-mapping-rules.adoc[Mapping Rules] * xref:lb-create-arm.adoc[Create a Load Balancer with Runtime Manager] -* xref:lb-create-arm.adoc#enable-tls-1-0-on-a-dlb-using-runtime-manager[Enable TLS 1.0 on a DLB Using Runtime Manager] -* xref:lb-create-cli.adoc#enable-tls-1-0-on-a-dlb-using-the-cli[Enable TLS 1.0 on a DLB Using the CLI] -* xref:lb-create-api.adoc#enable-tls-1-0-on-a-dlb-using-the-cloudhub-api[Enable TLS 1.0 on a DLB Using the CloudHub API] diff --git a/cloudhub/modules/ROOT/pages/lb-create-api.adoc b/cloudhub/modules/ROOT/pages/lb-create-api.adoc index 96fe8cd37..0170a8aa8 100644 --- a/cloudhub/modules/ROOT/pages/lb-create-api.adoc +++ b/cloudhub/modules/ROOT/pages/lb-create-api.adoc 
@@ -27,46 +27,6 @@ include::partial$no-rename.adoc[tag=noRenameDLB] The CloudHub DLB name cannot start with `internal-`. Starting the DLB name with `internal-` results in error message: `LB name=internal-dlb-name cannot start with -internal`. -== Enable TLS 1.0 on a DLB Using the CloudHub API - -// TLS 1.0 Support -include::partial$tls-support.adoc[tag=tlsSupport] - -To enable TLS 1.0 support on a DLB using the CloudHub API: - -. Run the following command: -+ --- -[source,linenums] ----- -curl -X PATCH \ - https://anypoint.mulesoft.com/cloudhub/api/organizations/myOrgID/vpcs/myVpcID/loadbalancers/myDlbID \ - -H 'authorization: Bearer myAccessToken' \ - -H 'content-type: application/json' \ - -d '[ - { - "op": "replace", - "path": "/sslEndpoints/0/tlsv1", - "value": "true" - } -]' ----- -In the command: - -* `_myOrgID_` is the organization ID. -* `_myVpcID_` is the ID for the VPC. -* `_myDlbID_` is the ID for the DLB. -* `_myAccessToken_` is the access token you generated. - -The response includes the following: - -`"tlsv1": true,` --- -. Change the default cipher suite to `OldDefault`. -+ -See xref:lb-cert-validation.adoc#change-the-default-cipher-suite-to-support-tls-1-0[Change the Default Cipher Suite to Support TLS 1.0]. - - == See Also * https://anypoint.mulesoft.com/exchange/portals/anypoint-platform/f1e97bc6-315a-4490-82a7-23abe036327a.anypoint-platform/cloudhub-api/1.0.13/console/method/%233964/[CloudHub API Create New Load Balancer] diff --git a/cloudhub/modules/ROOT/pages/lb-create-arm.adoc b/cloudhub/modules/ROOT/pages/lb-create-arm.adoc index 98521388d..9afe7313d 100644 --- a/cloudhub/modules/ROOT/pages/lb-create-arm.adoc +++ b/cloudhub/modules/ROOT/pages/lb-create-arm.adoc 
@@ -64,10 +64,6 @@ For more information about static IP addresses, see xref:cloudhub-dedicated-load * *Keep URL encoding* specifies that the DLB passes only the `%20` and `%23` characters as is. + If you deselect this option, the DLB decodes the encoded part of the request URI before passing it to the CloudHub worker. -+ -* *Support TLS 1.0* specifies to support TLS 1.0 between the client and the DLB. -+ -To use TLS 1.0, see <>. * *Upstream TLS 1.2* specifies to force TLS 1.2 between the DLB and the upstream CloudHub worker. * *Forward Client Certificate* specifies that the DLB forwards the client certificate to the CloudHub worker. . Add a certificate. @@ -92,18 +88,6 @@ Click *Add New Rule*, and then specify the input path, target app, output path, .. Click *Save Certificate*. . Click *Create Load Balancer*. -== Enable TLS 1.0 on a DLB Using Runtime Manager - -// TLS 1.0 Support -include::partial$tls-support.adoc[tag=tlsSupport] - -To enable TLS support: - -. Select the *Support TLS 1.0* option. -. Using the API, change the default cipher suite to `OldDefault`. -+ -See xref:lb-cert-validation.adoc#change-the-default-cipher-suite-to-support-tls-1-0[Change the Default Cipher Suite to Support TLS 1.0]. - == See Also diff --git a/cloudhub/modules/ROOT/pages/lb-create-cli.adoc b/cloudhub/modules/ROOT/pages/lb-create-cli.adoc index 34cd0008d..4eed301e6 100644 --- a/cloudhub/modules/ROOT/pages/lb-create-cli.adoc +++ b/cloudhub/modules/ROOT/pages/lb-create-cli.adoc 
@@ -33,29 +33,6 @@ include::partial$no-rename.adoc[tag=noRenameDLB] The CloudHub DLB name cannot start with `internal-`. -== Enable TLS 1.0 on a DLB Using the CLI - -// TLS 1.0 Support -include::partial$tls-support.adoc[tag=tlsSupport] - -To enable TLS 1.0 support on a DLB using the CLI: - -. Run the following command to re-create the SSL endpoint for the _myLB_name_ load balancer and add TLS 1.0 support: -+ -[source,linenums] ----- -cloudhub load-balancer ssl-endpoint add --tlsv1 myLB_name certificateName privateKey ----- -. Run the following command to set _certificateName_ as the default SSL endpoint for the _myLB_name_ load balancer: -+ -[source,linenums] ----- -cloudhub load-balancer ssl-endpoint set-default myLB_name certificateName ----- -. Using the API, change the default cipher suite to `OldDefault`. -+ -See xref:lb-cert-validation.adoc#change-the-default-cipher-suite-to-support-tls-1-0[Change the Default Cipher Suite to Support TLS 1.0]. - == See Also * xref:cloudhub-cli.adoc#cloudhub-load-balancer-create[cloudhub load-balancer create]
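Review bot: In the `tls-support.adoc` hunk, the partial is left as an empty tagged region (`//tag::tlsSupport[]` followed directly by `// end::tlsSupport[]`) once the eight lines are removed. Since this same change deletes every `include::partial$tls-support.adoc[tag=tlsSupport]` line (in the `lb-create-api.adoc`, `lb-create-arm.adoc` and `lb-create-cli.adoc` hunks), delete the partial file outright rather than keeping a stub that nothing includes.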
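Review bot: In the `dedicated-load-balancer-tutorial.adoc` hunk, rewording `TLS versions 1.1 and TLS 1.2` to `TLS 1.2` silently drops TLS 1.1 for the shared load balancer; a reader of the previous version has no way to tell whether 1.1 was deliberately removed. Consider stating the change explicitly, for example "The shared load balancer supports TLS 1.2 only. TLS 1.0 and TLS 1.1 are not supported."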
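Review bot: In the `lb-cert-validation.adoc` hunk at `@@ -183`, removing both `TLS 1.1 is disabled and is not supported by default.` and the PCI-compliance sentence leaves only `The CloudHub dedicated load balancer supports TLS 1.2.`, which no longer tells the reader that older protocol versions are rejected. Keep a one-line statement that TLS 1.0 and TLS 1.1 are not supported on the DLB (the reason given in the removed line, that PCI compliance does not accept them, is still worth keeping), so the DLB page agrees with the shared-load-balancer wording in the tutorial hunk.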
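Review bot: In the `lb-cert-validation.adoc` hunk at `@@ -249`, deleting the whole "Change the Default Cipher Suite to Support TLS 1.0" section also removes the only documented procedure for changing `defaultCipherSuiteName` at all (the `curl -X PATCH ... -d '[{"op":"replace", "path":"/defaultCipherSuiteName", ...}]'` command). DLBs that were previously switched to `OldDefault` still need a documented path back to `NewDefault` (the value the removed `tls-support.adoc` partial recommended), or a statement that the platform migrates existing DLBs automatically. Also verify that the expanded `"defaultCipherSuite": "...:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"` list is not referenced elsewhere, and that the `openssl s_client ... -tls1` and `curl --tlsv1.0` verification steps are not still linked from other pages.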
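Review bot: In the `lb-cert-validation.adoc` hunk at `@@ -334`, the three removed xrefs target the anchors `enable-tls-1-0-on-a-dlb-using-runtime-manager`, `enable-tls-1-0-on-a-dlb-using-the-cli` and `enable-tls-1-0-on-a-dlb-using-the-cloudhub-api`, whose sections are deleted in this same change. Confirm with a repo-wide search that no other page or the navigation file still links to these anchors or to `change-the-default-cipher-suite-to-support-tls-1-0`, since dangling xrefs would break the Antora build.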
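Review bot: In the `lb-create-api.adoc` hunk, removing the section leaves the `"path": "/sslEndpoints/0/tlsv1"` property undocumented without saying what the API now does with it. Existing DLB configurations and automation may still send `"tlsv1": true`; add a sentence stating whether the field is rejected, ignored, or forced to `false`, so API users understand the behaviour change rather than just losing the instructions.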
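Review bot: In the first `lb-create-arm.adoc` hunk at `@@ -64`, the removed bullet `* *Support TLS 1.0* specifies to support TLS 1.0 between the client and the DLB.` describes a Runtime Manager checkbox; confirm the option has actually been removed from the UI in the same release, otherwise users will see an undocumented control. Removing `To use TLS 1.0, see <>.` is fine in any case, as the `<>` xref target was empty and rendered as a broken link.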
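Review bot: In the `lb-create-cli.adoc` hunk, the removed command `cloudhub load-balancer ssl-endpoint add --tlsv1 myLB_name certificateName privateKey` shows that the CLI exposes a `--tlsv1` flag; the retained See Also entry still points to `xref:cloudhub-cli.adoc#cloudhub-load-balancer-create`, so the CLI reference page should be updated in the same change to either drop the flag or state that it is now ignored.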