Merged
Changes from 1 commit
25 changes: 19 additions & 6 deletions docs/src/how-to/install/tls.md
Expand Up @@ -17,23 +17,36 @@ The following table lists recommended ciphers for TLS server setups, which shoul
| TLS_CHACHA20_POLY1305_SHA256 | TLSv1.3 | no | no | **modern** |

```{note}
If you enable TLSv1.3, openssl does always enable the three default cipher suites for TLSv1.3.
Therefore it is not necessary to add them to openssl based configurations.
If you enable TLSv1.3, OpenSSL does always enable the three default cipher suites for TLSv1.3.
Therefore it is not necessary to add them to OpenSSL based configurations.
```

(ingress-traffic)=

## Ingress Traffic (wire-server)

The list of TLS ciphers for incoming requests is limited by default to the [following](https://github.com/wireapp/wire-server/blob/master/charts/ingress-nginx-controller/values.yaml#L41-45) (for general server-certificates, both for federation and client API), and can be overridden on your installation if needed.
TLS ciphers for incoming requests is by default configured as a [limted set of ciphers](https://github.com/wireapp/wire-server/blob/master/charts/ingress-nginx-controller/values.yaml) (for general server-certificates, both for federation and client API), and can be overridden on your installation if needed.
```{grepinclude} ../charts/ingress-nginx-controller/values.yaml ssl-protocols:
---
lines-before: 0
lines-after: 4
language: yaml
---
```

## Egress Traffic (wire-server/federation)

The list of TLS ciphers for outgoing federation requests is currently hardcoded, the list is [here](https://github.com/wireapp/wire-server/blob/master/services/federator/src/Federator/Remote.hs#L164-L180).
The list of ciphers for outgoing federation requests is currently restricted to a subset of "Wire default" [TLSv1.2 ciphers](https://github.com/wireapp/wire-server/blob/develop/services/federator/src/Federator/Monitor/Internal.hs#L397) in accordance with BSI recommendations. TLSv1.3 is not supported as of yet.
```{grepinclude} ../services/federator/src/Federator/Monitor/Internal.hs blessedTLS12Ciphers =
---
lines-before: 0
lines-after: 6
---
```

## SFTD (ansible)

The list of TLS ciphers for incoming SFT requests (and metrics) are defined in ansible templates [sftd.vhost.conf.j2](https://github.com/wireapp/ansible-sft/blob/develop/roles/sft-server/templates/sftd.vhost.conf.j2#L19) and [metrics.vhost.conf.j2](https://github.com/wireapp/ansible-sft/blob/develop/roles/sft-server/templates/metrics.vhost.conf.j2#L13).
The list of TLS ciphers for incoming SFT requests (and metrics) are defined in ansible templates [sftd.vhost.conf.j2](https://github.com/wireapp/ansible-sft/blob/develop/roles/sft-server/templates/sftd.vhost.conf.j2#L23) and [metrics.vhost.conf.j2](https://github.com/wireapp/ansible-sft/blob/develop/roles/sft-server/templates/metrics.vhost.conf.j2#L17).

## SFTD (kubernetes)
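Review bot: the rewritten Ingress sentence introduces a typo ("limted") and a number-agreement slip ("TLS ciphers for incoming requests is by default configured"); suggest "TLS ciphers for incoming requests are by default restricted to a limited set of ciphers". Beyond wording, both new `{grepinclude}` directives select their snippet by a fixed `lines-after` count (4 after `ssl-protocols:`, 6 after `blessedTLS12Ciphers =`), so a line added or removed in values.yaml or Internal.hs will silently shift which lines the rendered page shows without breaking the build; anchoring on the line that actually opens the cipher list, or a build-time check that the included text still contains a cipher name, would make that drift visible. The second directive also omits the `language:` field the first one sets (`language: yaml`), so the Haskell snippet will render unhighlighted. Finally, the new egress link points at the `develop` branch with a `#L397` line anchor while the rest of the page links to `master`, and the SFTD links are merely bumped from `#L19`/`#L13` to `#L23`/`#L17`; line anchors on a moving branch go stale on the next edit, so a permalink to a commit hash (or no line anchor at all, since the grepinclude now shows the content) would not need this kind of maintenance. The pre-existing "The list ... are defined" in the SFTD paragraph should read "is defined".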

Expand All @@ -42,7 +55,7 @@ Kubernetes based deployments make use of the settings from {ref}`ingress-traffic

## Coturn (kubernetes)

The list of TLS ciphers for "TLS over TCP" TURN are defined in the [coturn helm chart](https://github.com/wireapp/wire-server/blob/master/charts/coturn/)
The list of TLS ciphers for "TLS over TCP" TURN are defined in the [coturn helm chart](https://github.com/wireapp/wire-server/blob/master/charts/coturn/values.yaml#L32)

```{grepinclude} ../charts/coturn/values.yaml ciphers:
---
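Review bot: the updated coturn link adds a `#L32` line anchor on `master`, which the `{grepinclude} ../charts/coturn/values.yaml ciphers:` block directly below already makes unnecessary, because the directive pulls the current `ciphers:` lines from the chart at build time; a link to the file without a line anchor would not go stale when values.yaml changes. Minor: the sentence still ends without a period, and "The list of TLS ciphers ... are defined" should be "is defined".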
10 changes: 7 additions & 3 deletions nix/default.nix
Expand Up @@ -52,9 +52,13 @@ let
nativeBuildInputs = docsPkgs ++ [ pkgs.gnumake ];
}
''
cp -rH ${pkgs.nix-gitignore.gitignoreSource [] ../docs}/* .
chmod -R +w ./src
cp ${../CHANGELOG.md} ./src/changelog/changelog.md
mkdir docs charts services
cp -rH ${pkgs.nix-gitignore.gitignoreSource [] ../docs}/* docs/
cp -rH ${pkgs.nix-gitignore.gitignoreSource [] ../charts}/* charts/
cp -rH ${../services}/* services/
chmod -R +w ./docs/src
cp ${../CHANGELOG.md} ./docs/src/changelog/changelog.md
cd docs
make docs-all
mkdir $out
cp -r build/* $out/
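Review bot: `cp -rH ${../services}/* services/` copies the whole services tree into the documentation derivation without the `pkgs.nix-gitignore.gitignoreSource [] ...` filter that the `../docs` and `../charts` lines on the same hunk use, so any untracked or ignored file under services/ (local build output, editor files) ends up in the Nix store and in the build sandbox, and every change anywhere under services/ invalidates the docs build. Suggest `cp -rH ${pkgs.nix-gitignore.gitignoreSource [] ../services}/* services/` for consistency, or better, copying only the one file the new `{grepinclude}` needs (`services/federator/src/Federator/Monitor/Internal.hs`) so the docs derivation depends on nothing else. It is also worth stating in the commit message whether the deletion of `services/run-services` in this same commit is a consequence of this unfiltered copy; as shown, a reader cannot tell. The rest of the hunk (`mkdir docs charts services`, `chmod -R +w ./docs/src`, `cd docs` before `make docs-all`) reads correctly, and copying the CHANGELOG into `./docs/src/changelog/changelog.md` after the chmod keeps the earlier ordering.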
1 change: 0 additions & 1 deletion services/run-services

This file was deleted.
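Review bot: the removal of `services/run-services` has no visible connection to the TLS documentation change in the other two files, and the rendered diff shows none of its contents, so a reviewer cannot tell whether anything (a Makefile target, a CI job, a developer how-to) still invokes it. A sentence in the commit message explaining why it goes, or moving the deletion to its own commit, would make this reviewable; if it was removed because the new unfiltered `cp -rH ${../services}/* services/` in nix/default.nix was picking it up, filtering that copy instead would keep the script.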