Blacklist Ciphersuites?

vikas027 · January 5, 2022, 2:14am

I know we can specify cipher suites like this but is there a way to blacklist certain ciphers as well?

tls:
  options:
    default:
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Yggdrasil · January 11, 2022, 8:12pm

I don't think that's possible, nor should it be necessary. A whitelist is the safer way. The list of safe ciphers is shorter than the blacklist would be anyway.

Instead enable the recommended setting [preferServerCipherSuites](https://doc.traefik.io/traefik/https/tls/#prefer-server-cipher-suites) and list the suites you want to allow. Due to preferServerCipherSuites the client won't be allowed to choose any other than you listed.

You can use Mozilla's config generator to create the list of recommended ciphers. See Mozilla SSL Configuration Generator

Topic		Replies	Views
Improving the SSL rating Traefik v2 (latest)	5	7760	December 11, 2019
No answer from traefik with specific cipher suite Traefik v2 (latest) tcp	2	261	June 9, 2023
TLS Ciphers Supported and Org Policies Traefik v2 (latest) docker	1	30	April 11, 2024
Traefik docker config for tls options Traefik v2 (latest) docker , file	17	7657	February 16, 2021
preferServerCipherSuites forced with minVersion Traefik v2 (latest) letsencrypt-acme	2	382	May 13, 2020

Blacklist Ciphersuites?

Related Topics