TLS Connections in PCF Deployments

Pivotal Cloud Foundry (PCF) uses the Transport Layer Security (TLS) protocol to secure connections between its internal components and between those components and customer hardware.

Within a PCF deployment, TLS secures connections between components like the Ops Manager Director and service tiles. PCF components also use TLS connections to secure communications with external hardware, such as customer load balancers.

By default, PCF restricts both the TLS versions and the cipher suites it uses to secure these connections.

TLS Cipher Suites

Internal PCF communications use a fixed, limited set of cipher suites. Some components that terminate connections from clients outside PCF, like Gorouter, may support additional TLS cipher suites to accommodate older clients.

For components that allow you to configure TLS cipher suites, only specify the TLS cipher suites that you need.

TLS Cipher Suite Recommendations

The only supported version of TLS in PCF v1.11 is TLS v1.2.

The TLS cipher suites used for internal PCF communications are listed below by their IANA names. The Gorouter and HAProxy sections that follow use OpenSSL notation for the same suites, so TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 here is ECDHE-RSA-AES128-GCM-SHA256 there. All four use ephemeral (DHE or ECDHE) key exchange, which provides forward secrecy, with AES-GCM authenticated encryption:

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Gorouter Configuration

The default TLS cipher suites for Gorouter are:

  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384

You can specify other TLS v1.2 cipher suites if your deployment requires them, but specify only the cipher suites that you need. For a list of cipher suites that are optionally supported by Gorouter, see Securing Traffic into Cloud Foundry.

For instructions on how to configure TLS cipher suites for Gorouter, see the Elastic Runtime installation documentation for the IaaS of your deployment. For example, if you are deploying Elastic Runtime on GCP, see Step 6: Configure Networking.

HAProxy Configuration

The default TLS cipher suites for HAProxy are:

  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384

You can specify other TLS v1.2 cipher suites if your deployment requires them, but specify only the cipher suites that you need. For a list of other TLS cipher suites that are optionally supported by HAProxy, see ciphers - Cipher Suite Names in the OpenSSL documentation.

For instructions on how to configure TLS cipher suites for HAProxy, see the Elastic Runtime installation documentation for the IaaS of your deployment. For example, if you are deploying Elastic Runtime on GCP, see Step 6: Configure Networking.
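What a restricted cipher list does at the wire level, for both the Gorouter and the HAProxy configuration above, is easiest to see in an actual handshake. The following Go program is an added example and is not PCF, Gorouter or HAProxy code. It stands up a TLS 1.2 server limited to the two suites listed as Gorouter's defaults (Go's crypto/tls implements no finite-field DHE suites, so HAProxy's two DHE defaults cannot be expressed in it), then performs one in-memory handshake from a client that offers an allowed suite and one from a client that offers only a CBC suite. The throwaway certificate, its hostname router.example.test and the client suite lists are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// routerSuites holds the two suites the page lists as Gorouter's defaults,
// spelled as Go's IANA-style constants (OpenSSL: ECDHE-RSA-AES128-GCM-SHA256
// and ECDHE-RSA-AES256-GCM-SHA384).
var routerSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// selfSignedCert generates a throwaway RSA certificate so the example runs
// offline. The subject name is made up for the example; never reuse such a
// certificate for real traffic.
func selfSignedCert() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "router.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serverConfig is the restricted side: TLS 1.2 only, and only the suites above.
// Leaving CipherSuites nil would accept every suite Go enables by default.
func serverConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: routerSuites,
	}
}

// negotiate runs one TLS 1.2 handshake over an in-memory pipe between the
// restricted server and a client that offers only clientSuites. It returns
// the negotiated suite's name, or the error the handshake failed with.
func negotiate(cert tls.Certificate, clientSuites []uint16) (string, error) {
	srvConn, cliConn := net.Pipe()
	deadline := time.Now().Add(10 * time.Second)
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)
	// Close the raw pipe ends rather than the TLS conns: the example only
	// cares about negotiation, not about a clean close_notify exchange.
	defer srvConn.Close()
	defer cliConn.Close()
	srv := tls.Server(srvConn, serverConfig(cert))
	cli := tls.Client(cliConn, &tls.Config{
		InsecureSkipVerify: true, // self-signed test cert; the point is suite selection
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12,
		CipherSuites:       clientSuites,
	})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cliErr := cli.Handshake()
	if err := <-srvErr; err != nil {
		return "", err
	}
	if cliErr != nil {
		return "", cliErr
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	// A client speaking one of the allowed suites succeeds.
	name, err := negotiate(cert, []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256})
	fmt.Println("allowed client:", name, err)
	// A client that only speaks a CBC suite is refused by the server.
	_, err = negotiate(cert, []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA})
	fmt.Println("legacy client:", err)
}
```

Run it with go run: the first handshake reports the negotiated suite and the second fails because the server has no suite in common with the client. The same probe against a deployed Gorouter or HAProxy is openssl s_client -connect <host>:443 -tls1_2 -cipher <suite>, once per suite you expect to be refused; a handshake that succeeds with a suite outside your configured list means the restriction is not in effect where you think it is.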
