Configure TLS for your Vault TCP listener
You can configure your TCP listener to use specific versions of TLS and specific ciphersuites.
Assumptions
- Your Vault instance is not currently running. If your Vault cluster is running, you must restart the cluster gracefully to apply changes to your TCP listener. SIGHIP will not reload your TLS configuration.
- You have a valid TLS certificate file.
- You have a valid TLS key file.
- You have a valid CA file (if required).
Example TLS 1.3 configuration
If a reasonably modern set of clients are connecting to a Vault instance, you
can configure the tcp
listener stanza to only accept TLS 1.3 with the
tls_min_version
parameter:
Vault does not accept explicit ciphersuite configuration for TLS 1.3 because the Go team has already designated a select set of ciphers that align with the broadly-accepted Mozilla Security/Server Side TLS guidance for modern TLS configuration.
Example TLS 1.2 configuration
To use TLS 1.2 with a non-default set of ciphersuites, you can set 1.2 as the
minimum and maximum allowed TLS version and explicitly define your preferred
ciphersuites with tls_ciper_suites
and one or more of the ciphersuite
constants from the ciphersuite configuration parser. For example:
You must set the minimum and maximum TLS version to disable TLS 1.3, which does
not support explicit cipher selection. The priority order of the ciphersuites
in tls_cipher_suites
is determined by the tls
Go package.
Note
The TLS 1.2 configuration example excludes any 3DES ciphers to avoid potential exposure to the Sweet32 attack (CVE-2016-2183). You should customize the ciphersuite list as needed to meet your environment-specific security requirements.
Verify your TLS configuration
You can verify your TLS configuration using an SSL scanner such as
sslscan
.