Problem
The Vault server configuration supports a tls_cipher_suites arg in the TLS listener: https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_cipher_suites. But run-vault does not support updating this arg.
How I'm using the modules
I am making use of the vault-elb and vault-cluster modules, running install-vault through my Packer image as recommended. One of the changes I made to the default settings was using ECDSA P384 encryption for my TLS certificate.
What problems are caused
My vault server instances work just fine when I ssh onto them. I was able to init the Vault instances with a vault operator init, and vault status looks as I'd expect. The issue is that I cannot communicate with the DNS entry I set up in front of the load balancer, as the health checks are failing.
Running journalctl -b --no-pager -u vault | tail -n 3 on the Vault server, I see that the error is:
http: TLS handshake error from <lb_ip>:9098: tls: no cipher suite supported by both client and server
Proposed Solution
If possible, I'd like to request a new flag in the run-vault script that would optionally add a tls_cipher_suites param to the tcp listener. After this, if needed, users of these modules could update those flags in their user data, which are much easier to change than the run-vault/install-vault scripts.
If desired, I could add support for these flags, so that a run-vault command could look something like:
Please let me know your thoughts!