mozilla / server-side-tls

Server side TLS Tools
https://ssl-config.mozilla.org
Mozilla Public License 2.0
1.12k stars 142 forks source link

GCP LB configs #277

Open g-k opened 4 years ago

g-k commented 4 years ago

This came up for https://bugzilla.mozilla.org/show_bug.cgi?id=1658150

TLS versions and cipher suites align with the Moz guidelines except for some confusing name differences (Moz Old ~= GCP Compatible; Moz Intermediate ~= GCP Modern; Moz Modern ~= GCP Restricted). So the config recommendations could be to use those renamed profiles.

COMPATIBLE. Allows the broadest set of clients, including clients that support only out-of-date SSL features, to negotiate SSL with the load balancer. MODERN. Supports a wide set of SSL features, allowing modern clients to negotiate SSL. RESTRICTED. Supports a reduced set of SSL features, intended to meet stricter compliance requirements.

https://cloud.google.com/load-balancing/docs/ssl-policies-concepts

janbrasna commented 3 weeks ago

Every company has their own naming rules for similar recommendations, often changing the defaults without notice (so it's not realistic to try to be kept in sync in any way…), and looking at the GCP LB policies (that are only one such instance, for that product specifically), it's already quite diverging from current Mozilla guidelines. And probably only will more and more over time…

So I'd say it's better to not resemble any of the naming, to avoid confusing people whenever possible.

(Actually the Google Cloud Load Balancing profiles resemble Amazon Elastic Load Balancer profiles in parts of the naming… and is pretty different to Mozilla defaults.)

  1. Their both "compatible" and "modern" mostly fall within our "old" (!!)
  2. Their "restricted" resembles parts of our "intermediate" (=our default)
  3. Our "modern" is what would match their "custom" settings for QUIC or TLS1.3+ only