The MedStack Control load balancer service allows users to specify the cipher suite used for TLS encryption. Instances of the load balancer service created before the cipher suite option was available use a collection of ciphers that is not specific to any OWASP category. This collection is marked as Legacy.
On the load balancer's service details page, you can see the cipher suite provisioned in the load balancer.
Available cipher suites
There are currently two (2) cipher suites available to pick from. You can learn more about the load balancer's cipher suites here.
Legacy cipher suite
The legacy cipher suite contains the following ciphers:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
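The following is an added example, not MedStack code: it parses the IANA names in the Legacy list above and reports what each name reveals about key exchange and cipher mode. The concern labels and function names are assumptions chosen for illustration and are not MedStack's or OWASP's categories.

```python
# Added example: read security properties out of the IANA names of the
# Legacy suite listed above. Labels are illustrative, not OWASP categories.
LEGACY_SUITES = """
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
""".split()


def classify(name):
    """Parse TLS_<kx>_WITH_<cipher>_<hash> and list the concerns the name reveals."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not a TLS 1.2 style suite name: %r" % name)
    key_exchange, rest = name[len("TLS_"):].split("_WITH_", 1)
    cipher, _, digest = rest.rpartition("_")
    concerns = []
    if not key_exchange.startswith(("ECDHE", "DHE")):
        concerns.append("no forward secrecy")        # static RSA key exchange
    if "3DES" in cipher:
        concerns.append("64-bit block cipher")       # 3DES
    if "CBC" in cipher:
        concerns.append("CBC mode with HMAC (non-AEAD)")
    return {"name": name, "key_exchange": key_exchange, "cipher": cipher,
            "hash": digest, "concerns": concerns}


def suites_with(concern, suites=LEGACY_SUITES):
    """Names of the suites whose classification includes the given concern."""
    return [s for s in suites if concern in classify(s)["concerns"]]


def clean_suites(suites=LEGACY_SUITES):
    """Suites whose name reveals none of the concerns checked above."""
    return [s for s in suites if not classify(s)["concerns"]]


if __name__ == "__main__":
    for s in LEGACY_SUITES:
        print("%-45s %s" % (s, ", ".join(classify(s)["concerns"]) or "ok"))
```

Only the three ECDHE suites using GCM or ChaCha20-Poly1305 come back with no concerns; the remaining eight lack forward secrecy, use CBC mode, use 3DES, or combine these.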
Upgrading from Legacy to an available cipher suite
To upgrade from the Legacy cipher suite to an available cipher suite, you'll need to perform the following steps:
- Go to the service details page for the load balancer service
- Delete the load balancer service*
- Create the load balancer service, selecting one of the available cipher suites.
* While the load balancer service is deleted, services running inside Docker will not be accessible from the open internet. Once the load balancer has been created again, services with domains mapped will be accessible from the internet.