openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/tls-profiles-understanding.adoc
Sebastian Kopacz 40f1dc767c OSDOCS-12900: Increasing rec visibility
2025-04-08 16:45:43 +00:00

65 lines
2.8 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * security/tls-security-profiles.adoc
:_mod-docs-content-type: CONCEPT
[id="tls-profiles-understanding_{context}"]
= Understanding TLS security profiles
You can use a TLS (Transport Layer Security) security profile to define which TLS ciphers are required by various {product-title} components. The {product-title} TLS security profiles are based on link:https://wiki.mozilla.org/Security/Server_Side_TLS[Mozilla recommended configurations].
You can specify one of the following TLS security profiles for each component:
.TLS security profiles
[cols="1,2a",options="header"]
|===
|Profile
|Description
|`Old`
|This profile is intended for use with legacy clients or libraries. The profile is based on the link:https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility[Old backward compatibility] recommended configuration.
The `Old` profile requires a minimum TLS version of 1.0.
[NOTE]
====
For the Ingress Controller, the minimum TLS version is converted from 1.0 to 1.1.
====
|`Intermediate`
|This profile is the default TLS security profile for the Ingress Controller, kubelet, and control plane. The profile is based on the link:https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29[Intermediate compatibility] recommended configuration.
The `Intermediate` profile requires a minimum TLS version of 1.2.
[NOTE]
====
This profile is the recommended configuration for the majority of clients.
====
|`Modern`
|This profile is intended for use with modern clients that have no need for backwards compatibility. This profile is based on the link:https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility[Modern compatibility] recommended configuration.
The `Modern` profile requires a minimum TLS version of 1.3.
|`Custom`
|This profile allows you to define the TLS version and ciphers to use.
[WARNING]
====
Use caution when using a `Custom` profile, because invalid configurations can cause problems.
====
|===
[NOTE]
====
When using one of the predefined profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade to release X.Y.Z+1 might cause a new profile configuration to be applied, resulting in a rollout.
====
// TODO: Make sure all this is captured somewhere as necessary
// [IMPORTANT]
// ====
// The HAProxy Ingress Controller image does not support TLS `1.3` and because the `Modern` profile requires TLS `1.3`, it is not supported. The Ingress Operator converts the `Modern` profile to `Intermediate`.
//
// The Ingress Operator also converts the TLS `1.0` of an `Old` or `Custom` profile to `1.1`, and TLS `1.3` of a `Custom` profile to `1.2`.
// ====
View Git Blame Copy Permalink