HTTPS Protocols

Enclave offer a few ways to configure the protocols used by your HTTP(S) Endpoints for HTTPS termination through a set of Configuration variables:

SSL_PROTOCOLS_OVERRIDE: Control SSL / TLS Protocols

The SSL_PROTOCOLS_OVERRIDE variable lets you customize the SSL Protocols allowed on your Endpoint.

Available protocols depend on your Endpoint platform:

  • For ALB Endpoints: you can choose from these 3 combinations:

    • TLSv1 TLSv1.1 TLSv1.2 (default)
    • TLSv1.1 TLSv1.2
    • TLSv1.2
  • For Legacy ELB endpoints: the format is that of Nginx’s ssl_protocols directive. Pay very close attention to the format as a bad variable will prevent the proxies from starting.

Tip

The format for ALBs and ELBs is effectively identical: the only difference is the supported protocols.

This means that if you have both ELB Endpoints and ALB Endpoints on a given app, or if you’re upgrading from ELB to ALB, things will work as expected as long as you use protocols supported by ALBs, which are stricter.

SSL_CIPHERS_OVERRIDE: Control ciphers

Note

This variable is only available on Legacy ELB endpoints.

On ALB Endpoints, you normally don’t need to customize the ciphers available.

This variable lets you customize the SSL Ciphers used by your Endpoint.

The format is a string accepted by Nginx for its ssl_ciphers directive.

Pay very close attention to the required format, as here again a bad variable will prevent the proxies from starting.

DISABLE_WEAK_CIPHER_SUITES: an opinionated policy for ELBs

Note

This variable is only available on Legacy ELB endpoints.

On ALB Endpoints, weak ciphers are disabled by default, so that setting has no effect.

Setting this variable to true (it has to be the exact string true) causes your Endpoint to stop accepting traffic over the SSLv3 protocol or using the RC4 cipher.

We strongly recommend setting this variable to true on all ELB Endpoints nowadays. Or, better, yet, upgrade to ALB Endpoints, where that’s the default.

Examples

Note

If your app is deployed on Legacy “v1” Infrastructure, you will need to restart your app after running aptible config:set for the setting changes to take effect, using aptible restart.

To set those variables, you’ll need to use aptible config:set.

Set SSL_PROTOCOLS_OVERRIDE

aptible config:set --app "$APP_HANDLE" \
        "SSL_PROTOCOLS_OVERRIDE=TLSv1.1 TLSv1.2"

Set DISABLE_WEAK_CIPHER_SUITES

# Note: the value to enable DISABLE_WEAK_CIPHER_SUITES is the string "true"
# Setting it to e.g. "1" won't work.
aptible config:set --app "$APP_HANDLE" \
        DISABLE_WEAK_CIPHER_SUITES=true