Introduction
Problem
Configuring Terraform Enterprise to serve only specific TLS 1.3 cipher suites results in an unavailable environment.
Terraform Enterprise is configured with these two additional parameters:
Terraform Enterprise FDO
TFE_TLS_CIPHERS: "TLS_AES_256_GCM_SHA384"
TFE_TLS_VERSION: "tls_1_3"
Terraform Enterprise replicated
replicatedctl app-config set tls_ciphers --value "ECDHE-RSA-AES256-GCM-SHA384"
replicatedctl app-config set tls_vers --value "tls_1_3"
You see the following errors in the logs of the Terraform Enterprise container:
docker logs terraform-enterprise-tfe-1
2024-06-12 12:39:51,302 INFO spawned: 'nginx' with pid 1090
2024-06-12 12:39:51,619 INFO exited: nginx (exit status 1; not expected)
{"log":"2024-06-12 12:39:51,302 INFO spawned: 'nginx' with pid 1090","component":"supervisord"}
{"log":"2024-06-12 12:39:51,619 INFO exited: nginx (exit status 1; not expected)","component":"supervisord"}
2024-06-12 12:39:52,120 INFO gave up: nginx entered FATAL state, too many start retries too quickly
{"log":"2024-06-12 12:39:52,120 INFO gave up: nginx entered FATAL state, too many start retries too quickly","component":"supervisord"}
Nginx is failing to start properly.
Prerequisites
- You are using Terraform Enterprise version 202405-1 or earlier
Cause
The issue is that the parameter TFE_TLS_CIPHERS does not alter the nginx configuration correctly: the configuration is designed for TLS 1.2 cipher suites.
For example, the following correctly specifies TLS 1.2 with specific ciphers:
Terraform Enterprise FDO
TFE_TLS_CIPHERS: "ECDHE-RSA-AES256-SHA"
TFE_TLS_VERSION: "tls_1_2"
Terraform Enterprise replicated
replicatedctl app-config set tls_ciphers --value "ECDHE-RSA-AES256-SHA"
replicatedctl app-config set tls_vers --value "tls_1_2"
Testing the connection to verify that the TLS 1.2 cipher is used:
echo -n | openssl s_client -connect tfe66.aws.munnep.com:443 -no_tls1_3
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Solution
At the time of writing this KB article, specifying a specific TLS 1.3 cipher is not supported. The only option is to allow the complete TLS 1.3 cipher suite:
Terraform Enterprise FDO:
TFE_TLS_CIPHERS: ""
TFE_TLS_VERSION: "tls_1_3"
Terraform Enterprise replicated:
replicatedctl app-config set tls_ciphers --value ""
replicatedctl app-config set tls_vers --value "tls_1_3"
When verifying this, you see the TLS 1.3 cipher suite being used:
echo | openssl s_client -connect <your_fqdn>:443 -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
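The two openssl s_client checks above (the TLS 1.2 check in the Cause section and the TLS 1.3 check here) are easy to misread by eye, so the following script is an added example, not part of this KB article or of Terraform Enterprise, that turns them into a pass/fail check. It parses captured s_client output for the negotiated protocol and cipher and compares them against what you expect; the probe function that talks to a live host assumes openssl(1) is on PATH and a hostname you supply as the first argument, while the parsing functions run offline on constructed sample output modelled on the two results shown in this article.

```shell
#!/usr/bin/env bash
# Added example (not HashiCorp's code): verify which protocol and cipher a
# TLS endpoint actually negotiates, based on openssl s_client output.

# Negotiated cipher, taken from the "New, <ver>, Cipher is <cipher>" line.
parse_cipher() {
  # $1: full text of openssl s_client output
  printf '%s\n' "$1" | sed -n 's/^New, [^,]*, Cipher is \(.*\)$/\1/p' | head -n 1
}

# Negotiated protocol. The "Protocol  : TLSv1.x" line of the SSL-Session block
# is authoritative; the version on the "New," line is only used as a fallback
# because OpenSSL prints the cipher's own minimum version there.
parse_protocol() {
  local p
  p=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*$/\1/p' | head -n 1)
  if [ -z "$p" ]; then
    p=$(printf '%s\n' "$1" | sed -n 's/^New, \([^,]*\), Cipher is .*$/\1/p' | head -n 1)
  fi
  printf '%s\n' "$p"
}

# Return 0 when the output shows the expected protocol and cipher, 1 otherwise.
check_negotiated() {
  # $1: s_client output, $2: expected protocol (e.g. TLSv1.3), $3: expected cipher
  [ "$(parse_protocol "$1")" = "$2" ] && [ "$(parse_cipher "$1")" = "$3" ]
}

# Probe a live endpoint (interactive use only; the offline checks never call it).
probe() {
  # $1: host:port; remaining arguments are passed to s_client (e.g. -tls1_3)
  local target=$1; shift
  echo | openssl s_client -connect "$target" "$@" 2>/dev/null
}

# Constructed sample outputs (not captured from a real server), modelled on the
# two verification results shown in the KB article.
SAMPLE_TLS12='Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2'
SAMPLE_TLS13='Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3'

# Usage: ./tlscheck.sh <your_fqdn>  (hypothetical script name)
# Runs the TLS 1.3 check from the Solution section against a live host.
if [ -n "${1:-}" ]; then
  out=$(probe "$1:443" -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384)
  if check_negotiated "$out" TLSv1.3 TLS_AES_256_GCM_SHA384; then
    echo "ok: $(parse_protocol "$out") $(parse_cipher "$out")"
  else
    echo "unexpected: $(parse_protocol "$out") $(parse_cipher "$out")"
    exit 1
  fi
fi
```

Note that the TLS 1.2 sample reads "New, TLSv1.0, ..." exactly as in the article's own output: OpenSSL shows the cipher's minimum protocol version on that line (ECDHE-RSA-AES256-SHA is a TLSv1 cipher), which is why the script reads the negotiated protocol from the SSL-Session "Protocol" line instead.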
Outcome
At the moment Terraform Enterprise supports only the complete TLS 1.3 Cipher Suite.
HashiCorp is working on making specific Ciphers available for TLS 1.3.
Additional Information
- See our official documentation for more information on these parameters.