Linkerd TLS Security


Is there a way to get Linkerd to:

  1. Only allow a specific TLS version (like TLSv1.2)
  2. Disable weak ciphers
  3. Enable Secure Diffie-Hellman for TLS
  4. Disable/disallow unwanted HTTP methods (like TRACE or DELETE)
  5. Disallow information disclosure
  6. Source IP access lists

It would be very useful to be able to set these features in Linkerd.


@rambo45 those are useful features indeed. Since Linkerd runs on the JVM, it uses some of its security libraries from Java. Some of the features can be applied through the Java command line when starting up Linkerd.

1. This can be disabled using the argument -Djdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1
2 and 3. I am not entirely sure of the Secure Diffie-Hellman for TLS and weak ciphers Java uses, but there may be documentation on how they are used and how to disable them in the JVM.
4. You could use Linkerd's HTTP method and host identifier together with dtabs to control the HTTP methods that are allowed in your architecture. That is documented here.
5. We may need more information as to what this point entails. What kind of information should be considered for non-disclosure?
6. Is this similar to a list of whitelisted IPs?
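
To confirm what a JVM will actually offer once such settings are in place, the following added example (not from the thread or from Linkerd) prints the effective jdk.tls.disabledAlgorithms value, which the JDK's TLS provider reads through java.security.Security, and flags any forbidden protocol or weak cipher suite still enabled. It assumes the process uses the JDK's built-in TLS provider (a native TLS library would not be covered); the class name, the FORBIDDEN_PROTOCOLS list (taken from the reply) and the WEAK_MARKERS list are illustrative policy choices.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example: reports what this JVM's default TLS stack will offer.
public class TlsPolicyCheck {
    // Protocol names from the reply's disabled list; adjust to your own policy.
    static final List<String> FORBIDDEN_PROTOCOLS =
            Arrays.asList("SSLv3", "TLSv1", "TLSv1.1");
    // Substrings of suite names commonly treated as weak (assumed policy, not from the thread).
    static final List<String> WEAK_MARKERS =
            Arrays.asList("_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_");

    // Returns every enabled protocol or cipher suite that breaks the policy above.
    static Set<String> violations(String[] protocols, String[] suites) {
        Set<String> found = new LinkedHashSet<>();
        for (String p : protocols) {
            if (FORBIDDEN_PROTOCOLS.contains(p)) found.add("protocol " + p);
        }
        for (String s : suites) {
            for (String marker : WEAK_MARKERS) {
                if (s.contains(marker)) found.add("cipher suite " + s);
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // Effective value as the JDK's TLS provider sees it.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // The default engine reflects the protocols and suites left after filtering.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        String[] protocols = engine.getEnabledProtocols();
        String[] suites = engine.getEnabledCipherSuites();
        System.out.println("enabled protocols: " + Arrays.toString(protocols));
        System.out.println("enabled cipher suites: " + suites.length);

        Set<String> bad = violations(protocols, suites);
        bad.forEach(v -> System.out.println("VIOLATION: " + v));
        System.exit(bad.isEmpty() ? 0 : 1); // non-zero exit lets a deploy check fail
    }
}
```

Run it with the same JVM and the same command-line options used to start Linkerd, so the output reflects that configuration.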
