Crossbar.io / TLS

#1

Hi,

since there have been some questions recently about TLS and what security level a properly configured Crossbar.io is able to do, here you go.

In fact, I just managed to get everything working for our live demos again, after I created a big mess by kicking the S3 bucket hosting AutobahnJS.

Anyway:

http://demo.crossbar.io

will force-redirect to HTTPS, and resolve to one of 3 instances residing in EU, US and Asia.

Which one depends on where you reside. It'll choose the instance with the lowest latency from your network point.

The direct links to the instances are:

* https://cbdemo-eu-central-1.crossbar.io/
* https://cbdemo-us-west-1.crossbar.io/
* https://cbdemo-ap-southeast-1.crossbar.io/

and the TLS reports are here (all A+ grade 100/100/90/90):

https://www.ssllabs.com/ssltest/analyze.html?d=cbdemo-eu-central-1.crossbar.io

https://www.ssllabs.com/ssltest/analyze.html?d=cbdemo-us-west-1.crossbar.io

https://www.ssllabs.com/ssltest/analyze.html?d=cbdemo-ap-southeast-1.crossbar.io

As you can see further down in the reports, old broken shit like IE 8-10 / Win 7 or Java 7 or Android 4.3 is NOT supported.

This is _by purpose_.

Note: some of this you can support by changing the ciphers. However, the default ciphers used by Crossbar.io are hand-selected for maximum security, and don't support those old clients.

The Crossbar.io config used is exactly this:

https://github.com/crossbario/crossbar-examples/blob/master/demos/_demo_launcher/.crossbar/config.json#L178

As mentioned, it force-redirects port 80 HTTP to HTTPS 443, and it also sets HSTS.

The overall result is quite state-of-the-art.

There are 2 more exotic features we don't have yet:

- HPKP
- OCSP stapling

Getting all of the above set up is probably quite hard for non-security geeks.

We have some pages (these partially need an update), pls see the TLS and Certificates etc. pages linked here:

http://crossbar.io/docs/Going-to-Production/


--

The particular setup we use, with 3 instances behind a single DNS name and certificates from Let's Encrypt, is even more complex to set up.

The reason is that the only way you can validate certs in this setup is using so-called DNS challenges dynamically put into Route53. We use lego for that. https://github.com/xenolf/lego

You will also need deployment automation, otherwise you'll go insane quickly ;)

Well, this is advanced stuff. No point denying ..

Hope this helps,
Cheers,
/Tobias

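As an added example (not part of the original post, and not Crossbar.io's own code), the following Python script reproduces offline the three properties the post credits for the A+ grade: a server-side TLS context that refuses anything below TLS 1.2 and any non-AEAD or weak cipher suite, a permanent HTTP-to-HTTPS redirect, and an HSTS header with a long max-age. The cipher string, the 180-day max-age floor (the minimum SSL Labs expects before awarding A+) and the sample HTTP responses are assumptions constructed for illustration, not values captured from the demo hosts.

```python
"""Offline TLS/HTTPS hygiene checks: hardened server SSLContext, HTTP->HTTPS
redirect and HSTS validation.  Example code added to this thread; it is not
part of Crossbar.io or of the demo deployment it describes."""
import ssl

# Assumed cipher string: forward-secret (ECDHE) AEAD suites only, which is the
# kind of "hand-selected" list that locks out IE 8-10, Java 7 and Android 4.3.
MODERN_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"

# SSL Labs only awards A+ with HSTS whose max-age is at least about 180 days.
HSTS_MIN_MAX_AGE = 180 * 24 * 3600


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext: TLS >= 1.2, no compression, modern suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(MODERN_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression enables CRIME
    if certfile:  # a real deployment loads its Let's Encrypt chain here
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_ciphers_enabled(ctx):
    """Names of enabled suites that are not AEAD or offer < 128-bit strength."""
    return [c["name"] for c in ctx.get_ciphers()
            if not c["aead"] or c["strength_bits"] < 128]


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            try:
                out["max_age"] = int(token.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass  # malformed max-age counts as absent
        elif token == "includesubdomains":
            out["include_subdomains"] = True
        elif token == "preload":
            out["preload"] = True
    return out


def check_hsts(headers, min_max_age=HSTS_MIN_MAX_AGE):
    """True when the HTTPS response sets HSTS with a long enough max-age."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return False
    parsed = parse_hsts(value)
    return parsed["max_age"] is not None and parsed["max_age"] >= min_max_age


def check_https_redirect(status, headers):
    """True when a plain-HTTP response permanently redirects to an https:// URL."""
    location = _header(headers, "Location") or ""
    return status in (301, 308) and location.lower().startswith("https://")


# Constructed sample responses (hypothetical host, not captured from the demos).
HTTP_RESPONSE = (301, {"Location": "https://demo.example.invalid/", "Content-Length": "0"})
HTTPS_HEADERS_GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
HTTPS_HEADERS_SHORT = {"strict-transport-security": "max-age=3600"}


def audit():
    """Run every check against the hardened context and the sample responses."""
    ctx = hardened_server_context()
    return {
        "weak_ciphers": weak_ciphers_enabled(ctx),
        "suite_count": len(ctx.get_ciphers()),
        "min_tls": ctx.minimum_version.name,
        "redirect_ok": check_https_redirect(*HTTP_RESPONSE),
        "hsts_ok": check_hsts(HTTPS_HEADERS_GOOD),
        "hsts_short_ok": check_hsts(HTTPS_HEADERS_SHORT),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```

To apply the same checks to a live host, feed `check_https_redirect` the status and headers of a plain `http://` request and `check_hsts` the headers of the `https://` response; the cipher check reads the OpenSSL view of the server context, which is what an SSL Labs scan ends up exercising from the outside.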