Describe the bug
When specifying the below cipher suites, not all of them are detected on a scan of the tcp port.
`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA`
Scan output after restarting the vault service:

```text
| TLSv1.2:
|   ciphers:
|     TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   compressors:
|     NULL
|   cipher preference: server
|   warnings:
|     Forward Secrecy not supported by any cipher
|_  least strength: A
```
To Reproduce
Steps to reproduce the behavior:
1. Create cluster
2. Specify the cipher suites listed above in the tls config
3. Restart service
4. Scan port
Expected behavior
All of the ciphers specified in the config should be offered, as below:

```text
| TLSv1.2:
|   ciphers:
|     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|     TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   compressors:
|     NULL
|   cipher preference: server
|_  least strength: A
```
Environment:
Vault Server Version (retrieve with `vault status`): Vault 1.3.1+prem
Vault CLI Version (retrieve with `vault version`): NA
Server Operating System/Architecture: RHEL
Vault server configuration file(s):

```hcl
listener "tcp" {
  tls_cert_file                   = "/etc/vault.d/tls.crt"
  tls_key_file                    = "/etc/vault.d/tls.key"
  address                         = "0.0.0.0:8200"
  tls_disable                     = "false"
  tls_min_version                 = "tls12"
  tls_disable_client_certs        = "true"
  tls_cipher_suites               = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
  tls_prefer_server_cipher_suites = "true"
}

storage "consul" {
  address         = "127.0.0.1:7501"
  token           = "censored"
  path            = "vault/"
  scheme          = "https"
  tls_ca_file     = "/etc/vault.d/ca_cert.pem"
  tls_cert_file   = "/etc/vault.d/server_cert.pem"
  tls_key_file    = "/etc/vault.d/server_key.pem"
  tls_skip_verify = "true"
}

seal "azurekeyvault" {
  # valid config in here removed
}

ui = true
```
The reason the cipher suites specified in the configuration are not showing on the list is that they are blacklisted per the HTTP/2 RFC 7540 specification: https://tools.ietf.org/html/rfc7540#appendix-A

> An HTTP/2 implementation MAY treat the negotiation of any of the following cipher suites with TLS 1.2 as a connection error (Section 5.4.1) of type INADEQUATE_SECURITY:

Are all in that blacklist. The reasoning is given:

> Note: This list was assembled from the set of registered TLS
> cipher suites at the time of writing. This list includes those
> cipher suites that do not offer an ephemeral key exchange and
> those that are based on the TLS null, stream, or block cipher type
> (as defined in Section 6.2.3 of [TLS12]). Additional cipher
> suites with these properties could be defined; these would not be
> explicitly prohibited.
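The two properties the RFC note names (no ephemeral key exchange; a null, stream or block cipher rather than an AEAD) can be read straight off the IANA suite names, so a `tls_cipher_suites` value can be checked before a restart. The script below is an added example, not code from the issue or from Vault; it derives the classification from the name structure rather than from a copy of the Appendix A table, and `CONFIGURED` is the value from the listener block above.

```python
# Added example: flag entries of a Vault tls_cipher_suites value that have a
# property RFC 7540 Appendix A blacklists for HTTP/2 over TLS 1.2.
EPHEMERAL_KX = ("ECDHE", "DHE")                       # ephemeral key exchange
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")  # AEAD ciphers, not null/stream/block

# Value taken from the listener "tcp" block in the issue.
CONFIGURED = (
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
)

def parse_suite(name):
    """Split TLS_<kx>_WITH_<cipher_mac> into its key-exchange and cipher parts."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not an IANA TLS 1.2 cipher suite name: %r" % name)
    kx, cipher = name[len("TLS_"):].split("_WITH_", 1)
    return kx, cipher

def is_ephemeral(kx):
    # ECDHE_*/DHE_* give forward secrecy; RSA, ECDH_*, DH_* are static.
    return any(part in EPHEMERAL_KX for part in kx.split("_"))

def is_aead(cipher):
    # Anything else (CBC, RC4, NULL, 3DES) is a block, stream or null cipher.
    return any(m in "_" + cipher for m in AEAD_MARKERS)

def http2_blacklisted(name):
    """True when the suite has at least one of the two blacklisted properties."""
    kx, cipher = parse_suite(name)
    return not is_ephemeral(kx) or not is_aead(cipher)

def classify(tls_cipher_suites):
    """Map each configured suite to a reason string, or None if it is acceptable."""
    result = {}
    for name in (n.strip() for n in tls_cipher_suites.split(",") if n.strip()):
        kx, cipher = parse_suite(name)
        reasons = []
        if not is_ephemeral(kx):
            reasons.append("no ephemeral key exchange")
        if not is_aead(cipher):
            reasons.append("non-AEAD (null/stream/block) cipher")
        result[name] = "; ".join(reasons) or None
    return result

if __name__ == "__main__":
    for suite, reason in classify(CONFIGURED).items():
        print("%-45s %s" % (suite, reason or "ok for HTTP/2"))
```

Only the two ECDHE_ECDSA GCM suites pass both checks; note also that ECDHE_ECDSA suites can only be negotiated with an ECDSA server certificate, while the scan output reports an RSA 2048 key.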