Skip to content
This repository has been archived by the owner on Jan 20, 2022. It is now read-only.

Allowed cipher suite parameter #273

Open
igorGevaerd opened this issue Nov 28, 2019 · 2 comments
Open

Allowed cipher suite parameter #273

igorGevaerd opened this issue Nov 28, 2019 · 2 comments

Comments

@igorGevaerd
Copy link

1. Describe IN DETAIL the feature/behavior/change you would like to see.
A flag to set all the allowed cipher suite, similar to the parameter "--tls-cipher-suites" used on kubelet.

This necessity showed up after a vulnerability scan on a Kubernetes environment configured by Kops. The Nessus scan revealed that the etcd-manager doesn't restrict the use of non-secure ciphers suite (ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA).

@viveksyngh
Copy link

We are also in need of this feature. Is there any update ? Or any pointers on how can we get it started with this one. I can work on this and raise an PR.

@jgilbert58934
Copy link

jgilbert58934 commented May 21, 2021

We also ran into this problem and so far masking the problem with tighter security groups or firewall rules has not been accepted. This is specifically for the main and events ports 3996 and 3997 for the SWEET32 and BEAST vulnerability.

In order to fix this I added additional parameters to the tls.Config when creating the listeners:

In the GRPCServerConfig function in options.go (https://github.com/kopeio/etcd-manager/blob/master/pkg/tlsconfig/options.go)

c := &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  caPool,
		MinVersion: tls.VersionTLS12,
		PreferServerCipherSuites: true,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		},
		ServerName: "etcd-manager-server-" + myPeerID,
}

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants