-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ETCD TLS still supports weak 64-bit block ciphers #8320
Comments
If etcd is going to worry about weak ciphers, maybe there should be a FIPS-140 mode? It seems the suggested way is cgo out to a certified library. /cc @xiang90 |
Agreed. |
Weak cipher support in etcd was flagged up in a security test on our Kubernetes cluster too. We can reduce the risk via security group controls, but being able to whitelist ciphers would address the root cause. |
Further to the above, I feel that allowing users to choose ciphers themselves would offer greater flexibility and allow cipher configuration to be tailored for different regulatory environments. For example, PCI DSS refer to NIST SP 800-52 for TLS configuration. This is the approach Kubernetes have taken via kubernetes/kubernetes#48859 |
It seems k8s approach is simpler, but it requires users to understand exactly what they expect, and it is go specific. We probably should adopt the similar approach. Would you want to help on this? Or would @spzala ? |
@xiang90 Understood, but I think it's responsible to expect users working in regulated environments to understand such settings. This also means users can response more quickly to any future cipher compromises. We'll look to get a PR raised in the new year /cc @ThatsMrTalbot |
The Kubernetes solution looks reasonable to me. I feel we should pick some default set of ciphers too. What about this list? https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites Did Kubernetes select a default set? I couldn't tell from glancing at the PR. |
This might break existing users after a upgrade. Every time we tighten TLS/security or fix security related bugs, we break some users though... |
True. Is Kubernetes just rolling with all ciphers?
On Fri, Dec 22, 2017 at 1:38 PM Xiang Li ***@***.***> wrote:
@philips <https://github.com/philips>
I feel we should pick some default set of ciphers too. What about this
list?
This might break existing users after a upgrade. Every time we tighten
TLS/security or fix security related bugs, we break some users though...
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#8320 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AACDCNWxY14csJ-MlwqCbQZ0FIbGa3x8ks5tDCFngaJpZM4OlxmM>
.
--
CTO, CoreOS, Inc
Tectonic is enterprise Kubernetes
https://coreos.com/tectonic
|
The default one is all available ones in Go TLS as far as I can tell. @swestcott probably have more details to fill in here. |
@xiang90 Yes, that's my understanding too. All ciphers by default, with an optional whitelist. |
Yes, in Kubernetes, if the ciphers are not specified, the Go default ones will be used. |
@swestcott kindly ping. any progress? |
Have the start of something over at https://github.com/ThatsMrTalbot/etcd - it only seems to work when the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite is provided. If it isnt in the list then I get an error in the etcd logs (see below) and Error from etcd logs when TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 is not provided:
|
can you send a WIP pr to the etcd upstream repo? then we can discuss there. |
@ThatsMrTalbot are you still working on this? I'm also looking for this feature, as right now I have some settings hacked into a fork. So I can work on this if needed. |
Hi everyone, Our Security team ran a scan on all our local systems and reported this:
Thanks a lot for your help :-) |
Hi @fmazoyer what version of etcd was this scan against? |
Hi @hexfusion thanks for the swift reply :-) It's docker's quay.io/coreos/etcd:v3.2.4 |
I checked all the TLS
All the TLS
|
@vhosakot Right, we default to whatever Go runtime provides (depending on the machine that you run etcd with). You can specify the cipher suites to exclude weaker ones. |
Thanks @gyuho. Are the ciphers in etcd/pkg/tlsutil/cipher_suites.go Lines 21 to 44 in dedae6e
|
@vhosakot I meant to say, default would be empty cipher suite, which then is populated by Go runtime :) Those are only used to check if specified cipher is valid, but we do not provider cipher suite ordering by default (let Go handle it). |
@gyuho I have etcd up with Now, how can I test with a client (like |
I've found https://testssl.sh/ ( https://github.com/drwetter/testssl.sh ) helpful for testing ciphers, it doesn't explicitly check that etcd is working behind the ciphers, but it does test the initial SSL/TLS handshakes. |
@gyuho I started etcd See
But, when I test these three ciphers using
But,
Let me know if I need to open an issue against etcd for this. I'm using openssl Full outputs below:
But,
|
@vhosakot I believe your openssl needs to support the cipher locally. |
@hexfusion Yes, the cipher
|
@vhosakot I guess the server key algorithm is probably My guess is your server cert will have similar output.
example using cfssl CA format for ecdsa algorithm
|
Thanks @hexfusion. So, should the following certs and keys I'm using for etcd server support
|
If you want to use ecdsa vs rsa ciphers that makes sense to me. ECDHE-ECDSA-AES128-GCM-SHA256 vs ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
Thanks @hexfusion! I'll test with |
@gyuho I see the following ciphers do not work and etcd fails to start with the following errors when I configure these ciphers for
|
Hi @vhosakot did the other ciphers work with ecdsa cert?
The support or non support of a cipher is most likely going to be openssl vs etcd issue. For example my openssl 1.1.1 does not support any of the ciphers that are failing can you verify both the client/server do in your case also that you are using rsa certs? |
@hexfusion I'm not using In the following cipher suites that fail, I see just
So, are cipher suites not supported by openssl not supported by etcd too? |
@vhosakot yeah sorry that not incorrect I took a deeper look. It seems that currently the only supported list of definable ciphers is listed in your previous comment. etcd/pkg/tlsutil/cipher_suites.go Lines 21 to 44 in dedae6e
Lines 529 to 535 in 829c9b2
|
Thanks @hexfusion for confirming that those keys aren't supported by etcd. I'll let you know once I test with |
Description:
ETCD TLS still supports weak 64-bit block ciphers
Nessus security scanner indicates ETCD TLS port can still communicate using weak 64-bit block ciphers which is a security vaulnerabilty (SWEET32).
Steps to Reproduce:
1.) Setup ETCD for TLS
2.) Initiate a query to the ETCD https port and specify a weak cipher (ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA)
curl -v https://lama1-1-1:4001/v2/members --cert /etc/ssl/local_certs/etcd2/etcd2.crt --key /etc/ssl/local_certs/etcd2/etcd2.key --ciphers ECDHE-RSA-DES-CBC3-SHA
Actual Results:
ETCD responded from the query using the weak cipher
cs1-1-1 ~ # curl -v https://lama1-1-1:4001/v2/members --cert /etc/ssl/local_certs/etcd2/etcd2.crt --key /etc/ssl/local_certs/etcd2/etcd2.key --ciphers ECDHE-RSA-DES-CBC3-SHA
CApath: /etc/ssl/certs
< HTTP/1.1 200 OK
< Content-Length: 183
< Content-Type: application/json
< Date: Thu, 27 Jul 2017 18:56:52 GMT
< X-Etcd-Cluster-Id: 7417be5c0ca6813f
<
{"members":[{"id":"b8c5b89e3b6c0487","name":"f0bc2c5cee094fb7997f02f07cd80a55","peerURLs":["https://cs1-1-1:2380"],"clientURLs":["http://10.10.48.223:2379","https://cs1-1-1:4001"]}]}
cs1-1-1 ~ # echo $?
0
Expected Results:
Expecting ETCD to fail query.
Occurs On:
CoreOS 1409.5.0 (Ladybug)
ETCD v3.1.6
openssl 1.0.2k
Additional Information:
/usr/lib/systemd/system/etcd-member.service
[Unit]
Description=etcd (System Application Container)
Documentation=https://github.com/coreos/etcd
Wants=network.target
Conflicts=etcd.service
Conflicts=etcd2.service
[Service]
Type=notify
Restart=on-failure
RestartSec=10s
TimeoutStartSec=0
LimitNOFILE=40000
Environment="ETCD_IMAGE_TAG=v3.1.6"
Environment="ETCD_NAME=%m"
Environment="ETCD_USER=etcd"
Environment="ETCD_DATA_DIR=/var/lib/etcd"
Environment="RKT_RUN_ARGS=--uuid-file-save=/var/lib/coreos/etcd-member-wrapper.uuid"
ExecStartPre=/usr/bin/mkdir --parents /var/lib/coreos
ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/lib/coreos/etcd-member-wrapper.uuid
ExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/lib/coreos/etcd-member-wrapper.uuid
[Install]
WantedBy=multi-user.target
/etc/systemd/system/etcd-member.service.d/10-require-certs.conf
[Unit]
Requires=link_etcd2_cert.service
After=link_etcd2_cert.service
/etc/systemd/system/etcd-member.service.d/50-options.conf
[Service]
Environment="ETCD_DISCOVERY=https://discovery.etcd.io/5fe45a47005f6cd5853d4639236b74b9"
Environment="ETCD_ADVERTISE_CLIENT_URLS=http://10.10.48.223:2379,https://cs1-1-1:4001"
Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379,https://0.0.0.0:4001"
Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=https://cs1-1-1:2380"
Environment="ETCD_LISTEN_PEER_URLS=https://cs1-1-1:2380"
Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd2/etcd2.crt"
Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd2/etcd2.key"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd2/etcd2-chain.pem"
lines 1-43
cs1-1-1 ~ # cat /etc/os-release
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1409.5.0
VERSION_ID=1409.5.0
BUILD_ID=2017-06-22-2222
PRETTY_NAME="Container Linux by CoreOS 1409.5.0 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"
cs1-1-1 ~ # openssl version
OpenSSL 1.0.2k 26 Jan 2017
The text was updated successfully, but these errors were encountered: