Allowed cipher suite parameter

[igorGevaerd]

1. Describe IN DETAIL the feature/behavior/change you would like to see.
A flag to set all the allowed cipher suite, similar to the parameter "--tls-cipher-suites" used on kubelet.

This necessity showed up after a vulnerability scan on a Kubernetes environment configured by Kops. The Nessus scan revealed that the etcd-manager doesn't restrict the use of non-secure ciphers suite (ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA).

[viveksyngh]

We are also in need of this feature. Is there any update ? Or any pointers on how can we get it started with this one. I can work on this and raise an PR.

[jgilbert58934]

We also ran into this problem and so far masking the problem with tighter security groups or firewall rules has not been accepted. This is specifically for the main and events ports 3996 and 3997 for the SWEET32 and BEAST vulnerability.

In order to fix this I added additional parameters to the tls.Config when creating the listeners:

In the GRPCServerConfig function in options.go (https://github.com/kopeio/etcd-manager/blob/master/pkg/tlsconfig/options.go)

c := &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  caPool,
		MinVersion: tls.VersionTLS12,
		PreferServerCipherSuites: true,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		},
		ServerName: "etcd-manager-server-" + myPeerID,
}