Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add secure ciphersuites for TLS config #1244

Merged
merged 9 commits into from
Nov 26, 2022

Conversation

kangsheng89
Copy link
Contributor

to fix #1238

@kangsheng89 kangsheng89 requested a review from a team November 11, 2022 08:30
@kangsheng89
Copy link
Contributor Author

image
Before fix, the cipher suites of TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA is acceptable by webhook server on port 9443, which is vulnerable to SWEET32 attack

@kangsheng89
Copy link
Contributor Author

image
After fix, both DES and 3DES cipher no longer acceptable

main.go Outdated
@@ -292,3 +293,12 @@ func addDependencies(_ context.Context, mgr ctrl.Manager, cfg config.Config, v v
func minTlsDefault(cfg *tls.Config) {
cfg.MinVersion = defaultMinTLSVersion
}

func secureCipherSuite(cfg *tls.Config) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please add a comment on this function and describe what it does?

I personally don't know why all ciphers have to be specified.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By description from the comments, it should be taken in safe cipher. But after i run the test, seems like manager just directly using the cipher configuration by tls version only. Instead of using the ciphers from tls.CipherSuites() which is safe from vulnerability.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pavolloffay do u have any more concerned, or may b do u have any more ideas to improve on this?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

// This function return list of CipherSuite's ID without security issues.

I was more interested in the comment why this is needed

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok let me update the comments on the code and it will be more clear for reader/maintainer

@kangsheng89
Copy link
Contributor Author

@pavolloffay can u help to check why docker buildx fail?

@frzifus
Copy link
Member

frzifus commented Nov 17, 2022

@kangsheng89 Should we consider the same here? jaegertracing/jaeger-operator#2119 (comment)

@kangsheng89
Copy link
Contributor Author

kangsheng89 commented Nov 17, 2022

@pavolloffay After some consideration, i make changes so that TLS setting for version and ciphersuite is configurable from cmd argument. I am using https://github.com/kubernetes/component-base/blob/master/cli/flag/ciphersuites_flag.go help to validate the TLS settings from cmd argument

main.go Show resolved Hide resolved
main.go Show resolved Hide resolved
@kangsheng89
Copy link
Contributor Author

@pavolloffay any concerns or feedbacks to improve this?

@pavolloffay pavolloffay merged commit c7c8b05 into open-telemetry:main Nov 26, 2022
@kangsheng89 kangsheng89 deleted the safeciphersuites branch November 26, 2022 15:38
ItielOlenick pushed a commit to ItielOlenick/opentelemetry-operator that referenced this pull request May 1, 2024
* add secure ciphersuites for TLS config

* add comment for the secureCipherSuite function

* provide more descriptive comments on secureCipherSuite function

* ciphersuites and tls version setting can be configurable

* add description for the function tlsConfigSetting
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add default cipher suites configuration for webhook server
3 participants