projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

Weak cipher suites supported on calico-typha #7881

Open huornlmj opened 11 months ago

huornlmj commented 11 months ago

When testing the TLS endpoint that calico-typha exposes, the following ciphers are advertised as supported; they are considered weak as they do not offer PFS (Perfect Forward Secrecy).

Expected Behavior

Only Ephemeral suites should be used

Current Behavior

These suites are supported by the server:

Possible Solution

PR to remove the 2x weak ciphers.

Steps to Reproduce (for bugs)

  1. Deploy the calico-typha
  2. Test the TCP TLS endpoint with a utility such as drwetter's testssl.sh
  3. Observe that the two weak ciphers are advertised along with the two recommended / strong ECDHE ciphers.

huornlmj commented 1 month ago

Adding new weak ciphers to the list that Calico Typha supports in its default configuration:

  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_RSA_WITH_AES_128_GCM_SHA256
  - TLS_RSA_WITH_AES_256_GCM_SHA384
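The following Go program is an added example, not code from the Calico project or from the issue reporter; it illustrates both the check the reproduction steps describe (flagging advertised suites that use static RSA key exchange or CBC mode) and the fix the issue asks for (an explicit allow-list of ephemeral ECDHE AEAD suites, with TLS 1.2 as the floor). The advertised-suite list is constructed from the names quoted in this thread; how Typha itself builds its `tls.Config` is not shown on this page and is not assumed here.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Constructed sample: the two ECDHE GCM suites the reporter calls strong plus
// the six suites flagged across the two comments above.
var advertisedSample = []string{
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	"TLS_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_RSA_WITH_AES_256_GCM_SHA384",
}

// LacksForwardSecrecy reports whether a suite uses static RSA key exchange:
// with such suites the session key can be recovered later by anyone who
// obtains the server's long-term private key, which is what PFS prevents.
func LacksForwardSecrecy(name string) bool {
	return strings.HasPrefix(name, "TLS_RSA_WITH_")
}

// UsesCBC reports whether the suite uses CBC mode with HMAC rather than an
// AEAD construction such as GCM or ChaCha20-Poly1305.
func UsesCBC(name string) bool {
	return strings.Contains(name, "_CBC_")
}

// Finding records why one advertised suite was flagged.
type Finding struct {
	Name  string
	NoPFS bool
	CBC   bool
}

// Audit returns only the advertised suites that fail at least one check.
func Audit(advertised []string) []Finding {
	var out []Finding
	for _, n := range advertised {
		f := Finding{Name: n, NoPFS: LacksForwardSecrecy(n), CBC: UsesCBC(n)}
		if f.NoPFS || f.CBC {
			out = append(out, f)
		}
	}
	return out
}

// HardenedConfig is the allow-list the issue asks for: TLS 1.2 or newer and
// only ephemeral ECDHE suites with AEAD ciphers. Go ignores CipherSuites for
// TLS 1.3, whose suites are all ephemeral anyway.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
		},
	}
}

// ConfigIsClean applies the same rules as Audit to a tls.Config's allow-list,
// resolving suite IDs to names with the standard library's CipherSuiteName.
func ConfigIsClean(cfg *tls.Config) bool {
	names := make([]string, 0, len(cfg.CipherSuites))
	for _, id := range cfg.CipherSuites {
		names = append(names, tls.CipherSuiteName(id))
	}
	return cfg.MinVersion >= tls.VersionTLS12 && len(Audit(names)) == 0
}

func main() {
	for _, f := range Audit(advertisedSample) {
		fmt.Printf("%-42s noPFS=%v cbc=%v\n", f.Name, f.NoPFS, f.CBC)
	}
	fmt.Println("hardened config clean:", ConfigIsClean(HardenedConfig()))
}
```

Running the program lists the four suites from the sample that fail a check (the two ECDHE CBC suites and the two static-RSA GCM suites) and confirms that the hardened allow-list passes. The same `Audit` function can be run over the cipher list a scanner such as testssl.sh reports for a live endpoint, which makes it a simple regression check for a cipher-suite configuration.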