Rapid7 scans of our clusters have highlighted that weaker cipher suites are made available by Typha (port 5473), in particular the 3DES (Triple DES) cipher suites. The associated security risk is relatively low, but the optics are poor from a compliance perspective.
Expected Behavior
Other core Kubernetes components provide a --tls-min-version option or similar which allows TLS1.3 to be enforced as a minimum.
Current Behavior
External scans detect support for 3DES cipher suites, and there does not appear to be a way to configure this.
Possible Solution
Add a TyphaMinTlsVersion option to the FelixConfiguration or another more suitable configuration point.
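As an added illustration (not Calico or Typha code) of what such an option would control on the Go side: Typha is written in Go, so a minimum-version setting maps onto crypto/tls MinVersion, and a weak TLS 1.2 server config is compared with a hardened one. The config values and the helper names are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"strings"
)

// weakSuitesReachable lists the 3DES suites a client could still negotiate
// against cfg. With a TLS 1.3 minimum the TLS 1.2 suite list never applies.
// A nil CipherSuites means Go's default list, which this check does not inspect.
func weakSuitesReachable(cfg *tls.Config) []string {
	if cfg.MinVersion >= tls.VersionTLS13 {
		return nil
	}
	var weak []string
	for _, id := range cfg.CipherSuites {
		if name := tls.CipherSuiteName(id); strings.Contains(name, "3DES") {
			weak = append(weak, name)
		}
	}
	return weak
}

// weakServerConfig reproduces the scan finding: TLS 1.2 allowed and the two
// flagged suites explicitly enabled (constructed for illustration, not Typha's config).
func weakServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
		},
	}
}

// hardenedServerConfig is what a TyphaMinTlsVersion-style setting would
// produce (hypothetical). The AEAD-only allowlist still matters if minVersion
// is set to tls.VersionTLS12 for compatibility with older clients.
func hardenedServerConfig(minVersion uint16) *tls.Config {
	return &tls.Config{
		MinVersion: minVersion,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}
```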
Steps to Reproduce (for bugs)
Scan the cluster's external ports using Rapid7
OR
Use this command to confirm that a certificate chain is returned when using TLS1.2: openssl s_client -connect 172.23.1.48:5473 -tls1_2
Context
External port scan result:
TLS/SSL Server Supports 3DES Cipher Suite
Negotiated with the following insecure cipher suites:
* TLS 1.2 ciphers:
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_3DES_EDE_CBC_SHA
Your Environment
Calico version v3.28.1
Orchestrator version (e.g. kubernetes, mesos, rkt): K8S v1.29.7