Closed adibrastegarnia closed 2 days ago
Hi @adibrastegarnia
Skupper uses TLS in many places. The control plane has several servers that will negotiate some subset of the ciphers available from go's net/tls package: https://github.com/search?q=repo%3Askupperproject%2Fskupper+tlscfg.&type=code. For the most part TLS clients in the control plane will use whatever defaults are provided by the go standard library it was built with. Note: this primarily applies to upstream skupper. Presently the downstream builds of skupper (RHSI) are built with the redhat go toolchain that links out to system OpenSSL libraries.
What is likely more relevant is what ciphers that are used by skupper router - the transport component of skupper. I know that it links OpenSSL, but cannot speak to any specific configuration it uses. IIRC I may have investigated this with @kgiusti a while back. (Ring a bell at all Ken? Or did I just dream that up.)
An old discussion where we dug into the presence of a specific cipher: https://github.com/skupperproject/skupper/discussions/1414
@c-kruse Thank you for your response. If I understand correctly, the code at this link (https://github.com/skupperproject/skupper/blob/0258f904174ed22bf07efc38eff201f06a76f4fa/pkg/utils/tlscfg/tls.go#L11) retrieves the CipherSuites from the Go tls package. It appears that the cipher suites are determined by what the Go library provides. We are trying to understand whether any of the cipher suites you use are configurable or if they depend on the system's OpenSSL libraries. Could you please clarify this?
skupper router: This does rely on the system OpenSSL - specifically that of the container image it is built in (UBI9 minimal.) I am not a reputable source of authority on the topic, but suspect that one could rebuild the router in a container with a restricted openssl configuration, or maybe even simply add a layer on top to configure openssl.
Skupper control plane components (All container images aside from "skupper-router"): We do not presently have any configuration options exposed to configure this. Go's TLS implementation is disjoint from openssl, so is not configurable at the system level either. We did somewhat recently choose slightly firmer defaults for servers if you view the history of that tlscfg package, and would consider exposing more configuration or tightening it for our next major revision. A longer but perhaps useful read on what type of configuration options we could have with Go's TLS library: https://go.dev/blog/tls-cipher-suites.
@c-kruse Since Skupper does not support cipher suite configuration by default, could you suggest the best approach to modify the Skupper code for both the router and control plane to enable TLS 1.2 or 1.3 with the following cipher suites?
TLS1.3: TLS_AES_256_GCM_SHA384
TLS1.2: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
@haribabug I'm afraid I do not have a suggestion to offer.
I can say that assuming your requirements are to use those specific ciphers exclusively, the standard go tls library does not support configuring the TLS 1.3 ciphers (please refer to the blog I linked above.) To me that would imply that your requirements exclude any application built with go unless rebuilt with a non-standard toolchain that links out to some alternative crypto libraries. Go has a branch it calls boringcrypto that may help, Red Hat and Microsoft also have forks of go that could potentially help.
Glad to carry this on in github discussions and/or in our mailing list if there's a proposal here. https://groups.google.com/forum/#!forum/skupper
Closing the issue.
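To make the point in the reply above concrete, here is an added example that is not Skupper's own code: a hypothetical Go `tls.Config` restricted to the two requested TLS 1.2 suites is honoured for TLS 1.2 clients (a client offering only AES-128-GCM is rejected), but a TLS 1.3 client still negotiates whichever TLS 1.3 suite Go's crypto/tls prefers, because `CipherSuites` is ignored for TLS 1.3. The self-signed certificate and the in-memory loopback handshake are constructed test fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate (a constructed fixture, not a Skupper certificate).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// restrictedConfig is a hypothetical hardened server config: TLS 1.2+, and for TLS 1.2 only the two ECDHE
// AES-256-GCM suites. CipherSuites never applies to TLS 1.3 in Go, so 1.3 peers may still get AES-128 or ChaCha20.
func restrictedConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
		SessionTicketsDisabled: true, // post-Finished ticket writes would stall the unbuffered in-memory pipe below
	}
}

// negotiate handshakes over an in-memory pipe with a client capped at maxVersion and offering clientSuites
// (nil = Go defaults). InsecureSkipVerify is set only because the fixture certificate above is self-signed.
func negotiate(srvCfg *tls.Config, maxVersion uint16, clientSuites []uint16) (tls.ConnectionState, error) {
	c1, c2 := net.Pipe()
	defer func() { c1.Close(); c2.Close() }()
	srv, errc := tls.Server(c1, srvCfg), make(chan error, 1)
	cli := tls.Client(c2, &tls.Config{InsecureSkipVerify: true, MaxVersion: maxVersion, CipherSuites: clientSuites})
	go func() { errc <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), <-errc // the server side has finished (or failed) once the client has
}
```

Run `negotiate` with `tls.VersionTLS12` and `tls.VersionTLS13` clients and compare `ConnectionState().CipherSuite` (via `tls.CipherSuiteName`) to see the two behaviours side by side.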
For TLS, what cipher suites skupper is using?