skupperproject / skupper

Skupper is an implementation of a Virtual Application Network, enabling rich hybrid cloud communication.
http://skupper.io
Apache License 2.0
595 stars, 74 forks

What cipher suites are used in Skupper? #1770

Closed adibrastegarnia closed 2 days ago

adibrastegarnia commented 2 weeks ago

For TLS, what cipher suites is Skupper using?

c-kruse commented 2 weeks ago

Hi @adibrastegarnia

Skupper uses TLS in many places. The control plane has several servers that will negotiate some subset of the ciphers available from go's net/tls package: https://github.com/search?q=repo%3Askupperproject%2Fskupper+tlscfg.&type=code. For the most part, TLS clients in the control plane will use whatever defaults are provided by the go standard library it was built with. Note: this primarily applies to upstream skupper. Presently the downstream builds of skupper (RHSI) are built with the redhat go toolchain that links out to system OpenSSL libraries.

What is likely more relevant is what ciphers that are used by skupper router - the transport component of skupper. I know that it links OpenSSL, but cannot speak to any specific configuration it uses. IIRC I may have investigated this with @kgiusti a while back. (Ring a bell at all Ken? Or did I just dream that up.)

c-kruse commented 2 weeks ago

An old discussion where we dug into the presence of a specific cipher: https://github.com/skupperproject/skupper/discussions/1414

adibrastegarnia commented 2 weeks ago

@c-kruse Thank you for your response. If I understand correctly, the code at this link (https://github.com/skupperproject/skupper/blob/0258f904174ed22bf07efc38eff201f06a76f4fa/pkg/utils/tlscfg/tls.go#L11) retrieves the CipherSuites from the Go tls package. It appears that the cipher suites are determined by what the Go library provides. We are trying to understand whether any of the cipher suites you use are configurable or if they depend on the system's OpenSSL libraries. Could you please clarify this?

c-kruse commented 2 weeks ago

skupper router: This does rely on the system OpenSSL - specifically that of the container image it is built in (UBI9 minimal.) I am not a reputable source of authority on the topic, but suspect that one could rebuild the router in a container with a restricted openssl configuration, or maybe even simply add a layer on top to configure openssl.

Skupper control plane components (all container images aside from "skupper-router"): We do not presently have any configuration options exposed to configure this. Go's TLS implementation is disjoint from openssl, so it is not configurable at the system level either. We did somewhat recently choose slightly firmer defaults for servers, if you view the history of that tlscfg package, and would consider exposing more configuration or tightening it for our next major revision. A longer but perhaps useful read on what type of configuration options we could have with go's TLS library: https://go.dev/blog/tls-cipher-suites.

haribabug commented 2 weeks ago

@c-kruse Since Skupper does not support cipher suite configuration by default, could you suggest the best approach to modify the Skupper code for both the router and control plane to enable TLS 1.2 or 1.3 with the following cipher suites?

TLS1.3: TLS_AES_256_GCM_SHA384

TLS1.2: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

c-kruse commented 2 weeks ago

@haribabug afraid I do not have a suggestion to offer.

I can say that assuming your requirements are to use those specific ciphers exclusively, the standard go tls library does not support configuring the TLS 1.3 ciphers (please refer to the blog I linked above.) To me that would imply that your requirements exclude any application built with go unless rebuilt with a non-standard toolchain that links out to some alternative crypto libraries. Go has a branch it calls boringcrypto that may help, Red Hat and Microsoft also have forks of go that could potentially help.
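To make the limitation above concrete, here is an added example (not Skupper's code and not its tlscfg package; the function names are assumed) showing what Go's standard crypto/tls can and cannot pin: the two TLS 1.2 suites requested can be restricted and checked against Go's own insecure list, while the TLS 1.3 suites, including TLS_AES_256_GCM_SHA384, are offered as a fixed set that the config cannot narrow.

```go
package main

import (
	"crypto/tls"
	"fmt"
)
// RestrictedTLSConfig pins a server to the two TLS 1.2 suites named in the
// thread. crypto/tls ignores CipherSuites for TLS 1.3, so TLS_AES_256_GCM_SHA384
// cannot be selected exclusively: all TLS 1.3 suites stay offered to 1.3 clients.
func RestrictedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}
// ConfiguredSuiteNames resolves the pinned TLS 1.2 suite IDs to their IANA
// names and rejects any ID that Go itself classifies as insecure.
func ConfiguredSuiteNames(cfg *tls.Config) ([]string, error) {
	insecure := map[uint16]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.ID] = true
	}
	names := make([]string, 0, len(cfg.CipherSuites))
	for _, id := range cfg.CipherSuites {
		if insecure[id] {
			return nil, fmt.Errorf("insecure suite configured: %s", tls.CipherSuiteName(id))
		}
		names = append(names, tls.CipherSuiteName(id))
	}
	return names, nil
}

// TLS13SuiteNames lists the TLS 1.3 suites Go offers regardless of
// cfg.CipherSuites, i.e. the part of the negotiation that cannot be pinned.
func TLS13SuiteNames() []string {
	var names []string
	for _, cs := range tls.CipherSuites() {
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS13 {
				names = append(names, cs.Name)
				break
			}
		}
	}
	return names
}
```

Setting MinVersion to tls.VersionTLS13 would drop the 1.2 suites entirely but still leaves all three TLS 1.3 suites enabled, which is the point c-kruse raises about requirements that exclude stock Go.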

c-kruse commented 2 days ago

Glad to carry this on in github discussions and/or in our mailing list if there's a proposal here. https://groups.google.com/forum/#!forum/skupper

Closing the issue.