search

vmware-tanzu / pinniped

Pinniped is the easy, secure way to log in to your Kubernetes clusters.
https://pinniped.dev
Apache License 2.0
541 stars 65 forks source link

Allow admin user to further limit TLS ciphers used for TLS1.2 client requests and server ports (not including CLI) #1952

Closed joshuatcasey closed 2 months ago

joshuatcasey commented 3 months ago

Limit TLS ciphers for tls1.2.

Fixes #1605.

Replaces #1927.

codecov[bot] commented 3 months ago

Codecov Report

Attention: Patch coverage is 88.82682% with 20 lines in your changes missing coverage. Please review.

Project coverage is 30.68%. Comparing base (5d6dbe1) to head (f7f32f2).

Files Patch % Lines
internal/crypto/ptls/common.go 94.61% 4 Missing and 3 partials :warning:
test/testlib/securetls.go 0.00% 7 Missing :warning:
internal/concierge/server/server.go 0.00% 3 Missing :warning:
internal/supervisor/server/server.go 0.00% 3 Missing :warning:
Additional details and impacted files ```diff @@ Coverage Diff @@ ## main #1952 +/- ## ========================================== + Coverage 30.59% 30.68% +0.09% ========================================== Files 363 365 +2 Lines 60516 60617 +101 ========================================== + Hits 18513 18602 +89 - Misses 41469 41479 +10 - Partials 534 536 +2 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

cfryanr commented 3 months ago

Does this new configuration option allow the user to constrain the ciphers so much that everything stops working? For example, if they only allow one cipher, and that cipher is not an elliptic curve cipher, then will that break everything (because all of our auto-generated TLS certs use EC)?

joshuatcasey commented 3 months ago

Does this new configuration option allow the user to constrain the ciphers so much that everything stops working? For example, if they only allow one cipher, and that cipher is not an elliptic curve cipher, then will that break everything (because all of our auto-generated TLS certs use EC)?

This is a good point. Something outside of the Pinniped code ultimately decides which ciphers to use that even further constrain the user-allowed list. At the moment this would not impede application startup but the endpoints would never complete a TLS handshake. This needs more thought.

joshuatcasey commented 3 months ago

What if we reserved at least one elliptic cipher for Pinniped use? That way at least the healthcheck would work. If the user has provided incompatible certificates and cipher suites there's not much we can do about that.

Another option is we require at least one elliptic and one RSA cipher?

cfryanr commented 2 months ago

What if we reserved at least one elliptic cipher for Pinniped use? That way at least the healthcheck would work. If the user > has provided incompatible certificates and cipher suites there's not much we can do about that.

Another option is we require at least one elliptic and one RSA cipher?

We discussed on a call and I think we decided that the documentation for the new option is sufficient. We cannot know what combination of cipher will work because it is outside our control, for example we don't know how the Kubernetes API server's ciphers were configured.