1569169 – [RFE] Only weak ciphers are available in etcd

Bug 1569169 - [RFE] Only weak ciphers are available in etcd

Summary: [RFE] Only weak ciphers are available in etcd

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	RFE
Sub Component:
Version:	3.7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	3.10.0
Assignee:	Sebastien Pahl
QA Contact:	ge liu
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-18 17:47 UTC by Chad Scribner
Modified:	2021-12-10 15:59 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	Feature: Support TLS cipher suite whitelist Reason: Existing set of etcd ciphers are weak and raise alarms in common scanning tools (e.g. Nessus) Result: Improved security configure etcd to add --cipher-suites flag with the desired cipher suite restart etcd, apiserver, controllers, etc TLS handshake fails when client hello is requested with invalid cipher suites. If empty, Go auto-populates the list.
Clone Of:
Environment:
Last Closed:	2018-10-08 14:41:09 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Chad Scribner 2018-04-18 17:47:39 UTC

Description of problem:
Only weak ciphers are available for etcd


Version-Release number of selected component (if applicable):
OpenShift 3.7


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Chad Scribner 2018-04-24 16:38:34 UTC

The existing set of etcd ciphers are weak and pose a security vulnerability that raises alarms in common scanning tools (e.g. Nessus). OpenShift allows customers to disable weak ciphers using the following steps: https://access.redhat.com/solutions/3374601. However, strong ciphers are not available for etcd communication. Without the ability to use a set of strong ciphers that meet regulatory minimum requirements, and disable weak ciphers, deployment of OpenShift in regulatory-controlled environments will block on security violations.

Comment 9 Sebastien Pahl 2018-06-12 17:07:31 UTC

There is a new build available with the feature to select ciphers.

You can find it here:

https://github.com/coreos/etcd/releases/tag/v3.2.22

Original PR: https://github.com/coreos/etcd/pull/9801

Comment 18 Chad Scribner 2018-07-12 18:29:49 UTC

Sebastien -- Are there any updates on this?

Note You need to log in before you can comment on or make changes to this bug.