Bug 1569169 - [RFE] Only weak ciphers are available in etcd
Summary: [RFE] Only weak ciphers are available in etcd
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.10.0
Assignee: Sebastien Pahl
QA Contact: ge liu
Depends On:
Reported: 2018-04-18 17:47 UTC by Chad Scribner
Modified: 2018-10-08 14:41 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Support a TLS cipher suite whitelist
Reason: The existing set of etcd ciphers is weak and raises alarms in common scanning tools (e.g. Nessus)
Result: Improved security. Configure etcd with the --cipher-suites flag set to the desired cipher suites, then restart etcd, apiserver, controllers, etc. The TLS handshake fails when a client hello is sent with invalid (non-whitelisted) cipher suites. If the list is empty, Go auto-populates it.
Clone Of:
Last Closed: 2018-10-08 14:41:09 UTC
Target Upstream Version:


Description Chad Scribner 2018-04-18 17:47:39 UTC
Description of problem:
Only weak ciphers are available for etcd

Version-Release number of selected component (if applicable):
OpenShift 3.7

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 2 Chad Scribner 2018-04-24 16:38:34 UTC
The existing set of etcd ciphers is weak and poses a security vulnerability that raises alarms in common scanning tools (e.g. Nessus). OpenShift allows customers to disable weak ciphers using the following steps: https://access.redhat.com/solutions/3374601. However, strong ciphers are not available for etcd communication. Without the ability to use a set of strong ciphers that meet regulatory minimum requirements, and to disable weak ciphers, deployment of OpenShift in regulatory-controlled environments will block on security violations.

Comment 9 Sebastien Pahl 2018-06-12 17:07:31 UTC
There is a new build available with the feature to select ciphers.

You can find it here:


Original PR: https://github.com/coreos/etcd/pull/9801
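The whitelist semantics the Doc Text describes (the server accepts only the listed suites, the handshake fails when the client hello offers none of them, and an empty list falls back to Go's defaults) as an added Go example; this is not etcd's code or the PR's. It resolves IANA suite names through Go's tls.CipherSuites(), builds a constructed throwaway self-signed certificate, and runs the handshake over an in-memory pipe; the function names are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// cipherSuiteIDs maps IANA suite names (the form etcd's --cipher-suites takes) to Go IDs,
// rejecting names Go does not know. An empty list returns nil, so tls.Config keeps Go's defaults.
func cipherSuiteIDs(names []string) ([]uint16, error) {
	byName := map[string]uint16{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		byName[cs.Name] = cs.ID // weak suites resolve too; the operator decides what to list
	}
	var ids []uint16
	for _, n := range names {
		id, ok := byName[n]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %q", n)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// handshake runs a TLS 1.2 server restricted to serverSuites against a client offering only
// clientSuites over an in-memory pipe and returns the negotiated suite; the self-signed ECDSA
// cert is a constructed throwaway and the client skips verification (cipher selection is the point).
func handshake(serverSuites, clientSuites []uint16) (string, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	srv, cli := net.Pipe()
	go func() { // server side: only the whitelisted suites are acceptable, as with etcd's flag
		s := tls.Server(srv, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}, CipherSuites: serverSuites, MaxVersion: tls.VersionTLS12})
		s.Handshake() // on a mismatch this sends a handshake_failure alert to the client
		srv.Close()
	}()
	defer cli.Close()
	c := tls.Client(cli, &tls.Config{InsecureSkipVerify: true, CipherSuites: clientSuites, MaxVersion: tls.VersionTLS12})
	if err := c.Handshake(); err != nil {
		return "", err
	}
	return tls.CipherSuiteName(c.ConnectionState().CipherSuite), nil
}
```

A scanner's finding maps onto the second case: a client hello that only offers suites outside the whitelist gets a handshake_failure alert instead of a connection.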

Comment 18 Chad Scribner 2018-07-12 18:29:49 UTC
Sebastien -- Are there any updates on this?
