security: update tls cipher suites (#23551)
committed by
GitHub
parent
6589d7130b
commit
c82dd76a1b
3
.changelog/23551.txt
Normal file
3
.changelog/23551.txt
Normal file
@@ -0,0 +1,3 @@
|
||||
```release-note:security
|
||||
security: Removed insecure TLS cipher suites: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25` and `TLS_RSA_WITH_AES_128_CBC_SHA256`.
|
||||
```
|
||||
@@ -65,9 +65,6 @@ $cipherOrder = @(
|
||||
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
|
||||
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
|
||||
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
|
||||
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
|
||||
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
|
||||
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
|
||||
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
|
||||
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
|
||||
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
|
||||
@@ -75,7 +72,6 @@ $cipherOrder = @(
|
||||
'TLS_RSA_WITH_AES_128_GCM_SHA256',
|
||||
'TLS_RSA_WITH_AES_256_CBC_SHA256',
|
||||
'TLS_RSA_WITH_AES_256_CBC_SHA',
|
||||
'TLS_RSA_WITH_AES_128_CBC_SHA256',
|
||||
'TLS_RSA_WITH_AES_128_CBC_SHA',
|
||||
'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
|
||||
)
|
||||
|
||||
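Review bot: `'TLS_RSA_WITH_3DES_EDE_CBC_SHA'` is still the last entry of `$cipherOrder`, and `'TLS_RSA_WITH_AES_256_CBC_SHA256'` also remains, although the documentation touched by this same commit says 3DES is disabled for the agent. If this list is meant to track the agent's supported suites, drop the 3DES line (a 64-bit block cipher) and decide whether the remaining CBC_SHA256 entry should go with the 128-bit ones. Removing the 3DES line also means the preceding `'TLS_RSA_WITH_AES_128_CBC_SHA',` loses its trailing comma. The array starts outside the hunk, and the old/new markers are lost on this page, so this assumes the four removed lines are the `AES_128_CBC_SHA256` entries named in the changelog.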
@@ -32,15 +32,12 @@ var supportedTLSCiphers = map[string]uint16{
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||
}
|
||||
@@ -62,15 +59,12 @@ var supportedCipherSignatures = map[string]signatureAlgorithm{
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": ecdsaStringRepr,
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": rsaStringRepr,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": ecdsaStringRepr,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": rsaStringRepr,
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": rsaStringRepr,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": ecdsaStringRepr,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": ecdsaStringRepr,
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": rsaStringRepr,
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": ecdsaStringRepr,
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256": rsaStringRepr,
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384": rsaStringRepr,
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA256": rsaStringRepr,
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA": rsaStringRepr,
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA": rsaStringRepr,
|
||||
}
|
||||
|
||||
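Review bot: Nothing beside `supportedTLSCiphers` or `supportedCipherSignatures` records why the three `*_AES_128_CBC_SHA256` suites are gone while the `*_CBC_SHA` suites and the static-RSA `TLS_RSA_WITH_*` suites stay, so the next edit to these hand-maintained maps has no rule to follow. A comment above the first map such as `// Only suites from tls.CipherSuites(); names listed by tls.InsecureCipherSuites() must not be added here.` would state the policy, if that is the intended one. The remaining `TLS_RSA_WITH_*` entries give no forward secrecy, and recent Go releases appear to classify them as insecure too, so it is worth confirming against the toolchain in use whether they should still be accepted. Both maps begin outside these hunks, and which lines are removed is inferred from the hunk counts and the changelog text. The changelog entry also spells the second suite `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25`, dropping the final `6`, which will defeat a search for the name.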
@@ -798,15 +798,12 @@ func TestConfig_ParseCiphers_Valid(t *testing.T) {
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||
}, ","),
|
||||
@@ -819,15 +816,12 @@ func TestConfig_ParseCiphers_Valid(t *testing.T) {
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
||||
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||
}
|
||||
|
||||
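Review bot: No assertion visible in `TestConfig_ParseCiphers_Valid` checks that the removed suite names are now refused; the two hunks only drop them from the accepted input and from the expected result. A companion case that passes each of `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` and `TLS_RSA_WITH_AES_128_CBC_SHA256` to the parser and expects an error would pin the security change, unless an invalid-input test outside these hunks already covers it. The test function starts and ends outside both hunks.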
@@ -59,7 +59,7 @@ the [Enable TLS Encryption for Nomad Tutorial](/nomad/tutorials/transport-securi
|
||||
cluster is being upgraded to TLS, and removed after the migration is
|
||||
complete. This allows the agent to accept both TLS and plaintext traffic.
|
||||
|
||||
- `tls_cipher_suites` `string: "")` - Specifies the TLS cipher suites that will
|
||||
- `tls_cipher_suites` `(string: "")` - Specifies the TLS cipher suites that will
|
||||
be used by the agent as a comma-separated string. Known insecure ciphers are
|
||||
disabled (3DES and RC4). By default, an agent is configured to use
|
||||
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
@@ -73,6 +73,8 @@ the [Enable TLS Encryption for Nomad Tutorial](/nomad/tutorials/transport-securi
|
||||
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and
|
||||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
|
||||
|
||||
~> **Warning:** the use of insecure cipher suites such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, and TLS_RSA_WITH_AES_128_CBC_SHA256 is now unsupported.
|
||||
|
||||
- `tls_min_version` `(string: "tls12")`- Specifies the minimum supported version
|
||||
of TLS. Accepted values are "tls10", "tls11", "tls12".
|
||||
|
||||
|
||||