Default gRPC TLS Config uses weak protocols and ciphers (SWEET32) #343
Comments
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi
We are using a kOps managed Kubernetes cluster that uses etcd-manager. We have found that etcd-manager allows weak 3DES ciphers (vulnerable to SWEET32) as well as TLSv1.0 and TLSv1.1. I've been digging through the code and found that the gRPC server configs in etcd-manager/pkg/tlsconfig/options.go don't allow customisation of `tls.Config` with `MinVersion` and `CipherSuites`. Would it be possible to add an application flag that allows you to specify a cipher list and minimum TLS version, please?

Here is a snippet from an `nmap` scan of the etcd-manager ports we are using:
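One way the options requested in this issue could be validated and applied to a `tls.Config` in Go. This is an added example, not etcd-manager code; `BuildTLSConfig` and its string parameters are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// BuildTLSConfig returns a copy of base restricted to minVersion ("1.2" or
// "1.3") and the comma-separated IANA cipher names in cipherList.
// The function and its parameters are hypothetical, not etcd-manager code.
func BuildTLSConfig(base *tls.Config, minVersion, cipherList string) (*tls.Config, error) {
	cfg := &tls.Config{}
	if base != nil {
		cfg = base.Clone()
	}
	switch minVersion { // TLS 1.0 and 1.1 are not selectable at all
	case "1.2":
		cfg.MinVersion = tls.VersionTLS12
	case "1.3":
		cfg.MinVersion = tls.VersionTLS13
	default:
		return nil, fmt.Errorf("unsupported minimum TLS version %q", minVersion)
	}
	known := append(tls.CipherSuites(), tls.InsecureCipherSuites()...)
	var ids []uint16
	for _, name := range strings.Split(cipherList, ",") {
		name = strings.TrimSpace(name)
		var match *tls.CipherSuite
		for _, s := range known {
			if s.Name == name {
				match = s
			}
		}
		switch {
		case match == nil:
			return nil, fmt.Errorf("unknown cipher suite %q", name)
		case match.Insecure || strings.Contains(name, "3DES"):
			// 3DES has a 64-bit block (SWEET32); checked by name so the result
			// does not depend on how the Go release classifies the suite.
			return nil, fmt.Errorf("refusing weak cipher suite %s", name)
		}
		ids = append(ids, match.ID)
	}
	cfg.CipherSuites = ids // applies up to TLS 1.2; Go fixes the TLS 1.3 suites itself
	return cfg, nil
}

func main() {
	cfg, err := BuildTLSConfig(nil, "1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
	fmt.Println(cfg != nil, err)
}
```
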