lxd is too restrictive about ciphers when it comes to proxies
Bug #1797440 reported by
James Troup
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| lxd (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
lxd uses a very restrictive set of ciphers¹ with a stated goal of enforcing PFS. While this is admirable when it comes to communication between the lxc client and lxd servers, it's unreasonable to enforce that same reduced cipher list when talking to proxies. Proxies are very often outside of the control of the lxd user and it's perfectly reasonable to not care about PFS between me and where I get my images from. Please be more pragmatic about this and allow the user to configure a broader range of accepted ciphers for the purpose of talking to proxies.
--
¹ https:/
| summary: |
- lxd is too restrict about ciphers when it comes to proxies + lxd is too restrictive about ciphers when it comes to proxies |
Revision history for this message
| Stéphane Graber (stgraber) wrote | #1 |
| Changed in lxd (Ubuntu): | |
| status: | New → In Progress |
| Changed in lxd (Ubuntu): | |
| status: | In Progress → Fix Committed |
Revision history for this message
| Stéphane Graber (stgraber) wrote | #2 |
| Changed in lxd (Ubuntu): | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
Well, so most proxies do not intercept TLS and instead let you send "CONNECT" through and connect to the target server, in which case there's no reason for us to compromise on ciphers and allow for a potential downgrade and breaking of PFS.
Since we can't really detect a company proxy which does terminate TLS, I think the best option will be an environment variable.
https:/
This restricts the scope of this as much as possible and uses an env variable so that the same can apply to client and server. All LXD internal communications (cluster and server to server) will not be respecting this environment variable and will keep enforcing the strict TLS config.