SSL/TLS advertises the discouraged cipher suites
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Medium | Karla Felix |
Bug Description
Description of failure
There is an application listening on 5443:

root@controller
tcp6 0 0 :::5443 :::* LISTEN 87951/nginx-ingress

On port 5443, we are seeing the vulnerability as follows:

The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined below:
ECDHE-ECDSA-
SHA1
ECDHE-ECDSA-
SHA1
Port : 5443

So to check this, I simply ran a curl command from a different client to port 5443, which initiates an HTTPS connection with the above vulnerable algos (ex: ECDHE-ECDSA-

curl -I https:/
HTTP/1.1 400 Bad Request
Date: Tue, 28 Nov 2023 11:42:32 GMT

If the above vulnerable algo is not supported by the application running on 5443, the TLS handshake should have failed.
But I see the TLS connection goes through.
Changed in starlingx:
  assignee: nobody → Karla Felix (kkarolin)
Changed in starlingx:
  status: New → In Progress
Changed in starlingx:
  importance: Undecided → Medium
tags: added: stx.9.0 stx.security
tags: added: stx.10.0
Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/907615
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/72dd981826862e4142441bc7b67fc03f23d011d3
Submitter: "Zuul (22348)"
Branch: master
commit 72dd981826862e4142441bc7b67fc03f23d011d3
Author: Karla Felix <email address hidden>
Date: Fri Feb 2 12:54:08 2024 -0300
Removing weak ciphers from kube-apiserver
This commit will remove the support for ciphers considered
weak based on the NIST list.
Test Plan:
PASS: Run build-pkgs -c -p playbookconfig yaml.
PASS: Run build-image
PASS: Run a fresh install and verify if the cipher-suites are
present in kube-apiserver.
PASS: Run nmap and verify if only listed ciphers are returned.
Closes-Bug: 2054813
Change-Id: I0a416ee3975b5659dae050a5e9ed66bdd9b4e6f2
Signed-off-by: Karla Felix <email address hidden>
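The bug report verifies the weakness with a single curl handshake, and the fix's test plan verifies the result with nmap. The following is an added example, not code from the bug report or from the StarlingX ansible-playbooks commit, showing how a defender would automate both checks: parse nmap `ssl-enum-ciphers` output, flag discouraged suites, derive the kube-apiserver `--tls-cipher-suites` value from what remains, and probe a port offering only one suite so that a suite that should be disabled can be confirmed as rejected. The nmap output is constructed for a hypothetical host, and the policy rules are the example's own (they go beyond the SHA1 suites the report lists and also flag CBC, static-RSA and legacy algorithms), not the NIST list the commit refers to.

```python
"""Audit a TLS port for discouraged cipher suites (added example).

Suite names are IANA names (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), the
form nmap prints and kube-apiserver's --tls-cipher-suites flag accepts.
probe_suite() takes an OpenSSL name, because that is what Python's ssl
module (and curl/openssl s_client) use when restricting the client offer.
"""
import re
import socket
import ssl

# Constructed nmap ssl-enum-ciphers output for a hypothetical host; not
# captured from the system in the bug report.
SAMPLE_NMAP = """\
PORT     STATE SERVICE
5443/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
"""

# Policy rules, checked in order; the first match supplies the reason.
# This is the example's own policy, not the NIST list the fix commit cites.
DISCOURAGED_RULES = [
    (re.compile(r"RC4|3DES|DES_|NULL|EXPORT|IDEA|SEED"), "broken or legacy algorithm"),
    (re.compile(r"_SHA$"), "SHA1 HMAC"),
    (re.compile(r"_CBC_"), "CBC mode (no AEAD)"),
    (re.compile(r"^TLS_RSA_WITH_"), "static RSA key exchange, no forward secrecy"),
    (re.compile(r"^TLS_(ECDH|DH)_"), "static (EC)DH key exchange, no forward secrecy"),
]


def parse_nmap_ciphers(text):
    """Extract IANA suite names from nmap ssl-enum-ciphers output."""
    return re.findall(r"\bTLS_[A-Z0-9_]+", text)


def classify_suites(names):
    """Map each discouraged suite to the first policy reason it trips."""
    flagged = {}
    for name in names:
        for pattern, reason in DISCOURAGED_RULES:
            if pattern.search(name):
                flagged[name] = reason
                break
    return flagged


def kube_apiserver_flag(names):
    """Build the --tls-cipher-suites value from the suites that pass the
    policy, keeping the order in which they were observed."""
    flagged = classify_suites(names)
    allowed = [n for n in names if n not in flagged]
    return "--tls-cipher-suites=" + ",".join(allowed)


def probe_suite(host, port, openssl_cipher, timeout=5.0):
    """Offer only `openssl_cipher` (e.g. ECDHE-ECDSA-AES128-SHA) to host:port.

    Returns the negotiated suite name if the server accepted it, or None if
    the handshake (or the TCP connection) was refused. The client is capped
    at TLS 1.2 because TLS 1.3 suites are not selected through set_ciphers().
    Certificate verification is off: the question is suite acceptance, not
    server identity, so do not reuse this context for real traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(openssl_cipher)
    except ssl.SSLError as exc:
        # The local OpenSSL build/security level refuses to even offer it.
        raise ValueError(f"local OpenSSL cannot offer {openssl_cipher}") from exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    observed = parse_nmap_ciphers(SAMPLE_NMAP)
    for suite, reason in classify_suites(observed).items():
        print(f"DISCOURAGED {suite}: {reason}")
    print(kube_apiserver_flag(observed))
```

After the fix is deployed, `probe_suite(host, 5443, "ECDHE-ECDSA-AES128-SHA")` returning None is the positive result: the server no longer completes a handshake that offers only the SHA1 suite, which is the failure the reporter expected to see from curl.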