lxd is too restrictive about ciphers when it comes to proxies

Bug #1797440 reported by James Troup on 2018-10-11
This bug affects 1 person
Affects: lxd (Ubuntu)

Bug Description

lxd uses a very restrictive set of ciphers¹ with a stated goal of enforcing PFS. While this is admirable when it comes to communication between the lxc client and lxd servers, it's unreasonable to enforce that same reduced cipher list when talking to proxies. Proxies are very often outside of the control of the lxd user and it's perfectly reasonable to not care about PFS between me and where I get my images from. Please be more pragmatic about this and allow the user to configure a broader range of accepted ciphers for the purpose of talking to proxies.

¹ https://github.com/lxc/lxd/blob/master/shared/network.go#L53

James Troup (elmo) on 2018-10-11
summary: - lxd is too restrict about ciphers when it comes to proxies
+ lxd is too restrictive about ciphers when it comes to proxies
Stéphane Graber (stgraber) wrote :

Well, so most proxies do not intercept TLS and instead let you send "CONNECT" through and connect to the target server, in which case there's no reason for us to compromise on ciphers and allow for a potential downgrade and breaking of PFS.

Since we can't really detect a company proxy which does terminate TLS, I think the best option will be an environment variable.
This restricts the scope of this as much as possible and uses an env variable so that the same can apply to client and server. All LXD internal communications (cluster and server to server) will not be respecting this environment variable and will keep enforcing the strict TLS config.
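One way to express the policy described in that comment, as an added Go example (not LXD's own code from shared/network.go): a PFS-only suite list, a relaxed config for proxy connections, and a selector that never honours the opt-in for internal traffic. The suite list and the variable name LXD_EXAMPLE_RELAX_PROXY_TLS are assumptions; the thread does not name the variable.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
)

// Constructed list for this example: ECDHE suites only, so every handshake
// uses an ephemeral key and the session keeps forward secrecy (PFS).
var pfsCipherSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}

// relaxEnvVar is a placeholder name; the thread only says "an environment
// variable" and does not name it.
const relaxEnvVar = "LXD_EXAMPLE_RELAX_PROXY_TLS"

// StrictTLSConfig: TLS 1.2+ and PFS suites only. Used for every internal
// (cluster, server-to-server) connection and for direct client connections.
func StrictTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: pfsCipherSuites}
}

// RelaxedTLSConfig leaves CipherSuites nil so Go's default list applies.
// Certificate verification stays on; only the PFS guarantee is given up.
func RelaxedTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// TLSConfigFor applies the policy from the thread: internal traffic never
// honours the opt-in, and proxy traffic is relaxed only when the operator
// has set the variable; everything else stays strict.
func TLSConfigFor(internal, viaProxy bool, relaxOptIn string) *tls.Config {
	if !internal && viaProxy && (relaxOptIn == "1" || relaxOptIn == "true") {
		return RelaxedTLSConfig()
	}
	return StrictTLSConfig()
}

func main() {
	viaProxy := os.Getenv("HTTPS_PROXY") != ""
	cfg := TLSConfigFor(false, viaProxy, os.Getenv(relaxEnvVar))
	fmt.Printf("via proxy: %v, PFS-only suites enforced: %v\n", viaProxy, cfg.CipherSuites != nil)
}
```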

Changed in lxd (Ubuntu):
status: New → In Progress
Changed in lxd (Ubuntu):
status: In Progress → Fix Committed
Stéphane Graber (stgraber) wrote :

The stable snap now contains this code.

Changed in lxd (Ubuntu):
status: Fix Committed → Fix Released