From 19c34bd12d597fbcfb7f5784337c97fd72829956 Mon Sep 17 00:00:00 2001 From: Chuck Schweizer Date: Wed, 13 May 2020 08:34:45 -0500 Subject: [PATCH] Update to set default CipherSuites The default CipherSuites need to be set to disable the insecure TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Cipher --- pkg/cli/server/server.go | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/pkg/cli/server/server.go b/pkg/cli/server/server.go index 4a63de94f3..534f8ea639 100644 --- a/pkg/cli/server/server.go +++ b/pkg/cli/server/server.go @@ -190,13 +190,24 @@ func run(app *cli.Context, cfg *cmds.Server) error { return errors.Wrapf(err, "Invalid TLS Version %s: %v", TLSMinVersion, err) } + // TLS config based on mozilla ssl-config generator + // https://ssl-config.mozilla.org/#server=golang&version=1.13.6&config=intermediate&guideline=5.4 + // Need to disable the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Cipher for TLS1.2 TLSCipherSuites := []string{getArgValueFromList("tls-cipher-suites", cfg.ExtraAPIArgs)} - if len(TLSCipherSuites) != 0 && TLSCipherSuites[0] != "" { - serverConfig.ControlConfig.TLSCipherSuites, err = kubeapiserverflag.TLSCipherSuites(TLSCipherSuites) - if err != nil { - return errors.Wrapf(err, "Invalid TLS Cipher Suites %s: %v", TLSCipherSuites, err) + if len(TLSCipherSuites) == 0 || TLSCipherSuites[0] == "" { + TLSCipherSuites = []string{ + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", } } + serverConfig.ControlConfig.TLSCipherSuites, err = kubeapiserverflag.TLSCipherSuites(TLSCipherSuites) + if err != nil { + return errors.Wrapf(err, "Invalid TLS Cipher Suites %s: %v", TLSCipherSuites, err) + } logrus.Info("Starting k3s ", app.App.Version) notifySocket := os.Getenv("NOTIFY_SOCKET")