Skip to content

Commit

Permalink
Merge pull request #26169 from victorgp/master
Browse files Browse the repository at this point in the history 
Automatic merge from submit-queue

Setting TLS1.2 minimum because TLS1.0 and TLS1.1 are vulnerable

TLS1.0 is known as vulnerable since it can be downgraded to SSL
https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

TLS1.1 can be vulnerable if cipher RC4-SHA is used, and in Kubernetes it is, you can check it with
`
openssl s_client -cipher RC4-SHA -connect apiserver.k8s.example.com:443
`

https://www.globalsign.com/en/blog/poodle-vulnerability-expands-beyond-sslv3-to-tls/

Test suites like Qualys are reporting this Kubernetes issue as a level 3 vulnerability, they recommend to upgrade to TLS1.2 that is not affected, quoting Qualys:

`
RC4 should not be used where possible. One reason that RC4 was still being used was BEAST and Lucky13 attacks against CBC mode ciphers in
SSL and
TLS. However, TLSv 1.2 or later address these issues.
`
  • Loading branch information
k8s-merge-robot committed May 29, 2016
2 parents 2253f3d + d3f3e6c commit 0fc5732
Show file tree
Hide file tree
Showing 3 changed files with 12 additions and 6 deletions.
6 changes: 4 additions & 2 deletions cmd/kubelet/app/server.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -416,8 +416,10 @@ func InitializeTLS(s *options.KubeletServer) (*server.TLSOptions, error) {
}
tlsOptions := &server.TLSOptions{
Config: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability).
MinVersion: tls.VersionTLS10,
// Can't use SSLv3 because of POODLE and BEAST
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.1 because of RC4 cipher usage
MinVersion: tls.VersionTLS12,
// Populate PeerCertificates in requests, but don't yet reject connections without certificates.
ClientAuth: tls.RequestClientCert,
},
Expand Down
6 changes: 4 additions & 2 deletions pkg/client/transport/transport.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,8 +63,10 @@ func TLSConfigFor(c *Config) (*tls.Config, error) {
}

tlsConfig := &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
// Can't use SSLv4 because of POODLE and BEAST
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.1 because of RC4 cipher usage
MinVersion: tls.VersionTLS12,
InsecureSkipVerify: c.TLS.Insecure,
}

Expand Down
6 changes: 4 additions & 2 deletions pkg/genericapiserver/genericapiserver.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -668,8 +668,10 @@ func (s *GenericAPIServer) Run(options *options.ServerRunOptions) {
Handler: apiserver.MaxInFlightLimit(sem, longRunningRequestCheck, apiserver.RecoverPanics(handler)),
MaxHeaderBytes: 1 << 20,
TLSConfig: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
// Can't use SSLv3 because of POODLE and BEAST
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.1 because of RC4 cipher usage
MinVersion: tls.VersionTLS12,
},
}

Expand Down

0 comments on commit 0fc5732

Please sign in to comment.