Setting TLS1.2 minimum because TLS1.0 and TLS1.1 are vulnerable
Adding comments to explain what is wrong with each version
Victor Garcia committed May 25, 2016
1 parent 01e79b8 commit d3f3e6c
Showing 3 changed files with 12 additions and 6 deletions.
6 changes: 4 additions & 2 deletions cmd/kubelet/app/server.go
Expand Up @@ -413,8 +413,10 @@ func InitializeTLS(s *options.KubeletServer) (*server.TLSOptions, error) {
}
tlsOptions := &server.TLSOptions{
Config: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability).
MinVersion: tls.VersionTLS10,
// Can't use SSLv3 because of POODLE and BEAST
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.1 because of RC4 cipher usage
MinVersion: tls.VersionTLS12,
// Populate PeerCertificates in requests, but don't yet reject connections without certificates.
ClientAuth: tls.RequestClientCert,
},
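Review bot: The rationale in the three new comment lines above `MinVersion` does not match the mitigation: RC4 is a cipher-suite choice rather than a TLS 1.1 property and stays negotiable under TLS 1.2 unless the Config also restricts `CipherSuites`, so raising `MinVersion` alone does not remove it; likewise POODLE is an SSLv3 padding-oracle attack and BEAST is the TLS 1.0 CBC issue. Suggest replacing the three lines with `// Require TLS 1.2: SSLv3 (POODLE) and TLS 1.0 (BEAST) have CBC padding weaknesses, and TLS 1.1 offers no AEAD suites.` and `// Weak suites such as RC4 must be excluded via CipherSuites; MinVersion does not do that.`, and if RC4 is the real concern, set `CipherSuites` explicitly in this Config. The same comment text appears in the pkg/client/transport/transport.go and pkg/genericapiserver/genericapiserver.go hunks. InitializeTLS begins before and continues after this hunk.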
6 changes: 4 additions & 2 deletions pkg/client/transport/transport.go
Expand Up @@ -63,8 +63,10 @@ func TLSConfigFor(c *Config) (*tls.Config, error) {
}

tlsConfig := &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
// Can't use SSLv4 because of POODLE and BEAST
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.1 because of RC4 cipher usage
MinVersion: tls.VersionTLS12,
InsecureSkipVerify: c.TLS.Insecure,
}
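Review bot: The first new comment line reads `// Can't use SSLv4 because of POODLE and BEAST`; there is no SSLv4, and the line should say SSLv3 as the matching comment in the other two hunks does. This Config is built for a client transport, so a TLS 1.2 floor also means the client refuses any server that cannot negotiate 1.2; a short note to that effect beside `MinVersion` (or in the commit description) would help operators diagnosing connection failures after the upgrade. TLSConfigFor begins before and continues after this hunk.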

6 changes: 4 additions & 2 deletions pkg/genericapiserver/genericapiserver.go
Expand Up @@ -666,8 +666,10 @@ func (s *GenericAPIServer) Run(options *options.ServerRunOptions) {
Handler: apiserver.MaxInFlightLimit(sem, longRunningRequestCheck, apiserver.RecoverPanics(handler)),
MaxHeaderBytes: 1 << 20,
TLSConfig: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
// Can't use SSLv3 because of POODLE and BEAST
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.1 because of RC4 cipher usage
MinVersion: tls.VersionTLS12,
},
}

