Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Setting TLS1.2 minimum because TLS1.0 and TLS1.1 are vulnerable #26169

Merged
merged 1 commit into from
May 29, 2016
Merged

Setting TLS1.2 minimum because TLS1.0 and TLS1.1 are vulnerable #26169

merged 1 commit into from
May 29, 2016

Conversation

victorgp
Copy link

TLS1.0 is known as vulnerable since it can be downgraded to SSL
https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

TLS1.1 can be vulnerable if cipher RC4-SHA is used, and in Kubernetes it is, you can check it with
openssl s_client -cipher RC4-SHA -connect apiserver.k8s.example.com:443

https://www.globalsign.com/en/blog/poodle-vulnerability-expands-beyond-sslv3-to-tls/

Test suites like Qualys are reporting this Kubernetes issue as a level 3 vulnerability, they recommend to upgrade to TLS1.2 that is not affected, quoting Qualys:

RC4 should not be used where possible. One reason that RC4 was still being used was BEAST and Lucky13 attacks against CBC mode ciphers in SSL and TLS. However, TLSv 1.2 or later address these issues.

@k8s-bot
Copy link

k8s-bot commented May 24, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

2 similar comments
@k8s-bot
Copy link

k8s-bot commented May 24, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

@k8s-bot
Copy link

k8s-bot commented May 24, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

@k8s-github-robot k8s-github-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note-label-needed labels May 24, 2016
@vishh vishh assigned lavalamp and unassigned vishh May 24, 2016
lavalamp
lavalamp reviewed May 24, 2016
View reviewed changes
cmd/kubelet/app/server.go
@@ -413,8 +413,8 @@ func InitializeTLS(s *options.KubeletServer) (*server.TLSOptions, error) {
}
tlsOptions := &server.TLSOptions{
Config: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability).
MinVersion: tls.VersionTLS10,
// Change default from SSLv3 to TLSv1.2 (because of POODLE vulnerability).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please expand comment to list what is wrong with each version. i.e.

// Can't use SSLv3 because of POODLE
// Can't use TLSv1.0 because of xxxx
// Can't use TLSv1.1 because of xxxx

@lavalamp
Copy link
Member

ok to test

@lavalamp
Copy link
Member

@smarterclayton will this change break any openshift clients?

@smarterclayton
Copy link
Contributor

No, we've been running this way for a while. We left an env var escape
hatch if an older cipher / protocol was required, but so far no one has
needed it. @liggitt.

On May 24, 2016, at 6:46 PM, Daniel Smith notifications@github.com wrote:

@smarterclayton https://github.com/smarterclayton will this change break
any openshift clients?


You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#26169 (comment)

@lavalamp
Copy link
Member

In that case, fix the comment and LGTM :)

On Tue, May 24, 2016 at 3:50 PM, Clayton Coleman notifications@github.com
wrote:

No, we've been running this way for a while. We left an env var escape
hatch if an older cipher / protocol was required, but so far no one has
needed it. @liggitt.

On May 24, 2016, at 6:46 PM, Daniel Smith notifications@github.com
wrote:

@smarterclayton https://github.com/smarterclayton will this change break
any openshift clients?


You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
<
#26169 (comment)


You are receiving this because you were assigned.
Reply to this email directly or view it on GitHub
#26169 (comment)

@victorgp
Copy link
Author

@lavalamp done!

liggitt
liggitt reviewed May 25, 2016
View reviewed changes
cmd/kubelet/app/server.go
// Can't use SSLv3 because of POODLE and BEAST
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.1 because of RC4 cipher usage
MinVersion: tls.VersionTLS12,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1, thanks

@MHBauer
Copy link
Contributor

MHBauer commented May 25, 2016

Good comment.

@smarterclayton
Copy link
Contributor

Looks good, can you squash?

@smarterclayton smarterclayton added this to the v1.3 milestone May 25, 2016
Setting TLS1.2 minimum because TLS1.0 and TLS1.1 are vulnerable
d3f3e6c 
Adding comments to explain what is wrong with each version
@victorgp
Copy link
Author

@smarterclayton sure! done!

@lavalamp
Copy link
Member

LGTM

@lavalamp lavalamp added lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels May 25, 2016
@lavalamp
Copy link
Member

I set the release note label-- we should announce this change.

@wojtek-t
Copy link
Member

@k8s-bot e2e test this please issue: #IGNORE (there were problems with Jenkins at that time)

@wojtek-t wojtek-t added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels May 29, 2016
@k8s-github-robot
Copy link

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

@k8s-bot
Copy link

k8s-bot commented May 29, 2016

GCE e2e build/test passed for commit d3f3e6c.

@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit 0fc5732 into kubernetes:master May 29, 2016
dims
dims reviewed May 31, 2016
View reviewed changes
pkg/client/transport/transport.go
@@ -63,8 +63,10 @@ func TLSConfigFor(c *Config) (*tls.Config, error) {
}

tlsConfig := &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
// Can't use SSLv4 because of POODLE and BEAST
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SSLv3. right? (minor nit)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops good catch! I just created this PR to fix it #26562

@victorgp victorgp mentioned this pull request May 31, 2016
Merged
k8s-github-robot pushed a commit that referenced this pull request Jun 1, 2016
Merge pull request #26562 from victorgp/master
2976e89 
Automatic merge from submit-queue

Minor typo in comment, SSLv3 instead of SSLv4

Minor fix in a comment from this PR #26169
@dims dims mentioned this pull request Jul 13, 2016
Closed
dims added a commit to dims/kubernetes that referenced this pull request Aug 5, 2016
@dims
[WIP] Use TLS 1.2 to access healthz API
1eb2348 
In the following PR, TLS was set to 1.2 as the minimum
because TLS1.0 and TLS1.1 are vulnerable:
kubernetes#26169

However the scripts that used curl were not updated to match
the TLS version.

Since --tlsv1.2 was introduced in curl 7.34.0, we should check
the version before using the option.

Fixes kubernetes#28888
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@smarterclayton smarterclayton

Labels
lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.3
Development

Successfully merging this pull request may close these issues.