Add support for TLS configuration #2193

Closed
timhallinflux opened this issue Apr 15, 2019 · 0 comments · Fixed by #2198


timhallinflux commented Apr 15, 2019

Feature Request

Proposal: Support for exposing crypto/tls options in config. This request mirrors the request that was implemented for InfluxDB influxdata/influxdb#8637

Current behavior: When setting up HTTPS, default values from crypto/tls are used, which include weaker encryption: TLS versions 1.0 and 1.1 and 3DES ciphers. See the nmap ssl-enum-ciphers scan below:

PORT     STATE SERVICE
8086/tcp open  d-s-n
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C

Desired behavior: Expose additional values in the config to control the TLS settings available on the server. Example crypto/tls settings to be exposed would be: MinVersion, CipherSuites, PreferServerCipherSuites, CurvePreferences.

Use case: More compliance audits are requiring TLS 1.2 only as recommended by NIST. Also the ability to avoid things like SWEET32 [1] by disabling 3DES ciphers is important. At the moment, we have to put Kapacitor behind a proxy to meet this requirement.

[1] https://sweet32.info/
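
As an added illustration (not Kapacitor's code and not part of the original issue), this Go sketch shows how the four crypto/tls fields named above could be populated from operator-supplied strings so that TLS 1.0/1.1 and 3DES are no longer offered. The function name `BuildTLSConfig` and the `tls1.x` version strings are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// versions maps (hypothetical) config strings to crypto/tls protocol constants.
var versions = map[string]uint16{
	"tls1.0": tls.VersionTLS10,
	"tls1.1": tls.VersionTLS11,
	"tls1.2": tls.VersionTLS12,
	"tls1.3": tls.VersionTLS13,
}

// BuildTLSConfig resolves suite names against tls.CipherSuites(), which omits
// suites Go lists as insecure (3DES, RC4), so a 3DES name is rejected.
func BuildTLSConfig(minVersion string, suites []string) (*tls.Config, error) {
	v, ok := versions[minVersion]
	if !ok {
		return nil, fmt.Errorf("unknown TLS version %q", minVersion)
	}
	known := make(map[string]uint16)
	for _, cs := range tls.CipherSuites() {
		known[cs.Name] = cs.ID
	}
	ids := make([]uint16, 0, len(suites))
	for _, name := range suites {
		id, ok := known[name]
		if !ok {
			return nil, fmt.Errorf("cipher suite %q is unknown or insecure", name)
		}
		ids = append(ids, id)
	}
	return &tls.Config{
		MinVersion:               v,
		CipherSuites:             ids,  // governs TLS 1.0-1.2 only; TLS 1.3 suites are fixed
		PreferServerCipherSuites: true, // legacy field; Go 1.17+ ignores it
		CurvePreferences:         []tls.CurveID{tls.X25519, tls.CurveP256},
	}, nil
}

func main() {
	cfg, err := BuildTLSConfig("tls1.2", []string{
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	})
	fmt.Println(cfg.MinVersion == tls.VersionTLS12, len(cfg.CipherSuites), err)
}
```

Re-running the same nmap ssl-enum-ciphers scan against a listener built from such a config is the check that the TLSv1.0 and TLSv1.1 sections and the SWEET32 warning are gone.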
