Add default cipher suites configuration for webhook server #1238
Comments
The ciphersuite from crypto/tls provides a list of cipher suites which are safe to use.
Currently #1244 only fixes the operator on port 9443; port 8443 needs further investigation.
@pavolloffay as I understand, port 8443 is kube-rbac-proxy. Do you mind pointing me to where the entrypoint for setting the server is?
What is using 8443? Is it for metrics? Are you looking to configure rbac proxy https://github.com/brancz/kube-rbac-proxy? The requests from the proxy are proxied to 8080 on the operator.
Currently the webhook server uses the default cipher suites from the crypto/tls package.
There are 2 ciphers that are vulnerable to the SWEET32 attack:
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
Since the webhook server defaults to TLSv1.2, we can add configuration to disable the above cipher suites by default and allow the strong cipher suites.
The one in yellow is a medium-strength cipher suite.
https://www.openssl.org/blog/blog/2016/08/24/sweet32/
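An added example (not part of the original issue or the project's code): one way to build the TLS settings the issue proposes, using only crypto/tls. The function names are hypothetical, the sample config is constructed, and how `hardenTLS` would be wired into the webhook server is an assumption not shown on the page.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// isSweet32 reports whether id is one of the two 3DES suites named in the issue.
func isSweet32(id uint16) bool {
	return id == tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA || id == tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA
}

// allowedSuites filters tls.CipherSuites() to TLS 1.2 suites without 3DES.
// TLS 1.3 suites are skipped because Config.CipherSuites does not control them.
func allowedSuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS12 && !isSweet32(cs.ID) {
				ids = append(ids, cs.ID)
			}
		}
	}
	return ids
}

// hardenTLS (hypothetical name) raises the floor to TLS 1.2 and pins the filtered list.
func hardenTLS(cfg *tls.Config) {
	if cfg.MinVersion < tls.VersionTLS12 {
		cfg.MinVersion = tls.VersionTLS12
	}
	cfg.CipherSuites = allowedSuites()
}

// weakSuites names the 3DES suites explicitly listed in cfg (defaults are not inspected).
func weakSuites(cfg *tls.Config) []string {
	var names []string
	for _, id := range cfg.CipherSuites {
		if isSweet32(id) {
			names = append(names, tls.CipherSuiteName(id))
		}
	}
	return names
}

func main() {
	cfg := &tls.Config{CipherSuites: []uint16{tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}} // constructed sample
	fmt.Println("before:", weakSuites(cfg))
	hardenTLS(cfg)
	fmt.Println("after:", weakSuites(cfg), len(cfg.CipherSuites), "suites kept")
}
```

Filtering by suite ID rather than relying on the library's default list keeps the result the same across Go releases that classify 3DES differently.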