Add default cipher suites configuration for webhook server #1238
Comments
kangsheng89
changed the title
|
the ciphersuite from crypto/tls provide list of cipher suite which are safe to use |
|
Currently the #1244 only fix operator on port 9443, port 8443 need further investigation |
|
@pavolloffay as i understand port 8443 is kube-rbac-proxy, do u mind to point me where is the entrypoint for setting the server? |
|
what is using 8443? Is it for metrics Are you looking to configure rbac proxy https://github.com/brancz/kube-rbac-proxy? The requests from the proxy are proxied to 8080 on the operator. |
|
Currently the webhook server default cipher suite from crypto/tls package.
There are 2 cipher is vulnerable on SWEET32 attack
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
Since webhook server is default to TLSv1.2, we can add configure to default disable cipher suite of the above, and allow the strong cipher suite.
The one in yellow is medium strength cipher suite
https://www.openssl.org/blog/blog/2016/08/24/sweet32/
The text was updated successfully, but these errors were encountered: