Caiyeon/goldfish

Be able to restrict ciphers used on Goldfish

dspit1664 opened this issue · 1 comment

Bug report:

A Nessus scan shows a Medium Cipher vulnerability on port 8000.
Since this is a Goldfish port and not Vault, I'm raising this issue here.

Need to be able to specify which TLS 1.2 ciphers should be used.
We had a similar issue with Vault, but it allows you to specify ciphers. We did this, and for Vault the issue has been remediated; I'm not sure Goldfish can do the same.

For Vault I used the listener options documented at https://www.vaultproject.io/docs/configuration/listener/tcp.html, which allow you to specify:

```hcl
tls_min_version = "tls12"
tls_cipher_suites = <ciphers as per https://golang.org/src/crypto/tls/cipher_suites.go>
```

Vault version:

```
vault --version
Vault v0.8.1 ('8d76a41854608c547a233f2e6292ae5355154695')
```

Goldfish version:

```
goldfish --version
2018/03/08 16:47:26 Goldfish version: v0.7.0
```

Operating system:

```
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
```

Steps to reproduce:
Install Vault and Goldfish and configure them like a vanilla environment.
Our vault.cfg file looks like this:

```hcl
# backend "file" {
#  path = "/var/lib/vault"
# }

storage "s3" {
  access_key = "blahblah"
  secret_key = "Iamasecret"
  bucket     = "vault-storage-staging"
  endpoint = "<S3 Storage>"
}

##listener "tcp" {
# address = "127.0.0.1:8200"
# tls_disable = 1
#}

disable_mlock=true

# BEGIN ANSIBLE MANAGED BLOCK
listener "tcp" {
# address = "0.0.0.0:8201"
 tls_disable = false
 address = "127.0.0.1:8200"
 tls_cert_file = "/var/lib/vault/pki/root_cert.pem"
 tls_key_file = "/var/lib/vault/pki/root_key.pem"
 tls_min_version = "tls12"
 tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
}
# END ANSIBLE MANAGED BLOCK
```

Expected behaviour and actual behaviour:
Normal behaviour, i.e. we can use Vault and Goldfish fine.
However, a Nessus scan shows:
SSL Medium Strength Cipher Suites Supported (42873) on port 8000

I see that you are using goldfish v0.7.0. I would recommend upgrading to v0.9.0.

v0.8.0 brought several TLS standards. The current list of cipher suites seems close if not identical to your list. You can see them here: https://github.com/Caiyeon/goldfish/blob/master/server/server.go#L163

As for configurable cipher suites, there are no current plans to support this.
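The issue's Vault listener sets `tls_min_version = "tls12"` and a `tls_cipher_suites` list using Go's crypto/tls names, and the maintainer's reply points at a hard-coded suite list in server.go. The following is an added example (not goldfish's own server code and not Vault's) showing how a Go service would accept that same comma-separated name list, refuse names that crypto/tls itself classifies as insecure, and pin the minimum version to TLS 1.2. It assumes Go 1.14 or later for `tls.CipherSuites`, `tls.InsecureCipherSuites` and `tls.CipherSuiteName`; the function names `RestrictedTLSConfig` and `SuiteNames` and the sample list in `main` are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// cipherSuiteIDs maps the names used by crypto/tls (the same names Vault's
// tls_cipher_suites accepts) to their numeric IDs. Suites that Go flags as
// insecure are returned separately so a policy can reject them by name.
func cipherSuiteIDs() (secure, insecure map[string]uint16) {
	secure = map[string]uint16{}
	insecure = map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = cs.ID
	}
	return secure, insecure
}

// RestrictedTLSConfig builds a server-side tls.Config from a comma-separated
// list of cipher suite names, preserving the given order. It rejects unknown
// names and any suite Go marks insecure, and sets MinVersion to TLS 1.2,
// which is what Vault's tls_min_version = "tls12" expresses.
func RestrictedTLSConfig(list string) (*tls.Config, error) {
	secure, insecure := cipherSuiteIDs()
	var ids []uint16
	for _, name := range strings.Split(list, ",") {
		name = strings.TrimSpace(name)
		if name == "" {
			continue
		}
		if _, bad := insecure[name]; bad {
			return nil, fmt.Errorf("cipher suite %s is marked insecure by crypto/tls", name)
		}
		id, ok := secure[name]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %q", name)
		}
		ids = append(ids, id)
	}
	if len(ids) == 0 {
		return nil, fmt.Errorf("no cipher suites configured")
	}
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: ids,
	}, nil
}

// SuiteNames renders the configured suites back as names, so the effective
// policy can be logged at startup and compared against a scan result.
func SuiteNames(cfg *tls.Config) []string {
	names := make([]string, 0, len(cfg.CipherSuites))
	for _, id := range cfg.CipherSuites {
		names = append(names, tls.CipherSuiteName(id))
	}
	return names
}

func main() {
	// Constructed input: the two ECDHE AES-GCM suites from the issue's Vault config.
	cfg, err := RestrictedTLSConfig("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
	if err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	fmt.Printf("min version 0x%04x, suites %v\n", cfg.MinVersion, SuiteNames(cfg))

	// A suite Go considers insecure is refused outright rather than silently dropped.
	if _, err := RestrictedTLSConfig("TLS_RSA_WITH_RC4_128_SHA"); err != nil {
		fmt.Println("as expected:", err)
	}
}
```

The returned config is what you would hand to `http.Server{TLSConfig: cfg}` before calling `ListenAndServeTLS`. Two caveats apply: the `CipherSuites` field only governs TLS 1.2 and earlier (TLS 1.3 suites are fixed by the library), and Go's notion of "secure" is a floor, not a scanner policy, so a list should still be compared against the scanner's own findings after deployment.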