Add TLS Configuration Options

Question

Add TLS Configuration Options

Closed this issue 4 years ago · 4 comments

We recently discovered that our XCat 2.15 deployment using goconserver was susceptible to the SWEET32 attack due to hard coded TLS Cipher suites. While it doesn't look like confluent allows DES based ciphers, it made sense to me to request that confluent support configurable TLS options in order to quickly mitigate vulnerabilities discovered in the future.

Specifically, I think it will be prudent to allow runtime configuration of the allowed TLS versions and the allowed cipher suites.

More information on the mentioned patch can be found here and information on the vulnerabilities can be found at https://www.openssl.org/blog/blog/2016/08/24/sweet32/ and https://access.redhat.com/articles/2548661

Answer 1 · 2020-08-22T00:53:32.000Z

Next week I'll remove the pyhton 2.6 fallback in sockapi.py (_tlsstartup function). I can add conf file param for ciphers, though other context options I'll leave coded in since those aren't strings... I expect the current ciphers are respectable as a continued default. It was going to be tls 1.3 only, but some environments weren't quite ready to go that far. By default the network socket doesn't activate, only if explicitly requested or collective life does it activate. The other major network channel is https, but in such case tls is delegated to Apache or nginx. Incidentally confluent 3.0 will have is deployment and everything is more hardened if there is interest in discussing.

…

________________________________ From: Neale Petrillo <notifications@github.com> Sent: Friday, August 21, 2020 6:48 PM To: xcat2/confluent <confluent@noreply.github.com> Cc: Subscribed <subscribed@noreply.github.com> Subject: [External] [xcat2/confluent] Add TLS Configuration Options (#110) We recently discovered that our XCat 2.15 deployment using goconserver was susceptible to the SWEET32 attack due to hard coded TLS Cipher suites. While it doesn't look like confluent allows DES based ciphers, it made sense to me to request that confluent support configurable TLS options in order to quickly mitigate vulnerabilities discovered in the future. Specifically, I think it will be prudent to allow runtime configuration of the allowed TLS versions and the allowed cipher suites. More information on the mentioned patch can be found here<xcat2/goconserver#64> and information on the vulnerabilities can be found at https://www.openssl.org/blog/blog/2016/08/24/sweet32/ and https://access.redhat.com/articles/2548661 — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<#110>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACSQIGUCQNY6GDAA24BQQ2TSB32ULANCNFSM4QHXKNTA>.

Answer 2 · 2020-08-23T00:46:59.000Z

That sounds reasonable to me!

Answer 3 · 2020-08-26T14:48:51.000Z

4348d91

Has been added and will be possible to specify in 3.0.

Answer 4 · 2020-08-26T18:55:56.000Z

Closing as implemented, feel free to reopen or comment on further