
Disable 3DES_EDE_CBC_SHA cipher in etcd Kubernetes

While evaluating network security using nmap on a Kubernetes server, we noticed the warning below:

~]# nmap xxx.xx.xx.xx -p 6443 -sVC --script=ssl*

.
.
.
ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack

With a bit of research I got to know that the TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C cipher suite is to support 64-bit block SSL/TLS handshakes, and the suggested solution is to disable the cipher option in Kubernetes etcd. Please help me with how to do it.

Other views on this are much appreciated; please let me know what the better way to secure the environment is.

You can use the --cipher-suites CLI option to etcd. See https://etcd.io/docs/v3.4/op-guide/security/ for a summary of all their TLS config options. The default ciphers are based on the version of Go used to compile it.
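One caveat the thread does not spell out: the scan above was of port 6443, which is the default secure port of kube-apiserver, not of etcd (etcd's client port defaults to 2379). The cipher list nmap graded is therefore kube-apiserver's, and the flag that controls it is kube-apiserver's --tls-cipher-suites (with --tls-min-version alongside it); etcd's equivalent is the --cipher-suites flag the answer names. Both are Go programs and both take the same comma-separated list of Go crypto/tls suite names. The following Go program is an added example, not code from the original post, from etcd or from Kubernetes. It builds an ECDHE/AES-GCM allow-list, renders it in the form the flags expect, and then proves on a loopback listener what the change does: a server still offering TLS_RSA_WITH_3DES_EDE_CBC_SHA (the state nmap found) lets a 3DES-only client through, while a server restricted to the allow-list rejects it. The function names, the self-signed throwaway certificate and the InsecureSkipVerify client are assumptions of this harness only.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// hardenedSuites is the TLS 1.2 allow-list to pass to kube-apiserver
// --tls-cipher-suites or etcd --cipher-suites: ECDHE for forward secrecy and
// AES-GCM for the record layer, so no CBC and no 3DES. The names are Go
// crypto/tls constants, which is the spelling both flags expect.
var hardenedSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// threeDES is the suite nmap graded "C" (SWEET32), the one to remove.
var threeDES = []uint16{tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}

// FlagValue renders a suite list as the comma-separated value the flags take.
func FlagValue(suites []uint16) string {
	names := make([]string, 0, len(suites))
	for _, s := range suites {
		names = append(names, tls.CipherSuiteName(s))
	}
	return strings.Join(names, ",")
}

// selfSignedRSACert builds a throwaway cert for the loopback server (hypothetical
// helper). RSA is deliberate: TLS_RSA_* suites need an RSA key, so only an RSA
// cert lets the "weak" server really negotiate 3DES and reproduce the nmap finding.
func selfSignedRSACert() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one loopback handshake between a server limited to serverSuites
// and a client limited to clientSuites; it returns the negotiated suite name or
// the handshake error. Both ends are pinned to TLS 1.2 because Go's TLS 1.3
// suites are fixed and ignore Config.CipherSuites.
func Handshake(serverSuites, clientSuites []uint16) (string, error) {
	cert, err := selfSignedRSACert()
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, CipherSuites: serverSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() { // server side: accept one connection and drive its handshake
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		srvDone <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		CipherSuites: clientSuites, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		InsecureSkipVerify: true, // self-signed throwaway cert; harness only
	})
	<-srvDone // let the server side finish (or fail) before reporting
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

func main() {
	fmt.Println("--tls-cipher-suites=" + FlagValue(hardenedSuites))
	weak := append(append([]uint16{}, hardenedSuites...), threeDES...) // the pre-fix server
	name, err := Handshake(weak, threeDES)
	fmt.Println("weak server, 3DES-only client:    ", name, err)
	name, err = Handshake(hardenedSuites, threeDES)
	fmt.Println("hardened server, 3DES-only client:", name, err)
}
```

The printed flag value is what goes into the kube-apiserver command line (for a kubeadm cluster, the static pod manifest under /etc/kubernetes/manifests), and the same list works for etcd's --cipher-suites. Whichever cipher list you settle on, re-run the nmap ssl-enum-ciphers script against each port afterwards rather than trusting the config: the check is cheap and it also catches components you forgot (kubelet on 10250, for instance, has its own --tls-cipher-suites).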


© 2020-2024 STACKOOM.COM