Traefik suddenly offers SSLv3 #5335

Closed
SISheogorath opened this issue Sep 10, 2019 · 5 comments

Comments

@SISheogorath

commented Sep 10, 2019

Do you want to request a feature or report a bug?

Bug

Did you try using a 1.7.x configuration for the version 2.0?

  • Yes
  • No

What did you do?

I updated from 1.7.13 to version 1.7.14 of Traefik. Then I ran a TLS check (https://www.ssllabs.com/ssltest/) and suddenly got a rating downgrade from A+ to B.

What did you expect to see?

I expected my original A+ rating to stay A+ due to secure defaults.

What did you see instead?

The rating went down from A+ to B because Traefik suddenly started to support SSLv3.

Output of traefik version: (What version of Traefik are you using?)

$ docker run --rm traefik:v1.7.14 version
Version:      v1.7.14
Codename:     maroilles
Go version:   go1.12.8
Built:        2019-08-14_09:46:58AM
OS/Arch:      linux/amd64
$ docker run --rm traefik:v1.7.13 version
Version:      v1.7.13
Codename:     maroilles
Go version:   go1.11.12
Built:        2019-08-08_04:46:14PM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

version: '2'
services:
  proxy:
    image: traefik:v1.7.14
    cpu_shares: 3072
    mem_limit: 256mb
    memswap_limit: 512mb
    read_only: true
    depends_on:
      - dockersocket
    security_opt:
      - label=level:s0:c100

    ports:
    - "80:80"
    - "443:443"

    volumes:
    - "/var/srv/traefik/acme:/etc/traefik/acme"

    command: "-c /dev/null --docker --docker.endpoint=tcp://dockersocket:2375 --acme --acme.email=<redacted> --acme.storage=/etc/traefik/acme/acme.json --acme.entryPoint=https --acme.onhostrule --acme.dnsprovider=cloudflare --acme.dnschallenge --entryPoints='Name:http Address::80 Redirect.EntryPoint:https' --entryPoints='Name:https Address::443 Compress:true TLS' --defaultentrypoints=http,https --docker.exposedbydefault=false --insecureskipverify=true"

I don't use an additional toml file for configuration.

I have an idea where it might come from:
989a59c

At least this seems to be the latest change to the TLS code that might lead to auto-detected SSLv3 support? There is a cipher overlap between TLS 1.0 and SSLv3 around TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA.

Additional hint: I verified that just by changing the image version back to 1.7.13, the rating went back to A+ and SSLv3 was disabled.

@dtomcej

Member

commented Sep 10, 2019

Note that the constants in question are detailed in:

https://golang.org/pkg/crypto/tls/#pkg-constants

But more of note:

https://golang.org/doc/go1.13#crypto/tls

SSLv3 was always disabled by default, other than in Go 1.12,
when it was mistakenly enabled by default server-side.
It is now again disabled by default. (SSLv3 was never supported client-side.)

😢

and the fix:

golang/go#33837

@dtomcej

Member

commented Sep 10, 2019

Thanks @SISheogorath for this report, we will work on getting this resolved ASAP.

@SISheogorath

Author

commented Sep 10, 2019

Thanks! In the meantime I was able to help myself with this patch:

https://git.shivering-isles.com/shivering-isles/infrastructure/commit/624f7809af6e86152e82694811970e2e655fa5e1

(Adding TLS.minVersion:VersionTLS10)
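
An added example, not code from Traefik or from the reporter's patch, showing what pinning the server's minimum protocol version (the `TLS.minVersion` workaround above, which maps to Go's `tls.Config.MinVersion`) does in practice: an in-memory Go handshake in which a server pinned to TLS 1.2 accepts a TLS 1.2 client and refuses a client that offers only older versions. The names `Handshake`, `mustSelfSignedCert` and `serverCert` are chosen for this example; it pins TLS 1.2 rather than the TLS 1.0 used in the 2019 patch, and its client is capped at TLS 1.2 so the synchronous pipe suffices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// serverCert is a throwaway self-signed ECDSA certificate for the in-process server.
var serverCert = mustSelfSignedCert()

func mustSelfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Handshake runs one handshake over an in-memory pipe between a server pinned to
// serverMin and a client offering at most clientMax (TLS 1.2 or lower). It returns
// the negotiated version, or the error the server raised when refusing the client.
func Handshake(serverMin, clientMax uint16) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	done := make(chan error, 1)
	go func() {
		// Explicit MinVersion keeps TLS 1.0/1.1 offerable on Go releases that disable them by default.
		cli := tls.Client(cliConn, &tls.Config{InsecureSkipVerify: true,
			MinVersion: tls.VersionTLS10, MaxVersion: clientMax})
		done <- cli.Handshake()
	}()
	srv := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: serverMin})
	err := srv.Handshake()
	<-done
	if err != nil {
		return 0, err
	}
	return srv.ConnectionState().Version, nil
}
```

Calling `Handshake(tls.VersionTLS12, tls.VersionTLS12)` negotiates TLS 1.2, while `Handshake(tls.VersionTLS12, tls.VersionTLS11)` fails with a protocol-version error, which is the behaviour an explicit minimum version buys regardless of what the Go runtime enables by default.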

@dtomcej

Member

commented Sep 10, 2019

Cool. That was essentially what I was going to suggest you try, and was going to be my avenue for a patch.

Good to know that it will work.

@dtomcej dtomcej referenced this issue Sep 11, 2019

@traefiker traefiker added this to the 1.7 milestone Sep 12, 2019

@traefiker traefiker closed this Sep 12, 2019

@traefiker


commented Sep 12, 2019

Closed by #5356.
