Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

*: define strict TLS 1.2 cipher suite default #10304

Closed
hexfusion opened this issue Dec 5, 2018 · 4 comments
Closed

*: define strict TLS 1.2 cipher suite default #10304

hexfusion opened this issue Dec 5, 2018 · 4 comments
Assignees
@hexfusion
Labels
area/security area/tls stage/tracked

Comments

@hexfusion
Copy link
Contributor

etcd 3.4 should set a strict and secure default cipher list. Since the current etcd default list is what is defined by Go and the fact that etcd binaries can exist in the wild for a long time. To minimize future exposure to insecure ciphers we should set this default to a strict set based on the best knowledge we have at the time. As this list is subject to change we should review and update this list on a regular basis.

I think Mozilla modern is a good place to start and would enforce TLS 1.2 .

https://github.com/mozilla/server-side-tls/blob/5bfa79352c8e6e0324962be792d803ec666fa6fc/ssl-config-generator/index.html#L185

As of today this would include.

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256'

Looking for input on why we should not enforce TLS 1.2 by default for etcd 3.4.

ref: #8320
@hexfusion hexfusion added this to the etcd-v3.4 milestone Dec 5, 2018
@jingyih
Copy link
Contributor

jingyih commented Feb 25, 2019

/cc @wenjiaswe

@gyuho gyuho modified the milestones: etcd-v3.4, etcd-v3.5 Aug 5, 2019
@gyuho
Copy link
Contributor

gyuho commented Aug 5, 2019

@hexfusion Moving to 3.5

@hexfusion hexfusion self-assigned this Aug 5, 2019
@rifelpet rifelpet mentioned this issue Aug 2, 2020
Closed
@superseb superseb mentioned this issue Feb 4, 2021
Closed
@gyuho gyuho mentioned this issue Mar 20, 2021
Closed
@smira smira mentioned this issue Jun 18, 2021
Merged
7 tasks
@serathius serathius removed this from the etcd-v3.5 milestone Dec 15, 2021
@jmhbnz
Copy link
Member

jmhbnz commented Aug 25, 2023

Hey @serathius, @ahrtr - Now that we have #15156 merged and --tls-min-version 'TLS1.2' as default in v3.6 and backported to both v3.5 and v3.4 release branches can we close this issue or am I missing something that still needs to be done?

@jmhbnz
Copy link
Member

jmhbnz commented Aug 30, 2023

Closing as I believe we have this covered now. Happy to re-open if I am missing something.

@jmhbnz jmhbnz closed this as completed Aug 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hexfusion hexfusion

Labels
area/security area/tls stage/tracked
Milestone
No milestone
Development

No branches or pull requests
5 participants
@hexfusion @serathius @gyuho @jingyih @jmhbnz