Configurable control plane mTLS version and cipher settings #13138
Comments
Do we need this configurable? Can we simply disable all well known weak cipher / protocols?
@diemtvu We could change the sidecar to TLS 1.2 but that might break some legacy application (no sidecar) that only supports TLS 1.0 or 1.1. Also I think from the nmap output, none of the ciphers is weak in a well known way. The other option, instead of introducing the helm config, is to introduce a global security setting CRD, which could be used to specify the TLS version and cipher list for the sidecar in the mesh. (The same CRD also has some use cases for RBAC)
This, plus
As mentioned above, I don't believe any of the Envoy defaults are known to be weak. The requirement to configure this is mainly governance / regulatory related rather than technical. As an example, TLS 1.0 is deprecated by PCI DSS.
I've attempted this and it didn't seem to work. However, I may be doing something wrong. Does the version of Envoy Istio is built on even support setting the min TLS version?
Are there any estimates to make this feature implemented?
This issue has been automatically marked as stale because it has not had activity in the last 90 days. It will be closed in the next 30 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.
The suggestion from @rdkr to also include an option for configuring ciphers would be perfect. I'm currently seeing this flagged by our internal security scans.
This is supported on networking/v1alpha3/gateway.proto with three parameters per #8804. I would suggest the same three parameters for peer mTLS config as well. Min and max TLS version support would make sense for version change scenarios where sidecars may be heterogeneous during the upgrade window.
Noting that the policy bot has kicked in, FWIW, I would also be keen to see something happen in this area 👍
Is it possible to re-open this issue?
I think the possibility to disable weak ciphers / protocols is essential. Is it really hard to implement this feature?
It is desirable to control control-plane (envoy or otherwise) and mTLS. It also appears that the gateway configuration does not apply when PASSTHROUGH mode is used (which supports mTLS, so I guess that's the crux of the problem).
subscribe - our users also indicate the desire to configure TLS version from 1.2 to 1.3.
We now set default to
Where is this specified and/or what was the PR?
PR #27500
Ignore my above message - that is for workload mTLS while this is for control plane TLS.
FYI: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA WEAK. In fact I enumerated the endpoint myself and found two additional ciphers that cause the SWEET32 vulnerability:
Any update on how I can get rid of the weak ciphers?
I think this is actually supported, @hzxuzhonghu fixed it in #31705, though not intentionally for this.

```
# after setting flag with value "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA"
nmap --script ssl-enum-ciphers -p 15012 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-26 22:16 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).

PORT      STATE SERVICE
15012/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Forward Secrecy not supported by any cipher
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
```
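A compliance checker for ssl-enum-ciphers output like the scan above, added here as an example (it is not from the thread or from Istio). It assumes the nmap text is available as a string and uses a constructed sample that, beyond the TLSv1.2-only scan above, also contains a TLSv1.0 3DES suite so every finding type (protocol below 1.2, SWEET32, non-AEAD CBC, no forward secrecy) is exercised:

```python
"""Check nmap ssl-enum-ciphers output against a TLS compliance baseline."""
import re

# Constructed sample (not from the thread) in the layout nmap prints; it adds
# a TLSv1.0 3DES suite to the two RSA suites seen in the scan above.
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     warnings:
|       Forward Secrecy not supported by any cipher
|_  least strength: C
"""

MIN_VERSION = (1, 2)  # PCI DSS floor mentioned in the thread (assumed baseline)

def parse_scan(text):
    """Return {protocol: [cipher suite names]} from ssl-enum-ciphers output."""
    suites, proto = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").rstrip()          # drop nmap's "| " gutter
        m = re.match(r"(SSLv\d|TLSv1\.\d):$", body)
        if m:
            proto = m.group(1)
            suites[proto] = []
        elif proto and body.startswith("TLS_"):
            suites[proto].append(body.split()[0])  # name only, not "(rsa 2048) - A"
    return suites

def findings(suites):
    """List protocols and suites a min-TLS-1.2 / AEAD / forward-secrecy baseline rejects."""
    out = []
    for proto, ciphers in suites.items():
        ver = tuple(map(int, proto[4:].split("."))) if proto.startswith("TLSv") else (0, 0)
        if ver < MIN_VERSION:
            out.append(f"{proto}: protocol below TLS 1.2")
        for c in ciphers:
            if "3DES" in c:
                out.append(f"{c}: 64-bit block cipher (SWEET32)")
            elif "_CBC_" in c:
                out.append(f"{c}: CBC mode, not AEAD")
            # TLS 1.3 suites always use ephemeral key exchange; older ones need (EC)DHE
            if ver < (1, 3) and not ("ECDHE" in c or "_DHE_" in c):
                out.append(f"{c}: no forward secrecy (static RSA key exchange)")
    return out
```

Note that nmap grades the two TLS_RSA suites in the scan above "A" by its own strength scale; the forward-secrecy warning is the part this check turns into a finding.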
Maybe the action item is just to add some FAQ in the https://istio.io/latest/docs/ops/common-problems/security-issues/ section for discoverability.
Describe the feature request
Currently it looks like there are no settings applied or configurable for Envoy's TLS min version / max version / cipher suites for control plane mTLS. For example, Pilot discovery on port 15011 with mTLS enabled:
For security and compliance I would like to restrict what versions of TLS are used throughout Istio.
Describe alternatives you've considered
I believe overwriting the config files in my own image to include the TLS parameters, such as in https://github.com/istio/istio/blob/1.1.2/pilot/docker/envoy_pilot.yaml.tmpl#L204, would allow me to set these, however it would be preferable to set them through config.
Additional context
This is currently possible for some parts of Istio, such as gateway configuration. There are a few closed issues I have found which are relevant to these components, but none seem to directly address the control plane components: