How to disable use of TLS version 1.0 #488

Closed
aye-aye-aye opened this issue Jan 23, 2020 · 4 comments · Fixed by #498
Labels
enhancement New feature or request

Comments

@aye-aye-aye

Our tljh has been flagged for a few vulnerability issues in a recent Qualys scan. We'd like to disable use of TLS v1.0 and v1.1 and some legacy block ciphers.

From reading the docs, I think we have to adjust the settings in /opt/tljh/state/traefik.toml, but I can't get it to work when following the advice laid out here: https://docs.traefik.io/https/tls/#tls-options

We are using manual HTTPS with an existing self-signed key and cert as described here: http://tljh.jupyter.org/en/latest/howto/admin/https.html#manual-https-with-existing-key-and-certificate

Has anyone any advice on how to disable TLS v1.0 and v1.1, or set the minimum version to v1.2?

@GeorgianaElena
Member

Hey @aye-aye-aye! Thanks for reporting this issue.
At the moment, the TLS version is not configurable, but your use-case makes a lot of sense and I believe we should make it configurable.

Making the TLS version configurable will require us to:

  • add tls options to the default config here (maybe even make TLS v1.2 the default version)
  • read the tls options from the default config and add them to the traefik.toml template
  • add a test here
  • document how the TLS version can be changed using tljh-config set

Would be lovely if you could make a PR 💛 I'll be here to answer any questions.
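The steps above (a default TLS setting in the config, read at install time and rendered into the traefik.toml template) can be sketched as one small module. This is an added example, not tljh's own traefik.py or the code merged for this issue: the config keys `https.tls.min_version` and `https.tls.cipher_suites` are assumed names chosen for illustration, and the rendered fragment follows the `[tls.options.default]` layout of Traefik v2 dynamic configuration (the TLS options page linked in the issue), which is why the reply mentions that Traefik 2 is needed.

```python
"""Render the TLS options block of a Traefik v2 traefik.toml from a
tljh-style config dict, with TLS 1.2 as the default floor.

Added example, not tljh's own code. The keys https.tls.min_version and
https.tls.cipher_suites are invented for illustration.
"""
import re
from typing import Any, Dict, Mapping

# Version identifiers Traefik (Go crypto/tls) accepts for minVersion.
TLS_VERSIONS = ("VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13")

# Secure-by-default settings: TLS 1.2 floor, forward-secret AEAD suites only.
DEFAULT_TLS: Dict[str, Any] = {
    "min_version": "VersionTLS12",
    "cipher_suites": [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    ],
}

# Go cipher-suite constants are upper-case TLS_... identifiers.
_SUITE_NAME = re.compile(r"^TLS_[A-Z0-9_]+$")


def tls_settings(config: Mapping[str, Any]) -> Dict[str, Any]:
    """Merge overrides under config["https"]["tls"] (assumed keys) into the
    defaults and reject values Traefik would not accept."""
    user = config.get("https", {}).get("tls", {}) or {}
    min_version = user.get("min_version", DEFAULT_TLS["min_version"])
    suites = list(user.get("cipher_suites", DEFAULT_TLS["cipher_suites"]))
    if min_version not in TLS_VERSIONS:
        raise ValueError(f"unknown TLS version {min_version!r}; expected one of {TLS_VERSIONS}")
    if not suites:
        raise ValueError("cipher_suites must not be empty")
    for name in suites:
        if not isinstance(name, str) or not _SUITE_NAME.match(name):
            raise ValueError(f"not a Go crypto/tls cipher suite name: {name!r}")
    return {"min_version": min_version, "cipher_suites": suites}


def is_valid_tls_config(config: Mapping[str, Any]) -> bool:
    """True if tls_settings() accepts the config, False otherwise."""
    try:
        tls_settings(config)
        return True
    except ValueError:
        return False


def render_tls_toml(config: Mapping[str, Any]) -> str:
    """Return the [tls.options.default] fragment to append to traefik.toml."""
    settings = tls_settings(config)
    lines = [
        "[tls.options]",
        "  [tls.options.default]",
        f'    minVersion = "{settings["min_version"]}"',
        "    cipherSuites = [",
    ]
    lines += [f'      "{name}",' for name in settings["cipher_suites"]]
    lines += ["    ]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Empty config: defaults apply. Override example: raise the floor to TLS 1.3.
    print(render_tls_toml({}))
    print(render_tls_toml({"https": {"tls": {"min_version": "VersionTLS13"}}}))
```

Validating the suite names before rendering matters because Traefik rejects an unknown cipher-suite name at startup, which on a tljh box would mean the proxy stays down after `tljh-config reload`.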

@GeorgianaElena GeorgianaElena added the enhancement New feature or request label Jan 24, 2020
@betatim betatim changed the title Disable us of TLS version 1.0 How to disable use of TLS version 1.0 Jan 24, 2020
@yuvipanda
Collaborator

I spent some time getting the z2jh Traefik HTTPS setup to be as good as possible, balancing secure HTTPS vs support for older clients. We should be able to just steal that code - https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/master/jupyterhub/templates/proxy/autohttps/configmap.yaml#L65. This requires we use traefik 2.0 however...

@yuvipanda
Collaborator

I don't think we need to make TLS version configurable - we should just set up for what we count as good defaults, which in this case would use TLS 1.2 and disable some older versions...

@aye-aye-aye
Author

Just as an FYI for anyone that may come across a similar issue, our VM team flagged us on use of an insecure cipher suite related to CVE-2016-2183 even after setting the minimum TLS version to v1.2. In our case we specified several suites in the traefik.toml config as a fix, e.g.

```toml
# TLS 1.2 floor plus an explicit cipher-suite list (Go crypto/tls names)
minVersion = "VersionTLS12"
cipherSuites = [
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_RSA_WITH_AES_128_CBC_SHA",
  "TLS_RSA_WITH_AES_256_CBC_SHA"
]
```
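A minimum-version setting alone does not remove weak suites, as the comment above notes, so it is worth auditing the explicit list before deploying it. The following is an added example, not code from the issue or from tljh: it takes a Go/Traefik cipher-suite list and reports the properties scanners such as Qualys typically flag, namely 3DES (the SWEET32 class that CVE-2016-2183 covers), RC4, RSA key exchange without forward secrecy, and CBC (MAC-then-encrypt) suites. The list from the comment above is embedded as constructed sample input.

```python
"""Audit a Traefik/Go cipher-suite list for properties TLS scanners flag.

Added example, not from this issue or from tljh. Names without "_WITH_"
are TLS 1.3 suites (e.g. TLS_AES_128_GCM_SHA256), which are AEAD and
forward-secret by construction and therefore pass every check.
"""
from typing import Dict, List

# Constructed sample input: the suite list posted in the comment above.
POSTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# Key-exchange prefixes that provide forward secrecy (ephemeral DH/ECDH).
_PFS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")


def audit_cipher_suites(suites: List[str]) -> Dict[str, List[str]]:
    """Return, per finding class, the suites from `suites` that exhibit it."""
    findings: Dict[str, List[str]] = {
        "3des_sweet32": [],        # 64-bit block cipher, CVE-2016-2183
        "rc4": [],                 # broken stream cipher
        "no_forward_secrecy": [],  # static RSA key exchange
        "cbc": [],                 # MAC-then-encrypt, padding-oracle history
    }
    for suite in suites:
        if "_WITH_" not in suite:
            continue  # TLS 1.3 suite: nothing to flag
        key_exchange, _, cipher = suite.partition("_WITH_")
        if "3DES" in cipher:
            findings["3des_sweet32"].append(suite)
        if "RC4" in cipher:
            findings["rc4"].append(suite)
        if not key_exchange.startswith(_PFS_PREFIXES):
            findings["no_forward_secrecy"].append(suite)
        if "_CBC_" in cipher:
            findings["cbc"].append(suite)
    return findings


def hardened(suites: List[str]) -> List[str]:
    """Keep only forward-secret AEAD suites (ECDHE/DHE with GCM or ChaCha20)
    plus any TLS 1.3 suites, preserving the caller's order."""
    kept = []
    for suite in suites:
        if "_WITH_" not in suite:
            kept.append(suite)
            continue
        key_exchange, _, cipher = suite.partition("_WITH_")
        aead = "_GCM_" in cipher or "CHACHA20" in cipher
        if key_exchange.startswith(_PFS_PREFIXES) and aead:
            kept.append(suite)
    return kept


if __name__ == "__main__":
    for cls, hits in audit_cipher_suites(POSTED_SUITES).items():
        print(f"{cls}: {hits}")
    print("hardened:", hardened(POSTED_SUITES))
```

Run against the posted list, the 3DES check comes back empty (so the CVE-2016-2183 finding is indeed gone), while the four `TLS_RSA_*` entries are reported as lacking forward secrecy and the two `_CBC_` entries as CBC suites; whether those extra findings matter depends on which legacy clients the deployment has to keep serving.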

3 participants