SWEET32 mitigation: Disable Triple-DES

[tiran]

Triple-DES (3DES-CBC, DES-CBC3) should no longer be used. It's an old
and slow block cipher with an effective key size of 112 bits. Since 3DES is
build around DES, it has a block size of 64 bits. 64 bit block ciphers
are vulnerable to a birthday attack known as SWEET32.

Since Origin requires a minimum TLS version of 1.2, 3DES can be disabled
safely. All relevant TLS 1.2 clients support AES.

Signed-off-by: Christian Heimes cheimes@redhat.com

[enj]

@openshift/security

[enj]

LGTM but I will defer to @liggitt for final review

[liggitt]

I don't mind dropping these, but I'd like to leave commented out breadcrumbs explaining why we're not including things from the intermediate suite and why, e.g.

// tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, // forbidden by http/2, disabled to mitigate SWEET32 attack
// tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,       // forbidden by http/2, disabled to mitigate SWEET32 attack

[tiran]

That's a very good idea. I have updated my PR.

[liggitt]

/lgtm
/approve no-issue
/retest

[openshift-merge-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tiran

Associated issue requirement bypassed by: liggitt

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/cmd/OWNERS [liggitt]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[openshift-merge-robot]

Automatic merge from submit-queue (batch tested with PRs 15434, 15382, 15018, 15314, 15400)