Etcd Snaps

Unable to remove weak TLS ciphers

Bug #1970993 reported by Chris Johnston on 2022-04-29

260

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Etcd Charm	Fix Released	High	Chris Johnston	Etcd Charm 1.24+ck1
Etcd Snaps	Invalid	Undecided	Unassigned
Kubernetes Control Plane Charm	Fix Released	High	Nobuto Murata	Kubernetes Control Plane Charm 1.24+ck1

Bug Description

etcd as provided by the snap and charm utilized the default TLS ciphers as provided by Go. This currently allows for weak ciphers to still be used by default (TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA [1]). This was discussed in depth in an issue upstream [2], in which a change has been made to allow for passing `--cipher-suites` to override the defaults provided by Go.

With this, the snap and the charm should be updated to support a user defined cipher-suites config option which is then passed on to the snap.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
[2] https://github.com/etcd-io/etcd/issues/8320

See original description

Chris Johnston (cjohnston) on 2022-04-29

description:

updated

Chris Johnston (cjohnston) on 2022-05-05

information type:

Public → Public Security

Revision history for this message

Chris Johnston (cjohnston) wrote on 2022-05-19:

PR: https://github.com/charmed-kubernetes/layer-etcd/pull/197

Changed in etcd-snaps:
status:	New → Invalid
Changed in charm-etcd:
status:	New → In Progress
assignee:	nobody → Chris Johnston (cjohnston)

Revision history for this message

Nobuto Murata (nobuto) wrote on 2022-05-20:

Can the charm take "secure by default" approach? For example in OpenStack charms, Apache2's default is ignored, but the charms are following Mozilla's Intermediate level cipher list in:
https://ssl-config.mozilla.org/

Chris Johnston (cjohnston) on 2022-05-20

Changed in charm-etcd:
status:	In Progress → Fix Committed

George Kraft (cynerva) on 2022-05-23

Changed in charm-etcd:
milestone:	none → 1.24+ck1

Revision history for this message

Nobuto Murata (nobuto) wrote on 2022-05-25:

Follow-up PR to have a limited set of ciphers out of the box.
https://github.com/charmed-kubernetes/layer-etcd/pull/198 (merged)

Revision history for this message

Nobuto Murata (nobuto) wrote on 2022-05-25:

Can we do the same for the k8s-control-plane charm? The cipher list can be hardened technically using "api-extra-args", but would be nice it's hardened out of the box.

[default]

> Testing cipher categories
>
> NULL ciphers (no encryption) not offered (OK)
> Anonymous NULL Ciphers (no authentication) not offered (OK)
> Export ciphers (w/o ADH+NULL) not offered (OK)
> LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
> Triple DES Ciphers / IDEA offered
> Obsoleted CBC ciphers (AES, ARIA etc.) offered
> Strong encryption (AEAD ciphers) with no FS offered (OK)
> Forward Secrecy strong encryption (AEAD ciphers) offered (OK)

[with explicit list]

$ juju config -m k8s-on-openstack kubernetes-control-plane api-extra-args
tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

> Testing cipher categories
>
> NULL ciphers (no encryption) not offered (OK)
> Anonymous NULL Ciphers (no authentication) not offered (OK)
> Export ciphers (w/o ADH+NULL) not offered (OK)
> LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
> Triple DES Ciphers / IDEA not offered
> Obsoleted CBC ciphers (AES, ARIA etc.) not offered
> Strong encryption (AEAD ciphers) with no FS not offered
> Forward Secrecy strong encryption (AEAD ciphers) offered (OK)

Revision history for this message

Nobuto Murata (nobuto) wrote on 2022-05-25:

k8s-control-plane_default.html Edit (21.6 KiB, text/html)

Revision history for this message

Nobuto Murata (nobuto) wrote on 2022-05-25:

report_intermediate_ciphers.html Edit (19.0 KiB, text/html)

Revision history for this message

Nobuto Murata (nobuto) wrote on 2022-05-29:

https://github.com/charmed-kubernetes/charm-kubernetes-control-plane/pull/228

Revision history for this message

Nobuto Murata (nobuto) wrote on 2022-05-30:

Subscribing ~field-medium for a PR review:
https://github.com/charmed-kubernetes/charm-kubernetes-control-plane/pull/228

Nobuto Murata (nobuto) on 2022-05-31

Changed in charm-kubernetes-master:
status:	New → Fix Committed
assignee:	nobody → Nobuto Murata (nobuto)

George Kraft (cynerva) on 2022-05-31

Changed in charm-kubernetes-master:
milestone:	none → 1.24+ck1
tags:	added: backport-needed
Changed in charm-etcd:
importance:	Undecided → High
Changed in charm-kubernetes-master:
importance:	Undecided → High

Adam Dyess (addyess) on 2022-08-01

tags:

removed: backport-needed

Adam Dyess (addyess) on 2022-08-04

Changed in charm-etcd:
status:	Fix Committed → Fix Released

Adam Dyess (addyess) on 2022-08-04

Changed in charm-kubernetes-master:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.