Vulnerable ciphers are not disabled even after configuration changes

Solution Verified - Updated -

Issue

  • How to disable the use of DES-based cipher suites.
  • An internal vulnerability assessment discovered a potential problem with etcd ports 2379 and 2380 on the master node, because they accept connections using the cipher suites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA.
  • We are able to see that the vulnerable cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA is still active on port 2379 (etcd).
  • etcd, as installed in OpenShift, currently has no mechanism for disabling weaker TLS ciphers.
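The finding above was produced by handshaking against the etcd ports and seeing which cipher suites the server agrees to, and that is also the check to repeat after any configuration change. The following is an added example, not code from the article or from etcd: a small Go probe that offers a server only the two 3DES suites named above and reports whether the server negotiates one of them. Because etcd is written in Go, its TLS behaviour comes from the same crypto/tls package used here. The local listener, its self-signed RSA certificate and the address it prints are constructed for the demonstration and stand in for a real etcd endpoint such as `master:2379`; the probe skips certificate verification on purpose, since it is only asking which cipher suite the server will pick.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The two DES-based suites reported by the assessment.
var desSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
}

// ProbeCipherSuites performs a TLS 1.2 handshake to addr while offering only
// the given suites. It returns the suite the server selected, or an error when
// the server refuses every offered suite (handshake failure).
func ProbeCipherSuites(addr string, suites []uint16) (uint16, error) {
	cfg := &tls.Config{
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // the weak suites exist only in TLS 1.2 and below
		CipherSuites: suites,
		// The probe only checks cipher negotiation; certificate trust is not the
		// question being asked, so chain validation is skipped for this check.
		InsecureSkipVerify: true,
	}
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, cfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().CipherSuite, nil
}

// AcceptsDES reports whether the server at addr negotiates a DES-based suite,
// and which one, so the result can be logged alongside the port it came from.
func AcceptsDES(addr string) (bool, string) {
	id, err := ProbeCipherSuites(addr, desSuites)
	if err != nil {
		return false, "" // refused: the server does not offer 3DES
	}
	return true, tls.CipherSuiteName(id)
}

// selfSignedCert builds a throwaway RSA certificate for the demo listener
// (constructed for this example; not an etcd certificate).
func selfSignedCert() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "etcd-demo.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartServer runs a TLS 1.2 listener on 127.0.0.1 restricted to the given
// suite list, standing in for an etcd endpoint. It returns the address to probe
// and the listener so the caller can shut it down.
func StartServer(suites []uint16) (string, net.Listener, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: suites,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // complete (or refuse) the handshake, then drop
			}(c)
		}
	}()
	return ln.Addr().String(), ln, nil
}

func main() {
	// A server still offering 3DES next to a modern suite, as in the finding.
	weak := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}
	// The same server restricted to AES-GCM suites only.
	hardened := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}
	for label, suites := range map[string][]uint16{"weak": weak, "hardened": hardened} {
		addr, ln, err := StartServer(suites)
		if err != nil {
			panic(err)
		}
		ok, name := AcceptsDES(addr)
		fmt.Printf("%-8s %s accepts 3DES: %v %s\n", label, addr, ok, name)
		ln.Close()
	}
}
```

Running the probe against the real ports replaces the demo address with `host:2379` and `host:2380`; a server that has genuinely dropped the DES-based suites fails the handshake and `AcceptsDES` returns false, which is the evidence an assessment needs after a configuration change.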

Environment

  • OpenShift Container Platform 3.9
  • etcd
