Vulnerable ciphers are not disabled even after configuration changes
Issue
- How to disable the use of DES-based cipher suites.
- An internal vulnerability assessment discovered a potential problem with etcd ports 2379 and 2380 on the master node, because they accept connections using the ciphers TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA.
- We are able to see that the vulnerable cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA is still active on port 2379 (etcd).
- etcd, as installed in OpenShift, currently has no mechanism for disabling weaker TLS ciphers.
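A way to confirm the scanner's finding from a master node, as an added example that is not part of this article and not Red Hat's own tooling: it uses `openssl s_client` to offer etcd each flagged 3DES suite on its own and reads the negotiated cipher from the transcript. The host name, the ports 2379/2380 and the certificate paths under /etc/etcd are assumptions (all can be overridden through environment variables); the OpenSSL cipher names ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA are the equivalents of the two IANA suite names quoted above.

```shell
#!/usr/bin/env bash
# Added example, not from the Red Hat article: probe etcd for the two 3DES
# suites flagged by the scanner, one cipher per handshake, using openssl s_client.
# Assumptions: etcd listens on 2379 (clients) and 2380 (peers) on this master,
# and the peer certificate/key/CA live where the OpenShift 3.x installer puts
# them. Every one of these can be overridden through the environment.
set -u

ETCD_HOST="${ETCD_HOST:-$(hostname -f 2>/dev/null || echo localhost)}"
ETCD_PORTS="${ETCD_PORTS:-2379 2380}"
CLIENT_CERT="${CLIENT_CERT:-/etc/etcd/peer.crt}"
CLIENT_KEY="${CLIENT_KEY:-/etc/etcd/peer.key}"
CA_CERT="${CA_CERT:-/etc/etcd/ca.crt}"

# OpenSSL names of TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA.
WEAK_CIPHERS="ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA"

# Read an s_client transcript on stdin and print the negotiated cipher name.
# openssl prints "New, (NONE), Cipher is (NONE)" when the handshake fails, so
# nothing is printed in that case.
negotiated_cipher() {
  sed -n 's/^New, .*Cipher is \([^ ]*\).*$/\1/p' | grep -v '^(NONE)$' || true
}

# Does the local OpenSSL build know this cipher at all? A build or crypto policy
# that drops 3DES would otherwise make every probe look like a rejection.
cipher_available_locally() {
  openssl ciphers "$1" >/dev/null 2>&1
}

# probe_cipher HOST:PORT CIPHER -> prints "accepted <cipher>", "rejected" or "untestable ..."
probe_cipher() {
  local target="$1" cipher="$2" transcript name
  cipher_available_locally "$cipher" || { echo "untestable (cipher not in local openssl)"; return 0; }
  # etcd in OpenShift requires client certificates, so authenticate with the
  # node's own certs; the only variable left in the handshake is the cipher.
  transcript=$(openssl s_client -connect "$target" -cipher "$cipher" \
                 -cert "$CLIENT_CERT" -key "$CLIENT_KEY" -CAfile "$CA_CERT" \
                 </dev/null 2>&1 || true)
  name=$(printf '%s\n' "$transcript" | negotiated_cipher)
  if [ -n "$name" ]; then echo "accepted $name"; else echo "rejected"; fi
}

main() {
  local port cipher
  for port in $ETCD_PORTS; do
    for cipher in $WEAK_CIPHERS; do
      printf '%s:%s %-24s %s\n' "$ETCD_HOST" "$port" "$cipher" \
        "$(probe_cipher "$ETCD_HOST:$port" "$cipher")"
    done
  done
}

# Run only when invoked as "bash probe-etcd-3des.sh probe"; otherwise the
# functions can be sourced and reused.
if [ "${1:-}" = "probe" ]; then main; fi
```

A line reading `accepted DES-CBC3-SHA` reproduces the scanner's result for that port; `rejected` means the server refused the handshake when that suite was the only one offered. Treat `untestable` as "unknown", not as "fixed": it only says the probing host cannot speak 3DES itself, which is common on systems whose crypto policy already drops it.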
Environment
- OpenShift Container Platform 3.9
- etcd
Subscriber exclusive content