Vulnerable ciphers are not disabled even after configuration changes

Solution Verified

Issue

  • How to disable the use of DES/3DES-based cipher suites.
  • An internal vulnerability assessment discovered a potential problem with etcd ports 2379 and 2380 on the master node: both accept connections using the cipher suites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA.
  • We are able to see that the vulnerable cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA is still active on port 2379 (ETCD).
  • etcd, as installed in OpenShift, currently has no mechanism for disabling weaker TLS ciphers.
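The finding above is a scanner report of offered cipher suites; before and after any configuration change, the first practical step is to triage which of the reported suites are actually weak and then re-check each one by hand against the etcd ports. The following is an added example, not code from this article, from etcd or from OpenShift. It parses IANA cipher-suite names of the form TLS_<kx>_WITH_<cipher>_<mac>, flags the properties a reviewer cares about (3DES, RC4, NULL, export-grade, MD5 MAC, missing forward secrecy), and builds the `openssl s_client` command that re-checks a single suite. The scanner output is constructed sample data, the host name `master.example` is a placeholder, and the IANA-to-OpenSSL name table covers only the suites mentioned on this page.

```python
"""Triage TLS cipher suites reported against an etcd endpoint (added example)."""
import re

# IANA name -> OpenSSL cipher name, needed for `openssl s_client -cipher`.
# Only the suites discussed on the page are mapped; extend from `openssl ciphers -V`.
IANA_TO_OPENSSL = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}

_NAME = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<body>.+)$")


def parse_suite(name):
    """Split an IANA (TLS 1.2 and earlier) suite name into kx, cipher and mac."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"not a TLS_<kx>_WITH_<cipher>_<mac> name: {name}")
    body = m.group("body").split("_")
    return {"kx": m.group("kx"), "cipher": "_".join(body[:-1]), "mac": body[-1]}


def classify(name):
    """Return the weaknesses found in one suite; an empty list means none by these rules."""
    parts = parse_suite(name)
    kx, cipher, mac = parts["kx"], parts["cipher"], parts["mac"]
    findings = []
    if "3DES" in cipher:
        findings.append("3DES: 64-bit block cipher (Sweet32, CVE-2016-2183)")
    elif cipher.startswith("DES"):
        findings.append("single DES: 56-bit key")
    if "RC4" in cipher:
        findings.append("RC4: broken stream cipher")
    if cipher.startswith("NULL"):
        findings.append("NULL: no encryption")
    if "EXPORT" in kx or "EXPORT" in cipher:
        findings.append("export-grade key length")
    if mac == "MD5":
        findings.append("MD5 MAC")
    if "DHE" not in kx:  # matches DHE and ECDHE; anything else is a static key exchange
        findings.append("no forward secrecy (static key exchange)")
    return findings


def triage(scan_lines):
    """Group scanner lines of the form '<port>/tcp <suite>' by port, keeping weak suites only."""
    weak = {}
    for line in scan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        port, suite = line.split()
        findings = classify(suite)
        if findings:
            weak.setdefault(port, {})[suite] = findings
    return weak


def probe_command(suite, host, port, cert=None, key=None, cacert=None):
    """Build the argv that re-checks one suite with openssl s_client.

    TLS 1.2 is pinned because `-cipher` does not govern TLS 1.3 suites
    (those use `-ciphersuites`).  If the server does not offer the suite the
    handshake fails in reply to ClientHello with a handshake_failure alert;
    etcd normally also requires a client certificate, so pass cert/key to tell
    that outcome apart from a later client-certificate rejection.
    """
    if suite not in IANA_TO_OPENSSL:
        raise KeyError(f"no OpenSSL name known for {suite}; check `openssl ciphers -V`")
    argv = ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-tls1_2", "-cipher", IANA_TO_OPENSSL[suite]]
    if cacert:
        argv += ["-CAfile", cacert]
    if cert and key:
        argv += ["-cert", cert, "-key", key]
    return argv


# Constructed scanner output (not real assessment output) for the two etcd ports.
SAMPLE_SCAN = """
# port/proto  cipher suite offered
2379/tcp TLS_RSA_WITH_3DES_EDE_CBC_SHA
2379/tcp TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
2379/tcp TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2380/tcp TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
2380/tcp TLS_RSA_WITH_AES_128_GCM_SHA256
""".splitlines()


if __name__ == "__main__":
    for port, suites in triage(SAMPLE_SCAN).items():
        for suite, findings in suites.items():
            print(port, suite, "; ".join(findings))
            # master.example is a placeholder for the master node's address
            print("   ", " ".join(probe_command(suite, "master.example", port.split("/")[0])))
```

Run against the sample, the script flags both 3DES suites on 2379 and 2380 and separately notes that TLS_RSA_WITH_AES_128_GCM_SHA256 lacks forward secrecy even though its cipher is fine; the second finding is worth recording even if the assessment only asked about 3DES, because a fix that removes 3DES and leaves static-RSA key exchange in place will come back on the next scan.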

Environment

  • OpenShift Container Platform 3.9
  • etcd
