Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

health endpoint ciphers could do with tightening up #400

Open
thelangley opened this issue Apr 3, 2024 · 1 comment
Open

health endpoint ciphers could do with tightening up #400

thelangley opened this issue Apr 3, 2024 · 1 comment

Comments

@thelangley
Copy link

Is this a security vulnerability?

Kinda. SHA1 shouldn't be used really

Issue

Relatively recently health endpoint has been secured so it's accessible over 443. Think a one liner bit of config / configurable could be created which could tighten security and make it pass a security scan.

Affected Versions

Any versions that have the healthz endpoint served over 443. We use v0.293.0

Context

Internal security have scanned and said that the data is being served over vulnerable ciphers

Traffic Diagram

Not applicable

Steps to Reproduce

nmap -sV --script ssl-enum-ciphers -p 443 tcp-router-address

Expected result

| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A

Current result

| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

Possible Fix

We could add a line to haproxy.conf.erb#L7C49-L8C1

ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM

Additional Context

Could even make it configurable so that particular companies can harden according to their own best practices.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Application Runtime Platform Working Group
Status: Inbox
Milestone
No milestone
Development

No branches or pull requests
1 participant
@thelangley