
SSL weak ciphers

Open ghost opened this issue 5 years ago • 3 comments

I've tested the Traefik ciphers: weak ciphers are allowed. I would strongly recommend changing the default settings to disallow weak ciphers...

https://docs.traefik.io/https/tls/

ghost, Apr 15 '20 08:04

Will be fixed next week. Is on my agenda as well.

jamct, Apr 15 '20 08:04

I just added a new branch to test the new feature:

  • there is a collection of default ciphers (A rating at https://www.ssllabs.com/ssltest/ )
  • you can define your own set of ciphers by adding a list to ciphers: in values.yaml.

You can see the code at 05-global-ingress.yaml

After some testing (please give some feedback) I will add it to the master branch.

jamct, Apr 22 '20 15:04

I'm testing your feature-ssl branch. I would suggest adding more settings:

minVersion: VersionTLS12
maxVersion: VersionTLS13
# optional - very strict SNI
#sniStrict: true
curvePreferences:
- CurveP521
- CurveP384
- CurveP256

Please remove "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", which is considered to be weak.

Trying to apply your original template fails here:

❯ kubectl apply -f templates/ingress/05-global-ingress.yml
middleware.traefik.containo.us/global-redirect-http unchanged
ingressroute.traefik.containo.us/ingressroute-allredirect unchanged
error: error parsing templates/ingress/05-global-ingress.yml: error converting YAML to JSON: yaml: line 9: could not find expected ':'

This works fine:

❯ cat << EOF  | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default
spec:
  cipherSuites:
    # a collection of secure cipher suites (tested with ssllabs.com)
    - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
    - "TLS_AES_128_GCM_SHA256"
    - "TLS_AES_256_GCM_SHA384"
    - "TLS_CHACHA20_POLY1305_SHA256"
    - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    - "TLS_FALLBACK_SCSV"
  minVersion: VersionTLS12
  maxVersion: VersionTLS13
  curvePreferences:
    - CurveP521
    - CurveP384
    - CurveP256
EOF

ghost, Apr 24 '20 20:04