
Removed CBC ciphers to address CVE-2013-0169 (LUCKY13)

Open andy-maier opened this issue 1 year ago • 2 comments

Details:

This change removes the following CBC ciphers from the default set of ciphers in order to address CVE-2013-0169 (LUCKY13):

  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256

This is done by listing them in the code, i.e. without any way for the user to configure it.

The LUCKY13 vulnerability was discovered using the testssl.sh tool. See also https://github.com/drwetter/testssl.sh/issues/2537

andy-maier avatar Jul 29 '24 14:07 andy-maier
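The cipher removal described above, as an added example that is not code from the PR or from client_python: it takes a server-side `ssl.SSLContext` (the kind an exporter's HTTP server would use), drops the four CBC suites named in the PR from the enabled TLS 1.2 cipher list, and also shows a stricter variant that drops every non-AEAD suite, since Lucky13 is a property of the CBC+HMAC construction rather than of those four names alone. All function names are assumptions made for this example.

```python
import ssl

# The four CBC suites the PR drops from the default cipher set (CVE-2013-0169).
LUCKY13_CBC_CIPHERS = (
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
)


def enabled_cipher_names(ctx):
    """Names of all suites the context currently offers (TLS 1.2 and 1.3)."""
    return [c["name"] for c in ctx.get_ciphers()]


def non_aead_cipher_names(ctx):
    """Suites that pair a CBC cipher with an HMAC, i.e. the Lucky13-affected class."""
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


def remove_ciphers(ctx, names):
    """Re-apply ctx's TLS 1.2 cipher list without the named suites.

    TLS 1.3 suites are left out of the cipher string (set_ciphers() does not
    take them, and they are all AEAD). Raises ssl.SSLError if nothing remains.
    """
    drop = set(names)
    keep = [
        c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3" and c["name"] not in drop
    ]
    ctx.set_ciphers(":".join(keep))
    return ctx


def remove_non_aead_ciphers(ctx):
    """Stricter variant: drop every non-AEAD (CBC+HMAC) suite, not only the four above."""
    return remove_ciphers(ctx, non_aead_cipher_names(ctx))


def hardened_server_context(strict=False):
    """Server-side context minus the CBC suites; strict=True removes all non-AEAD suites."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    return remove_non_aead_ciphers(ctx) if strict else remove_ciphers(ctx, LUCKY13_CBC_CIPHERS)
```

Checking `ctx.get_ciphers()` after the call is the same verification testssl.sh performs from the outside, done in-process before the server is started.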

If there is anything I can do in the PR for the failing CircleCI tests test-3.8 and test-3.9, let me know.

Update: Force-pushing the PR helped.

andy-maier avatar Jul 29 '24 14:07 andy-maier

@csmarchbanks I know. I don't like it either, but the big advantage of the provided HTTP server is that it is built-in, simple to use, and it works great, even for our exporters that can have large amounts of metrics.

And I think you don't need to worry about checking for such things yourself, as users will bring it up, and may even fix it, like in this PR.

andy-maier avatar Sep 28 '24 05:09 andy-maier