Disable 3DES_EDE_CBC_SHA cipher in etcd Kubernetes

6/1/2021

While evaluating the network security of a Kubernetes server using nmap, we noticed a warning as below:

~]# nmap xxx.xx.xx.xx -p 6443 -sVC --script=ssl*

.
.
.
ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack

With a bit of research I got to know that the TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C cipher suite is there to support 64-bit block SSL/TLS handshakes, and the suggested solution is to disable the cipher option in Kubernetes etcd. Please help me with how to do it.

Other views on this are much appreciated; please let me know what the better way to secure the environment is.

-- Thribhuvan HRz
etcd
kubernetes
security
ssl
tls1.2

1 Answer

6/1/2021

You can use the --cipher-suites CLI option to etcd. See https://etcd.io/docs/v3.4/op-guide/security/ for a summary of all their TLS config options. The default ciphers are based on the version of Go used to compile it.

-- coderanger
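An added example, not part of the question or the answer above. Two things worth pinning down before changing anything: port 6443 in the scan is the kube-apiserver's default secure port, not etcd's (etcd serves clients on 2379 and peers on 2380 by default), and each component has its own flag for this. kube-apiserver takes --tls-cipher-suites (and --tls-min-version), etcd takes --cipher-suites as the answer says, and both expect the Go crypto/tls suite names, comma-separated. The script below parses a constructed copy of the nmap output from the question to list the suites nmap graded below A or that use 3DES, filters a candidate suite list down to ECDHE + AEAD only, and prints the flags to add. The candidate list and the kubeadm manifest path /etc/kubernetes/manifests/kube-apiserver.yaml are assumptions about this cluster; the policy of dropping all CBC and all non-ECDHE suites is stricter than what nmap grades as a problem and is a choice made here, not something the page prescribes.

```shell
#!/bin/sh
# Added example: triage nmap ssl-enum-ciphers output and build a hardened
# cipher list for kube-apiserver (--tls-cipher-suites) and etcd (--cipher-suites).
# Both flags take Go crypto/tls cipher-suite names, comma-separated.

# Constructed sample, modelled on the scan output in the question.
NMAP_SAMPLE='|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack'

# Candidate suites to filter: the ones the scan found plus two ECDHE suites.
# This list is constructed for the example; the real default set depends on
# the Go version the binary was built with.
CANDIDATES='TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

# Print one suite name per line for every cipher nmap graded below A, or that
# uses 3DES/RC4/NULL/EXPORT regardless of grade. Cipher lines look like
#   |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
# so $2 is the suite name and the last field is nmap's letter grade.
weak_suites() {
  printf '%s\n' "$1" \
    | awk '$2 ~ /^TLS_/ && ($NF != "A" || $2 ~ /3DES|RC4|NULL|EXPORT/) { print $2 }'
}

# Filter a comma-separated suite list down to the policy used here: drop
# 3DES/RC4/NULL/EXPORT and every CBC-mode suite, and keep only ECDHE key
# exchange so each connection gets forward secrecy (stricter than nmap's grading).
hardened_list() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | grep -v -E '3DES|RC4|NULL|EXPORT|_CBC_' \
    | grep -E '^TLS_ECDHE_' \
    | paste -sd ',' -
}

# Flag for the kube-apiserver, which is what listens on 6443.
apiserver_flag() { printf -- '--tls-cipher-suites=%s\n' "$(hardened_list "$1")"; }

# Flag for etcd (client port 2379 by default), per the etcd security guide.
etcd_flag() { printf -- '--cipher-suites=%s\n' "$(hardened_list "$1")"; }

# Stand-alone run: show what the scan flagged and the flags to apply.
echo "Weak suites in scan:"
weak_suites "$NMAP_SAMPLE"
echo
echo "Add to the kube-apiserver command (kubeadm layout assumed: /etc/kubernetes/manifests/kube-apiserver.yaml):"
echo "  - $(apiserver_flag "$CANDIDATES")"
echo "  - --tls-min-version=VersionTLS12"
echo "Add to the etcd command:"
echo "  - $(etcd_flag "$CANDIDATES")"
```

On a kubeadm cluster the kube-apiserver is a static pod, so editing the manifest restarts it with the new flags; etcd (also a static pod on kubeadm, or a systemd unit elsewhere) needs the same treatment on its own command line, and the kubelet on 10250 has its own --tls-cipher-suites. Re-run the nmap script from the question afterwards, or try `openssl s_client -connect <host>:6443 -cipher DES-CBC3-SHA </dev/null` (DES-CBC3-SHA is OpenSSL's name for TLS_RSA_WITH_3DES_EDE_CBC_SHA): with the suite removed the handshake must fail, assuming your OpenSSL build still offers 3DES at all. Note that the AES CBC suites nmap grades A above still use RSA key exchange with no forward secrecy, which is why the filter here drops them too.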
Source: StackOverflow