support TLS cipher suite whitelist or disable DES cipher suites #3826

Open
9547 opened this issue Jun 30, 2021 · 0 comments
Labels
type/enhancement The issue or PR belongs to an enhancement.

Comments

Contributor

9547 commented Jun 30, 2021

Feature Request

Describe your feature request related problem

I've deployed my TiDB cluster (with enable_tls: true) with TiUP; it seems the TLS server has issues with The SWEET32 Issue, CVE-2016-2183 - OpenSSL Blog. Can we repair this CVE just to be on the safe side?

root@n3:/home/tidb/deploy# nmap -sV --script ssl-enum-ciphers -p 10080 n1
Starting Nmap 7.70 ( https://nmap.org ) at 2021-06-30 03:16 UTC
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for n1 (172.19.0.101)
Host is up (0.00011s latency).
rDNS record for 172.19.0.101: tiup-cluster-n1.tiops

PORT      STATE SERVICE  VERSION
10080/tcp open  ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
MAC Address: 02:42:AC:13:00:65 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.73 seconds

Describe the feature you'd like

Describe alternatives you've considered

Teachability, Documentation, Adoption, Migration Strategy

@9547 9547 added the type/enhancement The issue or PR belongs to an enhancement. label Jun 30, 2021
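The scan above shows a Go net/http server still offering TLS_RSA_WITH_3DES_EDE_CBC_SHA, which is what nmap flags as SWEET32. The remedy the issue asks for is a cipher suite allow-list. The following is an added example written for this page, not code from TiUP or TiDB: it builds a server tls.Config with MinVersion set to TLS 1.2 and an explicit CipherSuites allow-list of forward-secret AEAD suites (the particular list is this example's choice), then runs two in-memory TLS 1.2 handshakes over net.Pipe with a throwaway self-signed ECDSA certificate to show that a client offering only the 3DES suite is refused while a client offering AES-GCM negotiates normally. Everything in it (the certificate, the function names, the suite list) is constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// hardenedTLSConfig limits a server to TLS 1.2+ and an explicit allow-list
// of forward-secret AEAD suites (no 3DES, no CBC). The list is this
// example's choice, not a TiUP or TiDB setting; Go's TLS 1.3 suites are
// fixed and AEAD-only, so CipherSuites only governs TLS 1.2.
func hardenedTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

// selfSignedCert builds a throwaway ECDSA P-256 certificate for the demo.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// negotiate runs an in-memory TLS 1.2 handshake between a server using srv
// and a client offering only clientSuites; it returns the negotiated suite
// name or the handshake error.
func negotiate(srv *tls.Config, clientSuites []uint16) (string, error) {
	cp, sp := net.Pipe()
	defer cp.Close()
	defer sp.Close()
	server := tls.Server(sp, srv)
	client := tls.Client(cp, &tls.Config{
		InsecureSkipVerify: true, // self-signed demo cert only
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12, // pin 1.2 so the allow-list is exercised
		CipherSuites:       clientSuites,
	})
	errc := make(chan error, 1)
	go func() { errc <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		cp.Close() // unblock the server side if it is still reading
		<-errc
		return "", err
	}
	if err := <-errc; err != nil {
		return "", err
	}
	return tls.CipherSuiteName(client.ConnectionState().CipherSuite), nil
}

// demo reports whether a 3DES-only client is rejected by the hardened
// config and which suite a modern client negotiates against it.
func demo() (rejected bool, negotiated string, err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return false, "", err
	}
	cfg := hardenedTLSConfig(cert)
	_, err3des := negotiate(cfg, []uint16{tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA})
	negotiated, err = negotiate(cfg, []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256})
	return err3des != nil, negotiated, err
}

func main() {
	rejected, suite, err := demo()
	fmt.Println("3DES-only client rejected:", rejected, "negotiated:", suite, "err:", err)
}
```

Running it prints that the 3DES-only client is rejected and that the other client lands on TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. Two points worth noting for anyone applying this to a real deployment: every suite in the nmap listing above uses static RSA key exchange, so an allow-list like this one removes both the SWEET32-affected 3DES suite and the non-forward-secret suites in one step, and the listed TLS 1.3 suites in Go cannot be changed through CipherSuites at all, so the allow-list only matters for TLS 1.2 clients. Newer Go releases have since dropped 3DES from the default suite list, but an explicit allow-list keeps the result independent of the Go version the binary was built with.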