
support TLS cipher suite whitelist or disable DES cipher suites #3826

Open
9547 opened this issue Jun 30, 2021 · 0 comments
Labels
type/enhancement The issue or PR belongs to an enhancement.

Comments

@9547
Contributor

9547 commented Jun 30, 2021

Feature Request

Describe your feature request related problem

I've deployed my TiDB cluster (with enable_tls: true) with TiUP, and it seems the TLS server is affected by SWEET32 (The SWEET32 Issue, CVE-2016-2183 - OpenSSL Blog). Can we fix this CVE just to be on the safe side?

root@n3:/home/tidb/deploy# nmap -sV --script ssl-enum-ciphers -p 10080 n1
Starting Nmap 7.70 ( https://nmap.org ) at 2021-06-30 03:16 UTC
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for n1 (172.19.0.101)
Host is up (0.00011s latency).
rDNS record for 172.19.0.101: tiup-cluster-n1.tiops

PORT      STATE SERVICE  VERSION
10080/tcp open  ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
MAC Address: 02:42:AC:13:00:65 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.73 seconds

Describe the feature you'd like

Describe alternatives you've considered

Teachability, Documentation, Adoption, Migration Strategy

@9547 9547 added the type/enhancement The issue or PR belongs to an enhancement. label Jun 30, 2021