Prevent TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)

Our recent VA report shows that there are TLS/SSL Birthday attacks on 64-bit block ciphers possible on Kubernetes etcd ports.

The suggested solution is: configure the server to disable support for the 3DES suite.

Our problems are:

  • How to disable support for the 3DES suite?
  • How will this configuration affect our running Kubernetes services?
  • How to configure the server to disable support for static key cipher suites?

Here suggests a way to allow only the API server to access it, but I don't understand how to apply it to a running Kubernetes instance.

Any help or suggestions will be greatly appreciated. Also note, I am not an expert net admin.

Vice Professor Asked on October 26, 2020 in centos.
1 Answer(s)

The cipher suites can be set via cipher-suites parameter:

$ etcd \
    --cipher-suites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

According to here, those cipher suites should be secure.

Vice Professor Answered on October 26, 2020.
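
One way to check a cipher-suites value before applying it, as an added example that is not part of the original question or answer and is not etcd's own code: it flags 3DES suites (the SWEET32 finding) and suites with static RSA key exchange, which is how the "static key cipher suites" item is interpreted here. The function name auditSuites and the sample list are assumptions made for this illustration; suite names are matched against those in Go's crypto/tls.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// auditSuites (hypothetical helper) classifies each name in a comma-separated
// cipher-suites value. Result maps suite name -> finding ("ok" if not flagged).
func auditSuites(flagValue string) map[string]string {
	// Every suite name Go's crypto/tls knows, secure or not, so that a typo
	// in the list is reported instead of silently passing the audit.
	known := map[string]bool{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		known[cs.Name] = true
	}
	findings := map[string]string{}
	for _, name := range strings.Split(flagValue, ",") {
		name = strings.TrimSpace(name)
		if name == "" {
			continue
		}
		switch {
		case !known[name]:
			findings[name] = "unknown suite name"
		case strings.Contains(name, "3DES"):
			// 3DES has a 64-bit block, the precondition for SWEET32.
			findings[name] = "64-bit block cipher (SWEET32)"
		case strings.HasPrefix(name, "TLS_RSA_WITH_"):
			// No ephemeral key exchange, so no forward secrecy.
			findings[name] = "static RSA key exchange"
		default:
			findings[name] = "ok"
		}
	}
	return findings
}

func main() {
	// Constructed sample: the answer's two suites plus two weak ones.
	sample := "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
		"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256"
	for name, finding := range auditSuites(sample) {
		fmt.Printf("%-45s %s\n", name, finding)
	}
}
```

A list that reports only "ok" contains neither of the two suite classes named in the question.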