Prevent TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)
Our recent VA report shows that TLS/SSL Birthday attacks on 64-bit block ciphers are possible on Kubernetes etcd ports.
The suggested solution is: configure the server to disable support for the 3DES suite.
Our problems are:
- How to disable support for 3DES suite?
- How will this configuration affect our running Kubernetes services?
- How to configure the server to disable support for static key cipher suites?
Here suggests a way to allow access only from the API server, but I don't understand how to apply it to a running Kubernetes instance.
Any help or suggestions will be greatly appreciated. Also note, I am not an expert net admin.
The cipher suites can be set via cipher-suites parameter:
$ etcd \
    --cipher-suites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
According to here those cipher suites should be secure.
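An added example (not part of the original answer, and not etcd project code): a small Python audit of an etcd command line that flags any suite in --cipher-suites using a 64-bit block cipher (the SWEET32 class) or a static, non-ephemeral key exchange, the two things the question asks about. The function names and the weak sample command line are constructed for illustration, and classification is by IANA suite name only.

```python
import shlex

# Substrings that mark a 64-bit block cipher (the SWEET32 class) in IANA suite names.
SWEET32_MARKERS = ("_3DES_", "_DES_", "_DES40_", "_IDEA_", "_RC2_")
# Key exchanges that use ephemeral keys; anything else in a TLS <= 1.2 suite is static.
EPHEMERAL_KX = ("TLS_ECDHE_", "TLS_DHE_")

def classify_suite(name):
    """Return the findings for one IANA cipher suite name (empty list = none)."""
    findings = []
    if any(marker in name for marker in SWEET32_MARKERS):
        findings.append("64-bit-block")
    # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) have no _WITH_ and no static mode.
    if "_WITH_" in name and not name.startswith(EPHEMERAL_KX):
        findings.append("static-key")
    return findings

def cipher_suites_from_cmdline(cmdline):
    """Extract the --cipher-suites list, or None if the flag is absent."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg.startswith("--cipher-suites="):
            value = arg.split("=", 1)[1]
        elif arg == "--cipher-suites" and i + 1 < len(args):
            value = args[i + 1]
        else:
            continue
        return [s.strip() for s in value.split(",") if s.strip()]
    return None

def audit(cmdline):
    """Audit one etcd command line; 'pinned' is False when no list is set."""
    suites = cipher_suites_from_cmdline(cmdline)
    if suites is None:
        return {"pinned": False, "findings": {}}
    findings = {}
    for suite in suites:
        result = classify_suite(suite)
        if result:
            findings[suite] = result
    return {"pinned": True, "findings": findings}

# Constructed sample: a weak list of the kind a scanner would flag.
WEAK_CMD = ("etcd --cipher-suites=TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
            "TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
# The list given in the answer above.
ANSWER_CMD = ("etcd --cipher-suites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
              "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")

if __name__ == "__main__":
    for cmd in (WEAK_CMD, ANSWER_CMD):
        print(audit(cmd))
```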