Kubernetes Nginx Ingress Controller weak ciphers

Question

Using the default cipher values in Kubernetes Nginx ingress controller shows that 2 ciphers are weak:

What are the values I need to set in order to replace the weak ciphers?

Answer 1

Score: 1

Let's look at this from a bigger picture.

All TLS_RSA ciphersuites have been marked as WEAK because they don't provide forward secrecy: if the private key gets compromised in the future, all recorded traffic can be decrypted using it.

The only major browser that ever implemented those two ciphersuites you listed is Safari, and Safari has supported GCM cipher suites since 2015.
In general, any cipher suite that doesn't say CHACHA20, GCM, or CCM is now marked as either weak or insecure.

You could replace them like below:

  • ECDHE-RSA-AES256-SHA384 to TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ECDHE-RSA-AES128-SHA256 to TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

but according to this source:

> SSL Labs identifies cipher suites using CBC with orange color and with
> text WEAK. This change won’t have any effect on the grades, as it only
> means that SSL Labs discourages the use of CBC-based cipher suites
> further.

All ciphersuites utilizing Cipher Block Chaining (CBC) aren't automatically WEAK, but there have been so many implementations vulnerable to padding oracle attacks that they have decided to mark them all as WEAK.

Another option would be to completely remove those two values and use DHE ciphersuites as long as they have a key length of at least 2048 bits and use GCM mode: DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256.

You can also consider removing them completely, but you actually don't have to because your implementation was not marked as vulnerable. Only implementations that are vulnerable to the new Zombie Poodle and Goldendoodle vulnerabilities will be graded F.

I hope it helps.
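As an added example (not part of the original answer), the naming rules described above can be applied mechanically to a cipher list before it goes into the ingress-nginx ConfigMap key `ssl-ciphers`. The sample list and the helper names `classify` and `harden` are constructed for illustration.

```python
# Added example: flag cipher suites by name, following the rules in the answer.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_")

# Constructed sample list (OpenSSL names); not read from a real controller.
SAMPLE_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
)

NOT_AEAD = "no GCM/CHACHA20/CCM (CBC or older mode)"
NOT_FS = "no ECDHE/DHE key exchange (no forward secrecy)"


def has_forward_secrecy(upper):
    """True for ECDHE/DHE suites (OpenSSL or IANA names) and TLS 1.3 suites."""
    if upper.startswith(FS_PREFIXES):
        return True
    # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry no "_WITH_" part.
    return upper.startswith("TLS_") and "_WITH_" not in upper


def classify(name):
    """Return the reasons a suite would be flagged; an empty list means keep."""
    upper = name.upper()
    reasons = []
    if not any(marker in upper for marker in AEAD_MARKERS):
        reasons.append(NOT_AEAD)
    if not has_forward_secrecy(upper):
        reasons.append(NOT_FS)
    return reasons


def harden(cipher_string):
    """Split a colon-separated list into (kept_string, {flagged: reasons})."""
    kept, flagged = [], {}
    for name in filter(None, (c.strip() for c in cipher_string.split(":"))):
        reasons = classify(name)
        if reasons:
            flagged[name] = reasons
        elif name not in kept:
            kept.append(name)
    return ":".join(kept), flagged


if __name__ == "__main__":
    kept, flagged = harden(SAMPLE_CIPHERS)
    for name, reasons in flagged.items():
        print(f"drop {name}: {'; '.join(reasons)}")
    # DHE strength depends on the DH parameter size, which the name does not show.
    print(f'ssl-ciphers: "{kept}"')
```

The check works on suite names only, so the result should still be confirmed with a scan of the running ingress.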

huangapple
  • Posted on January 7, 2020, 00:43:19
  • When reposting, be sure to keep the link to this article: https://go.coder-hub.com/59615871.html