cmd/skipper: allow exclusion of insecure cipher suites #3123
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3f15358 to
006701f
Compare
| @@ -219,6 +219,9 @@ type Config struct { | |||
| // TLS version | |||
| TLSMinVersion string `yaml:"tls-min-version"` | |||
|
|
|||
| // Exclude insecure cipher suites | |||
| ExcludeInsecureCipherSuites bool `yaml:"exclude-insecure-cipher-suites"` | |||
There was a problem hiding this comment.
Do we want to exclude from a default set or rather enumerate allowed?
There was a problem hiding this comment.
It might be worthy of a discussion. I've updated the description with the options considered to allow for secure cipher suites.
I don't have a strong preference and went with the one requiring less maintenance.
There was a problem hiding this comment.
So if Go stdlib adds more "secure" ciphers than nobody needs to do anything and it will deployed automatically as a side effect.
This is good because likely Go stdlib will include only more secure cipher suites and not less secure ones.
The bad thing is for people that have regulations like FIPS, which may or may not be up to date with secure cipher suite definitions.
Right now I have no opinion on which one is better, but maybe rather to say we should have also an allow list or an exclude list for giving the user a choice based on their needs.
There was a problem hiding this comment.
I'd favor having an optional allow list for that case, since it's likely one would want to be specific about what's allowed.
There was a problem hiding this comment.
I think we should start with a single boolean flag to disable insecure suites and then add a list flag if we even find a need for it.
435cece to
8bc94a6
Compare
f00d3c1 to
a6576ac
Compare
szuecs
reviewed
Jun 24, 2024
a6576ac to
5fae448
Compare
91c6432 to
0364193
Compare
0364193 to
57863a2
Compare
|
👍 |
Golang maintains a list of cipher suites considered insecure, which are still allowed if requested. This flag will allow those cipher suites to be completely excluded. Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
57863a2 to
fcad0f0
Compare
|
👍 |
|
@szuecs @AlexanderYastrebov any chance we can get this merged? We're looking to solve some security issues by deploying this change. |
|
👍 |
|
Thanks for your contribution! |
MustafaSaber
added a commit
to zalando-incubator/kubernetes-on-aws
that referenced
this pull request
Jun 27, 2024
* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122 * build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124 * build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125 * Facilitate OPA decision correlation with business flows: zalando/skipper#3041 * config: fix defaultFiltersFlags.String: zalando/skipper#3127 * config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128 * filters/auth: add token validator filter: zalando/skipper#3126 * metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129 * cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123 diff zalando/skipper@v0.21.124...v0.21.133
MustafaSaber
added a commit
to zalando-incubator/kubernetes-on-aws
that referenced
this pull request
Jun 27, 2024
…-version skipper: update canary version to v0.21.133 * build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122 * build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124 * build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125 * Facilitate OPA decision correlation with business flows: zalando/skipper#3041 * config: fix defaultFiltersFlags.String: zalando/skipper#3127 * config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128 * filters/auth: add token validator filter: zalando/skipper#3126 * metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129 * cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123 diff zalando/skipper@v0.21.124...v0.21.133
MustafaSaber
added a commit
to zalando-incubator/kubernetes-on-aws
that referenced
this pull request
Jun 27, 2024
* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122 * build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124 * build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125 * Facilitate OPA decision correlation with business flows: zalando/skipper#3041 * config: fix defaultFiltersFlags.String: zalando/skipper#3127 * config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128 * filters/auth: add token validator filter: zalando/skipper#3126 * metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129 * cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123 diff zalando/skipper@v0.21.124...v0.21.133 depends on #7757
MustafaSaber
added a commit
to zalando-incubator/kubernetes-on-aws
that referenced
this pull request
Jun 27, 2024
* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122 * build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124 * build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125 * Facilitate OPA decision correlation with business flows: zalando/skipper#3041 * config: fix defaultFiltersFlags.String: zalando/skipper#3127 * config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128 * filters/auth: add token validator filter: zalando/skipper#3126 * metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129 * cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123 diff zalando/skipper@v0.21.124...v0.21.133 depends on #7757
MustafaSaber
added a commit
to zalando-incubator/kubernetes-on-aws
that referenced
this pull request
Jul 2, 2024
* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122 * build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124 * build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125 * Facilitate OPA decision correlation with business flows: zalando/skipper#3041 * config: fix defaultFiltersFlags.String: zalando/skipper#3127 * config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128 * filters/auth: add token validator filter: zalando/skipper#3126 * metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129 * cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123 * Revert "Facilitate OPA decision correlation with business flows (#3041)": zalando/skipper#3138 * build(deps): bump docker/build-push-action from 6.1.0 to 6.2.0: zalando/skipper#3134 * dependabot: group GoLang dependencies update: zalando/skipper#3136 * build(deps): bump github.com/open-policy-agent/opa from 0.65.0 to 0.66.0: zalando/skipper#3135 * build(deps): bump amazonlinux from `b0016cb` to `5bf7910` in /fuzz: zalando/skipper#3133 * metrics: refactor prometheus metric registration: zalando/skipper#3132 diff zalando/skipper@v0.21.124...v0.21.139 depends on #7786
MustafaSaber
added a commit
to zalando-incubator/kubernetes-on-aws
that referenced
this pull request
Jul 2, 2024
* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122 * build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124 * build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125 * Facilitate OPA decision correlation with business flows: zalando/skipper#3041 * config: fix defaultFiltersFlags.String: zalando/skipper#3127 * config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128 * filters/auth: add token validator filter: zalando/skipper#3126 * metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129 * cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123 * Revert "Facilitate OPA decision correlation with business flows (#3041)": zalando/skipper#3138 * build(deps): bump docker/build-push-action from 6.1.0 to 6.2.0: zalando/skipper#3134 * dependabot: group GoLang dependencies update: zalando/skipper#3136 * build(deps): bump github.com/open-policy-agent/opa from 0.65.0 to 0.66.0: zalando/skipper#3135 * build(deps): bump amazonlinux from `b0016cb` to `5bf7910` in /fuzz: zalando/skipper#3133 * metrics: refactor prometheus metric registration: zalando/skipper#3132 diff zalando/skipper@v0.21.124...v0.21.139 depends on #7786
MustafaSaber
added a commit
to zalando-incubator/kubernetes-on-aws
that referenced
this pull request
Jul 2, 2024
* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122 * build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124 * build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125 * Facilitate OPA decision correlation with business flows: zalando/skipper#3041 * config: fix defaultFiltersFlags.String: zalando/skipper#3127 * config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128 * filters/auth: add token validator filter: zalando/skipper#3126 * metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129 * cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123 * Revert "Facilitate OPA decision correlation with business flows (#3041)": zalando/skipper#3138 * build(deps): bump docker/build-push-action from 6.1.0 to 6.2.0: zalando/skipper#3134 * dependabot: group GoLang dependencies update: zalando/skipper#3136 * build(deps): bump github.com/open-policy-agent/opa from 0.65.0 to 0.66.0: zalando/skipper#3135 * build(deps): bump amazonlinux from `b0016cb` to `5bf7910` in /fuzz: zalando/skipper#3133 * metrics: refactor prometheus metric registration: zalando/skipper#3132 diff zalando/skipper@v0.21.124...v0.21.139 depends on #7786
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Golang maintains a list of cipher suites considered insecure, which are still allowed if requested. This flag will allow those cipher suites to be completely excluded.
Options considered:
Use a list of allowed cipher suites
This may need some maintenance over time as cipher suites are updated, introduced or deprecated.
Exclude used cipher suites based on name
Less maintenance overhead than maintaining desired list of cipher suites, excluding the ones not desired would also require some maintenance overtime as cipher suites are considered insecure.
Exclude known insecure cipher suites
Using golang's list of InsecureCipherSuites reducing maintenance overhead by allowing list to be maintained by golang.
Fixes #3121