Skip to content

health endpoint ciphers could do with tightening up #400

New issue
New issue
Open
Open
health endpoint ciphers could do with tightening up#400
@thelangley

Description

@thelangley
thelangley
opened on Apr 3, 2024

Is this a security vulnerability?

Kinda. SHA1 shouldn't be used really

Issue

Relatively recently health endpoint has been secured so it's accessible over 443. Think a one liner bit of config / configurable could be created which could tighten security and make it pass a security scan.

Affected Versions

Any versions that have the healthz endpoint served over 443. We use v0.293.0

Context

Internal security have scanned and said that the data is being served over vulnerable ciphers

Traffic Diagram

Not applicable

Steps to Reproduce

nmap -sV --script ssl-enum-ciphers -p 443 tcp-router-address

Expected result

| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A

Current result

| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

Possible Fix

We could add a line to haproxy.conf.erb#L7C49-L8C1

ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM

Additional Context

Could even make it configurable so that particular companies can harden according to their own best practices.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    Application Runtime Platform Working Group

    Status

    Inbox

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions