Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitaf00177

Browse files
authored
fix!: removeTLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipher by default (#13837)
This cipher is included by default in Go as a fallback, but is marked asan insecure cipher. This removes the 3des cipher by default.Before:```$ nmap --script ssl-enum-ciphers -p 443 xxxxxxxStarting Nmap 7.94 (https://nmap.org ) at 2024-07-08 14:16 CDTNmap scan report for xxxxx (xxx.xxx.xxx.xxx)Host is up (0.038s latency).rDNS record for xxx.xxx.xxx.xxx: xxx.xxx.xxx.xxx.bc.googleusercontent.comPORT STATE SERVICE443/tcp open https| ssl-enum-ciphers:| TLSv1.2:| ciphers:| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C| compressors:| NULL| cipher preference: server| warnings:| 64-bit block cipher 3DES vulnerable to SWEET32 attack| TLSv1.3:| ciphers:| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A| cipher preference: server|_ least strength: C```After:```$ nmap --script ssl-enum-ciphers -p 443 xxxxxxxStarting Nmap 7.94 (https://nmap.org ) at 2024-07-08 15:04 CDTNmap scan report for xxxxx (xxx.xxx.xxx.xxx)Host is up (0.039s latency).rDNS record for xxx.xxx.xxx.xxx: xxx.xxx.xxx.xxx.bc.googleusercontent.comPORT STATE SERVICE443/tcp open https| ssl-enum-ciphers:| TLSv1.2:| ciphers:| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A| compressors:| NULL| cipher preference: client| TLSv1.3:| ciphers:| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A| cipher preference: server|_ least strength: A```* fixup! fix!(cli): remove `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA` cipher by default* fixup! fix!(cli): remove `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA` cipher by default
1 parent879c61c commitaf00177

File tree

3 files changed

+43
-2
lines changed

3 files changed

+43
-2
lines changed

‎.github/workflows/typos.toml

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,8 +14,12 @@ darcula = "darcula"
1414
Hashi ="Hashi"
1515
trialer ="trialer"
1616
encrypter ="encrypter"
17-
hel ="hel"# as in helsinki
18-
pn ="pn"# this is used as proto node
17+
# as in helsinki
18+
hel ="hel"
19+
# this is used as proto node
20+
pn ="pn"
21+
# typos doesn't like the EDE in TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
22+
EDE ="EDE"
1923

2024
[files]
2125
extend-exclude = [

‎cli/server.go

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1569,6 +1569,19 @@ func generateSelfSignedCertificate() (*tls.Certificate, error) {
15691569
return&cert,nil
15701570
}
15711571

1572+
// defaultCipherSuites is a list of safe cipher suites that we default to. This
1573+
// is different from Golang's list of defaults, which unfortunately includes
1574+
// `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`.
1575+
vardefaultCipherSuites=func() []uint16 {
1576+
ret:= []uint16{}
1577+
1578+
for_,suite:=rangetls.CipherSuites() {
1579+
ret=append(ret,suite.ID)
1580+
}
1581+
1582+
returnret
1583+
}()
1584+
15721585
// configureServerTLS returns the TLS config used for the Coderd server
15731586
// connections to clients. A logger is passed in to allow printing warning
15741587
// messages that do not block startup.
@@ -1599,6 +1612,8 @@ func configureServerTLS(ctx context.Context, logger slog.Logger, tlsMinVersion,
15991612
returnnil,err
16001613
}
16011614
tlsConfig.CipherSuites=cipherIDs
1615+
}else {
1616+
tlsConfig.CipherSuites=defaultCipherSuites
16021617
}
16031618

16041619
switchtlsClientAuth {

‎cli/server_internal_test.go

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,28 @@ import (
2020
"github.com/coder/serpent"
2121
)
2222

23+
funcTest_configureServerTLS(t*testing.T) {
24+
t.Parallel()
25+
t.Run("DefaultNoInsecureCiphers",func(t*testing.T) {
26+
t.Parallel()
27+
logger:=slogtest.Make(t,nil)
28+
cfg,err:=configureServerTLS(context.Background(),logger,"tls12","none",nil,nil,"",nil,false)
29+
require.NoError(t,err)
30+
31+
require.NotEmpty(t,cfg)
32+
33+
insecureCiphers:=tls.InsecureCipherSuites()
34+
for_,cipher:=rangecfg.CipherSuites {
35+
for_,insecure:=rangeinsecureCiphers {
36+
ifcipher==insecure.ID {
37+
t.Logf("Insecure cipher found by default: %s",insecure.Name)
38+
t.Fail()
39+
}
40+
}
41+
}
42+
})
43+
}
44+
2345
funcTest_configureCipherSuites(t*testing.T) {
2446
t.Parallel()
2547

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp