feat: Secure ciphers, min TLS v1.2, and disable auto TLS for etcd#808
Merged by jimmidyson: 2 commits into main.
Force-pushed 31f229b to b85d1ff.
Does this affect FIPS compliance in any way?
That is a good call out! And yes, it does 😞 While Go did upgrade to a BoringCrypto that supports TLS 1.3 in Go 1.21.6, this was then reverted in subsequent versions, including >go1.21.6 and go1.22, until the new version of BoringCrypto is approved by NIST.

The motivation for this change was to mitigate against Sweet32 due to vulnerable 3DES ciphers. In go1.23, 3DES ciphers are disabled by default, so this change will be unnecessary when etcd is built with go1.23. In the meantime, I will adopt the recommended ciphers in #806 by @tuxtof instead. I have checked they are all FIPS-compliant, so this should work for both FIPS and non-FIPS deployments until TLS 1.3 is supported in Go FIPS.
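The two controls discussed in this thread, a TLS 1.2 floor and a cipher list without 3DES, can be expressed and checked with Go's standard `crypto/tls` package, which is what etcd builds on. The example below is added here and is not code from this pull request or from etcd; the AEAD-only suite list in `HardenedConfig` is an illustrative choice, not the list from #806 (which is not shown on this page), and `LegacyConfig` is a constructed "before" configuration. `WeakSuites` checks for 3DES by name as well as by the toolchain's `Insecure` marker, because Go toolchains before 1.23 still list the 3DES suites under `tls.CipherSuites()` without flagging them.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// HardenedConfig pins the minimum protocol version to TLS 1.2 and restricts
// TLS 1.2 cipher suites to a forward-secret, AEAD-only set. Illustrative list
// for this example; not the list adopted in the pull request.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

// LegacyConfig is a constructed "before" configuration: TLS 1.0 still allowed
// and a 3DES suite still enabled, which is the shape of setup Sweet32 targets.
func LegacyConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// MinVersionOK reports whether the configuration refuses anything below
// TLS 1.2. A zero MinVersion means "toolchain default", which this check
// deliberately does not trust: the floor must be set explicitly.
func MinVersionOK(cfg *tls.Config) bool {
	return cfg.MinVersion >= tls.VersionTLS12
}

// WeakSuites returns the names of configured suites that are 3DES-based or
// that the running Go toolchain marks insecure. Suites the toolchain does not
// know at all are reported too, since nothing can vouch for them.
func WeakSuites(cfg *tls.Config) []string {
	known := map[uint16]*tls.CipherSuite{}
	for _, s := range tls.CipherSuites() {
		known[s.ID] = s
	}
	for _, s := range tls.InsecureCipherSuites() {
		known[s.ID] = s
	}
	var weak []string
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		s, ok := known[id]
		switch {
		case !ok:
			weak = append(weak, name)
		case s.Insecure, strings.Contains(name, "3DES"):
			weak = append(weak, name)
		}
	}
	return weak
}

// CipherSuiteFlag renders the configured suites as the comma-separated value
// that etcd's --cipher-suites flag accepts, so the same list can be pushed
// into etcd configuration and audited from one place.
func CipherSuiteFlag(cfg *tls.Config) string {
	names := make([]string, 0, len(cfg.CipherSuites))
	for _, id := range cfg.CipherSuites {
		names = append(names, tls.CipherSuiteName(id))
	}
	return strings.Join(names, ",")
}

func main() {
	for _, c := range []struct {
		label string
		cfg   *tls.Config
	}{{"legacy", LegacyConfig()}, {"hardened", HardenedConfig()}} {
		fmt.Printf("%s: minVersionOK=%v weak=%v\n", c.label, MinVersionOK(c.cfg), WeakSuites(c.cfg))
	}
	fmt.Println("--cipher-suites=" + CipherSuiteFlag(HardenedConfig()))
}
```

Note that `CipherSuites` only governs TLS 1.2 and below: Go does not let callers restrict TLS 1.3 suites, which is why the FIPS question in this thread hinges on whether the BoringCrypto build negotiates TLS 1.3 at all, not on the list above.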
Force-pushed b85d1ff to e94ca0b.
This increases ootb security and provides STIG compliance for this area at least.
Force-pushed e94ca0b to 450e82c.
🤖 I have created a release *beep* *boop*

---

## 0.13.0 (2024-07-18)

<!-- Release notes generated using configuration in .github/release.yaml at main -->

## What's Changed

### Exciting New Features 🎉

* feat: Secure ciphers, min TLS v1.2, and disable auto TLS for etcd by @jimmidyson in #808
* feat: Bump default k8s version for tests to v1.29.6 by @jimmidyson in #784

### Fixes 🔧

* fix: add omitempty to addon strategy by @dkoshkin in #795
* fix: update CCM to 0.3.4 to fix sweet32 issue by @tuxtof in #805
* fix: Clean up MetalLB pod security standards labels by @jimmidyson in #807
* fix: Fix ownership of ClusterAutoscaler resources by @jimmidyson in #810

### Other Changes

* ci: Run e2e jobs only if unit-test, lint-*, and pre-commit jobs pass by @dlipovetsky in #796
* ci: Enable verbose output for e2e tests by @dlipovetsky in #797
* test: Verify ServiceLoadBalancer in e2e Docker and Nutanix tests by @dlipovetsky in #788
* refactor: Use CAPI conditions check where possible by @dlipovetsky in #789
* test(e2e): Use parallel tests for providers other than Docker by @jimmidyson in #787

## New Contributors

* @tuxtof made their first contribution in #805

**Full Changelog**: v0.12.1...v0.13.0

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Fixes #806.