Hello Team, During the scanning I found 'weak SSL ciphers', in k3s server, I'm using K3S version 'v1.21.1+k3s1'. I found an official WEB-URL to fix the issue and seems it is for 'Rancher-manager', but do we have any fix for K3S. For Rancher-Manager. https://www.suse.com/c/resolve-cipher-and-ssl-threats-security-scans/ Thanks & Regards.

what do you mean you found them “in k3s”. What and where exactly are you looking at?

During the scanning it reported 'SSL Medium Strength Cipher Suites Supported (SWEET32)' https://www.tenable.com/plugins/nessus/42873

Detected it on what? You can see the cipher list right there. There are no 3DES ciphers in the list, or ones with 64-112 bit key lengths.

I agree that it doesn't include 3DES in that list, however when I run the 'nmap' command from our client against the K3S server (10.234.83.225), and in the output it says about ' cipher preference: client warnings 64-bit block cipher 3DES vulnerable to SWEET32 attack' 10.234.83.225 is our K3S server. C:\Program Files (x86)\Nmap>nmap -sV --script ssl-enum-ciphers -p 443 10.234.83.225 Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-12 15:12 India Standard Time NSOCK ERROR [0.0510s] ssl_init_helper(): OpenSSL legacy provider failed to load. Nmap scan report for 10.234.83.225 Host is up (0.34s latency). PORT STATE SERVICE VERSION 443/tcp open ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API) | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | TLSv1.1: | ciphers: | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | cipher preference: client |_ least strength: C Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 39.18 seconds Is there a way that I can disabled the 'TLS 1.0 and 1.1' Thanks & Regards

K3s does not use port 443. K3s is on 6443. Are you perhaps scanning your Traefik ingress?

Yes, I'm using default Traefik ingress.

Yeah, so you’d want to look at the config for that