#k3s

average-arm-20932

10/11/2022, 6:36 PM
Hello Team, during scanning I found 'weak SSL ciphers' on the k3s server. I'm using K3S version 'v1.21.1+k3s1'. I found an official web URL to fix the issue, but it seems to be for 'Rancher-manager'. Do we have any fix for K3S? For Rancher-Manager: https://www.suse.com/c/resolve-cipher-and-ssl-threats-security-scans/ Thanks & Regards.

creamy-pencil-82913

10/11/2022, 7:04 PM
What do you mean you found them “in k3s”? What and where exactly are you looking at?

average-arm-20932

10/11/2022, 7:16 PM
During the scanning it reported 'SSL Medium Strength Cipher Suites Supported (SWEET32)': https://www.tenable.com/plugins/nessus/42873

creamy-pencil-82913

10/11/2022, 7:56 PM
Detected it on what? You can see the cipher list right there. There are no 3DES ciphers in the list, or ones with 64-112 bit key lengths.

average-arm-20932

10/12/2022, 4:01 PM
I agree that it doesn't include 3DES in that list. However, when I run the 'nmap' command from our client against the K3S server (10.234.83.225), the output says 'cipher preference: client warnings 64-bit block cipher 3DES vulnerable to SWEET32 attack'. 10.234.83.225 is our K3S server.

C:\Program Files (x86)\Nmap>nmap -sV --script ssl-enum-ciphers -p 443 10.234.83.225
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-12 15:12 India Standard Time
NSOCK ERROR [0.0510s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for 10.234.83.225
Host is up (0.34s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: C

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.18 seconds

Is there a way that I can disable 'TLS 1.0 and 1.1'? Thanks & Regards

creamy-pencil-82913

10/12/2022, 4:11 PM
K3s does not use port 443. K3s is on 6443. Are you perhaps scanning your Traefik ingress?
If so you’d want to look at your Traefik configuration.

average-arm-20932

10/12/2022, 4:13 PM
Yes, I'm using default Traefik ingress.

creamy-pencil-82913

10/12/2022, 5:56 PM
Yeah, so you'd want to look at the config for that.