rich-zoo-49735

06/15/2022, 5:19 PM
Has anyone had any luck configuring specific cipher suites for traefik v1 in K3s? The default list of ciphers includes TLS_RSA_WITH_3DES_EDE_CBC_SHA, which comes with this security warning: "64-bit block cipher 3DES vulnerable to SWEET32 attack". By setting the list of ciphers in HelmChartConfig, checking my ciphers with nmap comes back with nothing, instead of an expected list of ciphers. No errors in traefik logs. This is my HelmChartConfig:
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ssl:
      enabled: true
      tlsMinVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
k3s version v1.20.13+k3s1 (b8a1f455)
creamy-pencil-82913

06/15/2022, 6:17 PM
that should work as far as I can tell, but both Traefik v1 and Kubernetes 1.20 are end of support so there probably aren’t too many folks poking at that any more.
The last version of the v1 chart we shipped was v1.81, so the values might be different than what you’re using? https://github.com/helm/charts/blob/eb09d8d77b15dc214781c7a1cb1e1d343812bd9a/stable/traefik/values.yaml
hmm no, looks like it’s still ssl.cipherSuites
rich-zoo-49735

06/15/2022, 6:39 PM
Thanks for the 👀 Brad. We’re working on the move to k8s 1.21 and traefik v2 soon, so hopefully setting a custom set of ciphers goes more smoothly with that version.
creamy-pencil-82913

06/15/2022, 6:40 PM
in the meantime I would probably just go look at what the chart is doing - see what the resulting config looks like in the cluster
rich-zoo-49735

06/15/2022, 6:41 PM
The resulting config looks good as far as I can tell:
kubectl -n kube-system get cm traefik -o yaml
apiVersion: v1
data:
  traefik.toml: |
    # traefik.toml
    logLevel = "info"
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
      [entryPoints.https]
      address = ":443"
      compress = true
        [entryPoints.https.tls]
          minVersion = "VersionTLS12"
          cipherSuites = [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
          ]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
          ...
creamy-pencil-82913

06/15/2022, 6:43 PM
can you hit the pod directly and get a TLS response?
rich-zoo-49735

06/15/2022, 7:05 PM
Looks like yes:
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
creamy-pencil-82913

06/15/2022, 7:07 PM
might be something with the service then? Is it passing health checks? Do you see the pod IP in the endpoints list for the service?
rich-zoo-49735

06/15/2022, 7:10 PM
Checks passing, traefik pod IP is present in the traefik load balancer service endpoints list 👍
creamy-pencil-82913

06/15/2022, 7:33 PM
hmm. You just can’t hit it on the node port?