rich-zoo-49735
06/15/2022, 5:19 PM
TLS_RSA_WITH_3DES_EDE_CBC_SHA
which comes with this security warning: 64-bit block cipher 3DES vulnerable to SWEET32 attack.
After setting the list of ciphers in HelmChartConfig, checking my ciphers with nmap
comes back with nothing instead of the expected list of ciphers. No errors in the traefik logs.
This is my HelmChartConfig:
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ssl:
      enabled: true
      tlsMinVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
k3s version v1.20.13+k3s1 (b8a1f455)
creamy-pencil-82913
06/15/2022, 6:17 PM
rich-zoo-49735
06/15/2022, 6:39 PM
creamy-pencil-82913
06/15/2022, 6:40 PM
rich-zoo-49735
06/15/2022, 6:41 PM
kubectl -n kube-system get cm traefik -o yaml
apiVersion: v1
data:
  traefik.toml: |
    # traefik.toml
    logLevel = "info"
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
      [entryPoints.https]
      address = ":443"
      compress = true
        [entryPoints.https.tls]
        minVersion = "VersionTLS12"
        cipherSuites = [
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
        ]
        [[entryPoints.https.tls.certificates]]
        CertFile = "/ssl/tls.crt"
        KeyFile = "/ssl/tls.key"
...
creamy-pencil-82913
06/15/2022, 6:43 PM
rich-zoo-49735
06/15/2022, 7:05 PM
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
creamy-pencil-82913
06/15/2022, 7:07 PM
rich-zoo-49735
06/15/2022, 7:10 PM
creamy-pencil-82913
06/15/2022, 7:33 PM