I attempted to add the Cipher Suites using your guidelines. But still, the traefik is using default Cipher Suites. In my domains, this might lead to a security problem.
64-bit block cipher 3DES vulnerable to SWEET32 attack
Forward Secrecy not supported by any cipher
Hello,
I think you are the authors of the issues:
I will answer based on the content of these issues.
2022/09/06 07:43:53 command traefik error: field not found, node: cipherSuites 2022/09/06 07:44:14 command traefik error: field not found, node: minVersion
The tls section has been placed inside the static configuration file but this section must be a part of the dynamic configuration
Also, the syntax is incomplete.
The right syntax:
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
]
Doc about cipher-suites
Hello, I added the same thing you described, however the warning is still appearing.
TLSv1.0:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Forward Secrecy not supported by any cipher
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Forward Secrecy not supported by any cipher
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Forward Secrecy not supported by any cipher
|_ least strength: C
Could you please help me to resolve the same?
traefik.toml
[global]
sendAnonymousUsage = false
[serversTransport]
insecureSkipVerify = true
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.http.redirections.entryPoint]
to = "https"
scheme = "https"
[entryPoints.http.forwardedHeaders]
insecure = true
[entryPoints.https]
address = ":443"
[entryPoints.https.forwardedHeaders]
insecure = true
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
[providers]
providersThrottleDuration = "2s"
[providers.docker]
watch = true
endpoint = "unix:///var/run/docker.sock"
[providers.file]
filename = "/rules.toml"
[log]
level = "DEBUG"
filePath = "/var/log/traefik/service.log"
[accessLog]
bufferingSize = 100
filePath = "/var/log/traefik/access.log"
[certificatesResolvers]
[certificatesResolvers.default]
[certificatesResolvers.default.acme]
email = ""
storage = "acme.json"
[certificatesResolvers.default.acme.httpChallenge]
entryPoint = "HTTP"
You placed the tls section inside the static configuration file but this section must be a part of the dynamic configuration
Read my previous message in detail
Hi,
Actually, I've updated the traefik.toml file with the tls entries. I realized that this is not the correct file in which to put the tls entry. I mapped the domain and middleware using the rules.toml file. If you share the right file, which adds the TLS entry, it will be very helpful for me.
You have to move the tls section from traefik.toml to rules.toml.
Thanks for the information.Just add the tls entry to the rules.toml file's top. Right?
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
I forget the last ], so the configuration is:
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]
Thanks @ldez The issue has been resolved.
I have to make HSTS active. The following entries have been added to the rules.toml file, however, they are not active.
traefik.frontend.headers.STSSeconds: "31536000"
traefik.frontend.headers.STSIncludeSubdomains: "true"
traefik.frontend.headers.STSPreload: "true"
Also, tried this one.
[http.middlewares]
[http.middlewares.middleware1.redirectScheme]
scheme = "https"
permanent = true
[http.middlewares.security-headers.headers]
BrowserXssFilter = true
ContentTypeNosniff = true
ForceSTSHeader = true
FrameDeny = true
SSLRedirect = true
STSIncludeSubdomains = true
STSPreload = true
STSSeconds = 315360000
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.