Nidhin
September 7, 2022, 10:50am
1
I attempted to add the cipher suites using your guidelines, but Traefik is still using the default cipher suites. In my domains, this might lead to a security problem.
64-bit block cipher 3DES vulnerable to SWEET32 attack
Forward Secrecy not supported by any cipher
ldez
September 7, 2022, 11:02am
2
Hello,
I think you are the author of these issues:
I will answer based on the content of these issues.
2022/09/06 07:43:53 command traefik error: field not found, node: cipherSuites
2022/09/06 07:44:14 command traefik error: field not found, node: minVersion
The tls section has been placed inside the static configuration file, but this section must be part of the dynamic configuration.
Also, the syntax is incomplete.
The right syntax:
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
]
Doc about cipher-suites
Nidhin
September 7, 2022, 11:10am
3
Hello, I added the same thing you described; however, the warning is still appearing.
| TLSv1.0:
|   ciphers:
|     TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|   compressors:
|     NULL
|   cipher preference: client
|   warnings:
|     64-bit block cipher 3DES vulnerable to SWEET32 attack
|     Forward Secrecy not supported by any cipher
| TLSv1.1:
|   ciphers:
|     TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|   compressors:
|     NULL
|   cipher preference: client
|   warnings:
|     64-bit block cipher 3DES vulnerable to SWEET32 attack
|     Forward Secrecy not supported by any cipher
| TLSv1.2:
|   ciphers:
|     TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|     TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|   compressors:
|     NULL
|   cipher preference: client
|   warnings:
|     64-bit block cipher 3DES vulnerable to SWEET32 attack
|     Forward Secrecy not supported by any cipher
|_  least strength: C
Could you please help me to resolve the same?
traefik.toml
[global]
sendAnonymousUsage = false
[serversTransport]
insecureSkipVerify = true
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.http.redirections.entryPoint]
to = "https"
scheme = "https"
[entryPoints.http.forwardedHeaders]
insecure = true
[entryPoints.https]
address = ":443"
[entryPoints.https.forwardedHeaders]
insecure = true
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
[providers]
providersThrottleDuration = "2s"
[providers.docker]
watch = true
endpoint = "unix:///var/run/docker.sock"
[providers.file]
filename = "/rules.toml"
[log]
level = "DEBUG"
filePath = "/var/log/traefik/service.log"
[accessLog]
bufferingSize = 100
filePath = "/var/log/traefik/access.log"
[certificatesResolvers]
[certificatesResolvers.default]
[certificatesResolvers.default.acme]
email = ""
storage = "acme.json"
[certificatesResolvers.default.acme.httpChallenge]
entryPoint = "HTTP"
ldez
September 7, 2022, 1:24pm
4
You placed the tls section inside the static configuration file, but this section must be part of the dynamic configuration.
Read my previous message in detail.
Nidhin
September 10, 2022, 5:19am
5
Hi,
Actually, I've updated the traefik.toml file with the tls entries. I realized that this is not the correct file in which to put the tls entry. I mapped the domain and middleware using the rules.toml file. If you could share the right file in which to add the TLS entry, it would be very helpful for me.
ldez
September 10, 2022, 8:41am
6
You have to move the tls section from traefik.toml to rules.toml.
Nidhin
September 11, 2022, 7:23am
7
Thanks for the information. Just add the tls entry to the top of the rules.toml file, right?
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
ldez
September 11, 2022, 8:03am
8
I forgot the last ], so the configuration is:
[tls.options.default]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]
Nidhin
September 12, 2022, 6:06am
9
Thanks @ldez, the issue has been resolved.
I have to make HSTS active. The following entries have been added to the rules.toml file; however, they are not active.
traefik.frontend.headers.STSSeconds: "31536000"
traefik.frontend.headers.STSIncludeSubdomains: "true"
traefik.frontend.headers.STSPreload: "true"
Nidhin
September 12, 2022, 6:45am
10
Also tried this one.
[http.middlewares]
[http.middlewares.middleware1.redirectScheme]
scheme = "https"
permanent = true
[http.middlewares.security-headers.headers]
BrowserXssFilter = true
ContentTypeNosniff = true
ForceSTSHeader = true
FrameDeny = true
SSLRedirect = true
STSIncludeSubdomains = true
STSPreload = true
STSSeconds = 315360000
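As an added example (my own, not code from the thread or from the Traefik project): a POSIX shell script that writes the complete dynamic configuration the replies above describe, with the [tls.options.default] table placed in rules.toml rather than traefik.toml, an HSTS headers middleware that a router actually lists, and a small checker that reads nmap ssl-enum-ciphers output and fails while TLS 1.0/1.1, static-RSA key exchange (the "Forward Secrecy not supported by any cipher" warning) or 3DES (SWEET32) is still offered. The router name app, the service name app-svc, the host example.com, the backend URL http://app:8080 and the two sample scan outputs are assumptions; the entry point https and the certificate resolver default come from the traefik.toml posted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Two pieces:
#   write_rules_toml <path>  writes a Traefik v2 *dynamic* configuration file
#   audit_ssl_enum           reads nmap --script ssl-enum-ciphers output on stdin
#                            and returns 1 when a weak protocol or suite is offered
set -u

write_rules_toml() {
  # $1 = destination path, i.e. the file named by [providers.file] filename
  # in traefik.toml. Static-file keys (entryPoints, providers, log, ...) live in
  # traefik.toml; tls, http.routers, http.middlewares, http.services live here.
  cat > "$1" <<'EOF'
# Dynamic configuration (rules.toml). A [tls.options] table in the static file
# is what produces "command traefik error: field not found, node: cipherSuites".

[tls.options.default]
  minVersion = "VersionTLS12"
  # ECDHE only: every suite has forward secrecy, no static RSA key exchange,
  # no 3DES. "default" applies to every TLS router that names no other option.
  cipherSuites = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
  ]

[http.middlewares]
  [http.middlewares.security-headers.headers]
    stsSeconds = 31536000
    stsIncludeSubdomains = true
    stsPreload = true
    forceSTSHeader = true
    contentTypeNosniff = true
    frameDeny = true

[http.routers]
  [http.routers.app]                      # assumed router name
    rule = "Host(`example.com`)"          # assumed host
    entryPoints = ["https"]               # entry point from the thread's traefik.toml
    middlewares = ["security-headers"]    # a middleware is inert until a router lists it
    service = "app-svc"
    [http.routers.app.tls]
      certResolver = "default"            # resolver from the thread's traefik.toml

[http.services]
  [http.services.app-svc.loadBalancer]    # assumed service name
    [[http.services.app-svc.loadBalancer.servers]]
      url = "http://app:8080"             # assumed backend
EOF
}

audit_ssl_enum() {
  # Returns 0 when the scan shows only TLS >= 1.2 with forward-secret suites,
  # 1 otherwise. Prints one FAIL line per offending scan line.
  rc=0
  while IFS= read -r line; do
    case "$line" in
      *"SSLv3:"*|*"TLSv1.0:"*|*"TLSv1.1:"*)
        echo "FAIL deprecated protocol offered: $line"; rc=1 ;;
      *TLS_RSA_WITH_*)
        echo "FAIL static RSA key exchange, no forward secrecy: $line"; rc=1 ;;
      *3DES*)
        echo "FAIL 64-bit block cipher (SWEET32): $line"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed samples in the shape of nmap's ssl-enum-ciphers output (not real scans).
SAMPLE_WEAK='| TLSv1.0:
|   ciphers:
|     TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
| TLSv1.2:
|   ciphers:
|     TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A'
SAMPLE_OK='| TLSv1.2:
|   ciphers:
|     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLSv1.3:
|   ciphers:
|     TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A'

if [ "${1:-}" = "demo" ]; then
  write_rules_toml /tmp/rules.toml && echo "wrote /tmp/rules.toml"
  printf '%s\n' "$SAMPLE_WEAK" | audit_ssl_enum || echo "weak configuration detected (expected)"
  printf '%s\n' "$SAMPLE_OK" | audit_ssl_enum && echo "hardened configuration passes"
fi
```

Run it as `sh rules.sh demo` to see both samples evaluated. When routers are created from Docker labels, as with the docker provider in the traefik.toml above, the file-defined middleware is referenced from the container as `traefik.http.routers.<name>.middlewares=security-headers@file`; a middleware that no router lists never touches a response, which is the usual reason HSTS "is not active". After Traefik reloads the file, re-run `nmap -p 443 --script ssl-enum-ciphers <host>` and pipe the output into `audit_ssl_enum`; TLS 1.3 suites are not configurable and are reported by nmap as TLS_AKE_* names, which the checker accepts.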
system
Closed
September 15, 2022, 6:45am
11
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.