How to disable two cipherSuites and TLS 1.1 without breaking gRPC

I'm trying to disable the TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suites.
I came across https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/user-guides/crd-acme/05-tlsoption.yml
but if I use this, gRPC stops working, so I've been playing around with different "cipher"s ... I've been unable to find a complete list of ciphers supported by Traefik, so I tested things that "looked" like a correct cipher, but without any luck.

So this is how far I got, but no luck getting gRPC to work:

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default
spec:
  minVersion: VersionTLS12
  cipherSuites:
  # gRPC uses: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
  # ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 is specifically mentioned in many places
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
    - TLS_AES_256_GCM_SHA384                  # TLS 1.3
    - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3

    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    - TLS_RSA_WITH_AES_256_GCM_SHA384

  # Using any of these will instantly "crash" Traefik with errors about this being an invalid cipher suite
  #   # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384
  #   # - ECDHE-RSA-AES128-GCM-SHA256
  #   # - ECDHE-RSA-AES256-GCM-SHA384
  #   # - ECDHE-RSA-CHACHA20-POLY1305
  #   # - ECDHE-RSA-AES128-SHA
  #   # - ECDHE-RSA-AES256-SHA
  #   # - AES128-GCM-SHA256
  #   # - AES256-GCM-SHA384
  #   # - AES128-SHA
  #   # - AES256-SHA
  curvePreferences:
    - CurveP521
    - CurveP384
  alpnProtocols:
    - http/1.1
    - h2
  sniStrict: true

If I simply use

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default
spec:
  minVersion: VersionTLS12

then gRPC works, but TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA are still enabled and therefore vulnerable to SWEET32.

Does anyone have a working kind: TLSOption that disables TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA but still allows gRPC traffic?

1 Like

Maybe check in the Traefik TLS cipher source code.

1 Like

Perfect, thank you ... not sure why Google wouldn't lead me there.

Hmm, still no luck ... I added all ciphers and it still does not work; gRPC still fails with

E0221 21:22:33.338520282  358566 ssl_transport_security.cc:1501]       Handshake failed with fatal error SSL_ERROR_SSL: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE.

but if I leave out "cipherSuites" from below, it works ... but then the bad ciphers are also active

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default
spec:
#  minVersion: VersionTLS12
  cipherSuites:
  # gRPC uses: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
  # ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 is specifically mentioned in many places
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
    - TLS_AES_256_GCM_SHA384                  # TLS 1.3
    - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3

    - TLS_RSA_WITH_RC4_128_SHA
    - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    - TLS_RSA_WITH_AES_128_CBC_SHA
    - TLS_RSA_WITH_AES_256_CBC_SHA
    - TLS_RSA_WITH_AES_128_CBC_SHA256
    - TLS_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    - TLS_ECDHE_RSA_WITH_RC4_128_SHA
    - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
    - TLS_FALLBACK_SCSV

  curvePreferences:
    - CurveP521
    - CurveP384
  alpnProtocols:
    - http/1.1
    - h2
  sniStrict: true

After trying a ton of combinations, I finally made it work ...
The documentation on this sucks big time ...

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default
spec:
  minVersion: VersionTLS12
  cipherSuites:
  # gRPC uses: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
  # ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 is specifically mentioned in many places
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
    - TLS_AES_256_GCM_SHA384                  # TLS 1.3
    - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3

    # - TLS_RSA_WITH_RC4_128_SHA              # TLS 1.0 / TLS 1.1 / TLS 1.2 / INSECURE
    # - TLS_RSA_WITH_3DES_EDE_CBC_SHA         # SWEET32 
    # - TLS_RSA_WITH_AES_128_CBC_SHA          # TLS 1.0 / TLS 1.1 / TLS 1.2 / weak
    # - TLS_RSA_WITH_AES_256_CBC_SHA          # TLS 1.0 / TLS 1.1 / TLS 1.2 / weak
    # - TLS_RSA_WITH_AES_128_CBC_SHA256       # TLS 1.0 / TLS 1.1 / TLS 1.2 / weak
    # - TLS_RSA_WITH_AES_128_GCM_SHA256         # TLS 1.2 / Weak
    # - TLS_RSA_WITH_AES_256_GCM_SHA384         # TLS 1.2 / Weak
    # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA      # weak
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # - TLS_ECDHE_RSA_WITH_RC4_128_SHA         # TLS 1.0 / TLS 1.1 / TLS 1.2 / INSECURE
    # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA    # SWEET32 
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     # TLS 1.0 / TLS 1.1 / TLS 1.2
    # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA     # TLS 1.0 / TLS 1.1 / TLS 1.2
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  # TLS 1.0 / TLS 1.1 / TLS 1.2 / weak
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    # TLS 1.2
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 # TLS 1.2
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
    - TLS_FALLBACK_SCSV

  # curvePreferences:
  #   - CurveP521
  #   - CurveP384
  alpnProtocols:
    - http/1.1
    - h2
  # sniStrict: true
1 Like
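Traefik is a Go program and its TLSOption is handed to Go's crypto/tls, so the quickest way to find out what a given cipherSuites/curvePreferences combination will actually do, before pushing it at a cluster, is to build the same tls.Config locally and probe it. The following is an added example written for this thread; it is not Traefik's code and not the poster's config. It builds a throw-away RSA-certificate server from a TLSOption-style list of names (the names are the Go/IANA ones, which is why the OpenSSL-style names in the first post were rejected as invalid), then dials it with a client pinned to TLS 1.2 that offers only the suites the post says gRPC uses, and again with only the two SWEET32 suites. The suite lists, the hardened list and the "localhost" server are all constructed for the demonstration. Three caveats the code encodes: Go never restricts TLS 1.3 suites, so the TLS_AES_* and TLS_CHACHA20_POLY1305_SHA256 entries in a cipherSuites list are accepted but inert, and a probe that is not pinned to 1.2 will negotiate 1.3 and tell you nothing about the 1.2 list; curvePreferences limited to P-521/P-384, as in the first two configs, makes the server fail the handshake for any client that offers only X25519/P-256 for ECDHE no matter how correct the cipher list is; and sniStrict: true rejects clients that send no SNI at all. The final config also keeps TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, which Go itself reports under tls.InsecureCipherSuites(); the hardened list below drops every CBC, RC4, 3DES and RSA-key-exchange suite and keeps exactly the ECDHE+AEAD ones gRPC offers.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
)

// suiteIDs resolves cipher suite names as written in a TLSOption (Go/IANA names; OpenSSL names such as
// ECDHE-RSA-AES128-GCM-SHA256 are rejected) to crypto/tls IDs, failing on any unknown name. It approximates
// Traefik's own table, which additionally knows aliases such as TLS_FALLBACK_SCSV.
func suiteIDs(names []string) ([]uint16, error) {
	byName := map[string]uint16{}
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		byName[s.Name] = s.ID
	}
	ids := make([]uint16, 0, len(names))
	for _, n := range names {
		id, ok := byName[n]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %q", n)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// serve starts a loopback TLS server equivalent to a TLSOption with minVersion: VersionTLS12 and the given
// cipherSuites and curvePreferences, behind a throw-away self-signed RSA certificate (so only *_RSA_* suites
// can be negotiated, as with an RSA Let's Encrypt certificate). It returns the address and a stop function.
func serve(names []string, curves []tls.CurveID) (string, func(), error) {
	ids, err := suiteIDs(names)
	if err != nil {
		return "", nil, err
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)} // validity is not checked by the probe
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12, CurvePreferences: curves,
		CipherSuites: ids, // TLS 1.3 names are accepted here, but Go never restricts TLS 1.3 suites
	})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake() // a failure reaches the client as a handshake_failure alert
			c.Close()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// probe connects to addr as a TLS 1.2-only client offering just the given suites (and, when curves is
// non-nil, just those ECDHE groups) and returns the negotiated suite or the handshake error. Pinning 1.2
// matters: a client that also speaks TLS 1.3 negotiates 1.3 and never exercises the cipherSuites list.
// Against a real endpoint pass its hostname as serverName; Traefik's sniStrict rejects clients without SNI.
func probe(addr, serverName string, suites []uint16, curves []tls.CurveID) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         serverName,
		InsecureSkipVerify: true, // self-signed test certificate; only negotiation is under test
		MinVersion:         tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CipherSuites:       suites, CurvePreferences: curves,
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

// Constructed lists: what the original post says gRPC offers, the two SWEET32 suites, and a hardened
// cipherSuites list for a TLSOption (ECDHE key exchange and AEAD ciphers only; no 3DES, RC4, CBC or RSA-kex).
var (
	grpcSuites = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}
	sweet32Suites = []uint16{tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}
	hardenedNames = []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"}
)

func main() {
	addr, _, err := serve(hardenedNames, nil) // the listener lives until the process exits
	if err != nil {
		panic(err)
	}
	for label, suites := range map[string][]uint16{"gRPC": grpcSuites, "3DES": sweet32Suites} {
		got, err := probe(addr, "localhost", suites, nil)
		fmt.Printf("%s suites: negotiated=%q err=%v\n", label, got, err)
	}
}
```

To check a deployed Traefik instead of the local server, call probe with the router's host:port and hostname and the two sweet32Suites entries: an error back is the result you want, and the same call with grpcSuites must still return an ECDHE AES-GCM suite. Running suiteIDs over a candidate cipherSuites list before applying the TLSOption catches the "invalid cipher suite" names that crashed Traefik in the first post.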
