Add option to set cluster TLS cipher suites.

[jefferai]

Fixes #3227

[briankassouf]

LGTM

[vishalnayak]

LGTM!

[dspit1664]

Our Nessus scan has identified ports 8000 and 8201 has allowing weak ciphers does Vault allow for us to select only more secure ?
I.e. Remove the ability to use RC4/3DES and only allow more secure ?

Here (port 25 I can handle but 8000 and 8201 I need your comment on)
42873 - SSL Medium Strength Cipher Suites Supported (42873) - Ports 25/8000/8201

[jefferai]

See the options at https://www.vaultproject.io/docs/configuration/listener/tcp.html

[dspit1664]

Ah yes thanks

[jefferai]

You aren't connecting to Vault...Vault is on port 8200 and you're nmapping port 8000.

…

On Thu, Mar 8, 2018 at 10:13 AM, dspit1664 ***@***.***> wrote: @jefferai <https://github.com/jefferai> Thanks for above - I've added the suite explicitly stating the ciphers to be used however when I use nmap still shows 1. tls 1.0 and 1.1 2. 3DES available Is there something I'm missing ? a) what does nmap still show my versions of tls1.0 and 1.1 when I explicitly state 1.2 b) I understand C is not good so why if I explicitly state the ciphers I want to use does it show ones I have not specified ? Here is my config - vault.cfg # backend "file" { # path = "/var/lib/vault" # } storage "s3" { access_key = "blahblah" secret_key = "Iamasecret" bucket = "vault-storage-staging" endpoint = "<S3 Storage>" } ##listener "tcp" { # address = "127.0.0.1:8200" # tls_disable = 1 #} disable_mlock=true # BEGIN ANSIBLE MANAGED BLOCK listener "tcp" { # address = "0.0.0.0:8201" tls_disable = false address = "127.0.0.1:8200" tls_cert_file = "/var/lib/vault/pki/root_cert.pem" tls_key_file = "/var/lib/vault/pki/root_key.pem" tls_min_version = "tls12" tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" } # END ANSIBLE MANAGED BLOCK and - my nmap response: ran nmap nmap --script ssl-enum-ciphers -p 8000 <IP removed> Starting Nmap 7.01 ( https://nmap.org ) at 2018-03-08 11:29 UTC Nmap scan report for <FQDN removed> (<IP removed>) Host is up (0.000044s latency). PORT STATE SERVICE 8000/tcp open http-alt | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | compressors: | NULL | cipher preference: server | TLSv1.1: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | compressors: | NULL | cipher preference: server | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | compressors: | NULL | cipher preference: server |_ least strength: C — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#3228 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AABv0827vVhPKs4SSb6Y4_C1wJGsXgLoks5tcUqpgaJpZM4PAH5n> .

[dspit1664]

Yes you are correct I realised that and is why I removed my post.
I was getting my Vault mixed up with my GoldFish
To clarify. We use GoldFish UI it is using 8000. I need to raise a enhancement request in GoldFish GHE which is not here :)

The remediation of the Nessus scan result for 8201 was fixed using your docs.

[petersutty]

is cluster_cipher_suites available in Vault v0.11.5 ('a59ffa4a0f09bbf198241fe6793a96722789b639') ?
I did not find cluster_cipher_suites in docs either and I can not make it work somehow, using hcl config:
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/etc/ssl/local/sy.com.crt"
tls_key_file = "/etc/ssl/local/s.com.key"
tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384"
tls_prefer_server_cipher_suites = "true"
}
storage "etcd" {
address = "http://127.0.0.1:2379"
etcd_api = "v3"
path = "vault/"
ha_enabled = "true"
}
api_addr = "https://10.99.4.62:8200"
cluster_addr = "https://10.99.4.62:8201"
cluster_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

any suggestions ?

[jefferai]

It should work. We have tests that verify it. How are you checking it?

[petersutty]

Hi Jeff, this is my config now: listener "tcp" { address = "0.0.0.0:8200" tls_cert_file = "/etc/ssl/local/s.com.crt" tls_key_file = "/etc/ssl/local/s.com.key" tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" tls_prefer_server_cipher_suites = "true" cluster_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" } storage "etcd" { address = "http://127.0.0.1:2379" etcd_api = "v3" path = "vault/" ha_enabled = "true" } api_addr = "https://10.99.4.61:8200" cluster_addr = "https://10.99.4.61:8201" and when I test, I still see TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: nmap -sV --script ssl-enum-ciphers -p 8201 spvault01 Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-22 11:18 CET Nmap scan report for spvault01 (10.99.4.61) Host is up (0.031s latency). PORT STATE SERVICE VERSION 8201/tcp open ssl/trivnet2? | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp521r1) - A | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp521r1) - A | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp521r1) - A | compressors: | NULL | cipher preference: client |_ least strength: A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 43.48 seconds

…

On Wed, Nov 21, 2018 at 3:59 PM Jeff Mitchell ***@***.***> wrote: It should work. We have tests that verify it. How are you checking it? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#3228 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADtpLeKMsz_pMMeogjZ3wki9w4wJalPwks5uxWo-gaJpZM4PAH5n> .

[petersutty]

Hi Jeff, all good here now. Thanks for support - I did not find it in the docs, that's is why I didn't put it into listner options. Regards, Peter

…

On Thu, Nov 22, 2018 at 11:23 AM Peter Sutty ***@***.***> wrote: Hi Jeff, this is my config now: listener "tcp" { address = "0.0.0.0:8200" tls_cert_file = "/etc/ssl/local/s.com.crt" tls_key_file = "/etc/ssl/local/s.com.key" tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" tls_prefer_server_cipher_suites = "true" cluster_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384" } storage "etcd" { address = "http://127.0.0.1:2379" etcd_api = "v3" path = "vault/" ha_enabled = "true" } api_addr = "https://10.99.4.61:8200" cluster_addr = "https://10.99.4.61:8201" and when I test, I still see TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: nmap -sV --script ssl-enum-ciphers -p 8201 spvault01 Starting Nmap 7.60 ( https://nmap.org ) at 2018-11-22 11:18 CET Nmap scan report for spvault01 (10.99.4.61) Host is up (0.031s latency). PORT STATE SERVICE VERSION 8201/tcp open ssl/trivnet2? | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp521r1) - A | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp521r1) - A | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp521r1) - A | compressors: | NULL | cipher preference: client |_ least strength: A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 43.48 seconds On Wed, Nov 21, 2018 at 3:59 PM Jeff Mitchell ***@***.***> wrote: > It should work. We have tests that verify it. How are you checking it? > > — > You are receiving this because you commented. > Reply to this email directly, view it on GitHub > <#3228 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/ADtpLeKMsz_pMMeogjZ3wki9w4wJalPwks5uxWo-gaJpZM4PAH5n> > . >