Skip to content
This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Remove weak cipher DHE-RSA-AES128-SHA #103

Merged
merged 1 commit into from
Jan 23, 2017
Merged

Remove weak cipher DHE-RSA-AES128-SHA #103

merged 1 commit into from
Jan 23, 2017

Conversation

basgys
Copy link

@basgys basgys commented Aug 19, 2016

I noticed that this docker image is shipped with a weak cipher "DHE-RSA-AES128-SHA" (aka TLS_DHE_RSA_WITH_AES_128_CBC_SHA). That lower the grade to B on https://www.ssllabs.com/ssltest, which would be A otherwise.

Is there a good reason to keep it?

@PuKoren
Copy link
Contributor

PuKoren commented Aug 29, 2016
edited
Loading

I guess some old Android phones requires it: https://developer.android.com/reference/javax/net/ssl/SSLEngine.html

I think settings are good this way, having a better compatibility using defaults, since you can override it using ENV if you want better security at the price of users not being able to load your website

@basgys
Copy link
Author

basgys commented Aug 31, 2016
edited
Loading

@PuKoren Indeed, old devices require it. However, shouldn't this image be safe rather than backward compatible with very old OS? As you said, ENV variable can override it anyway, so wouldn't it be better for docker images to have a white list approach rather than blacklist? Because people who use images trust the authors to make it as secure as possible.

It is a matter of philosophy, so I can accept to have my PR rejected. At least I'd have raised this issue. :)

@PuKoren
Copy link
Contributor

PuKoren commented Sep 1, 2016

@basgys you are right it's a good point and it should be noted in the README so everyone can be aware of it. Providing a sample in the README to be secure or compatible would be a nice addition to your PR imo.

I have no opinion personally as long as it is documented (and I am also not a maintainer, I was raising my opinion as a heavy user of this container, I would be surprised to have compat broken over an update)

@basgys
Copy link
Author

basgys commented Sep 1, 2016

@PuKoren That is not really breaking backward compatibility, because the behaviour remains the same. It can be seen as a security update.

I'd be happy to add a note on the README if maintainers like the idea.

@LoungeFlyZ
Copy link

I am surprised this cipher is enabled by default honestly. We have been running it for a number of months without realizing and when I found out a couple of days ago we certainly removed it as soon as possible.

I would certainly vote for secure by default. Even at the expense of a possible compat issue vs. an older release.

@tifayuki tifayuki changed the base branch from master to staging January 23, 2017 23:10
@tifayuki tifayuki merged commit 094b550 into docker-archive:staging Jan 23, 2017
@tifayuki
Copy link
Contributor

Merged into staging.

Thank you:)

tifayuki pushed a commit that referenced this pull request Feb 15, 2017
v1.6.3 (#166)
0014a80 
* Adds option for turning off basic auth for selected services (#154)

* Allow a service to be configured as failover for another service in the same backend (#120)

* Added support for hot-failover mode

* Updated README

* Add ability to pass hashed password credentials to HAproxy. (#107)

* Remove DHE-RSA-AES128-SHA from SSL_BIND_CIPHERS (#103)

* fixed tests error by PRs

* do not return haproxy ingress network (#160)

* fix the error introduced by EXCLUDE_BASIC_AUTH

* bump version
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@basgys @PuKoren @LoungeFlyZ @tifayuki