# server
o
I have a default Docker install (compose) and just updated to 0.17.1. My Nessus scanner is reporting a sweet32 vulnerability on the SSL connection on 443 since it's using 3DES encryption. I don't see any GH Issues or doc info on changing/upgrading the cipher/encryption used for that connection. Has anyone encountered the warning on a scanner and has info on resolving it? I'm not sure of any real impact here, but for a VPN server I want to try and resolve if possible. https://sweet32.info/
j
It looks like this vulnerability is a pretty low severity. It would also apply to the Caddy proxy that netmaker uses, as opposed to on Netmaker itself, so the issue would need to go on the Caddy GH if anything. However, it looks like there are some options for modifying how Caddy configures certificates: https://stanislas.blog/2018/11/improve-caddy-https-tls-configuration/
b
It probably is the default cipher selection of caddy.
It was already reported there, @orange-cartoon-10314; I don't think it needs to be reported there again.
j
based on the ticket looks like the weak ciphers should have been removed years ago...wondering why those are still popping up
b
Yeah you are right - sorry.
But I just spun up a caddy:2.6.2 container with a bare minimum config (localhost \n return "Hello World") and cannot reproduce the issue. I tested the configuration with sslscan and testssl.sh and an old-openssl 🤷‍♂️
j
good to know there isn't a new vulnerability to watch out for 😅
o
I don't think I'm using Caddy - I have Traefik - unless Caddy is running in the NM image?
might explain why the new install you spun up does not show it
j
ahh yes that would do it
o
Nessus has it as a HIGH @7.5 and it is very old (2016).
just something that seems it would be fixed by now
I'll check Traefik's issues
Ugh - Traefik seems to be more than I bargained for. Anyone have a tip on how to set the dynamic settings to set the cipher options? Not sure if I need to use a volume and yaml file on docker-compose or use a label - can't find clear docs on the label to set...
b
Don't worry, I bit into some tables with the traefik docs as well
when I used netmaker with traefik I set up my tls config all through a dynamic configuration file and mounted it into the container
o
rules.yml?
I see reference to that but no real samples only references
the docs on GH point to a GO command/config
b
ansible@wolke: sudo cat dynamic.yml

```yaml
tls:
  options:
    default:
      # TLS 1.2 cipher suites Traefik will offer on the default TLS option
      # (TLS 1.3 suites are fixed by Go's crypto/tls and not configurable here)
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  certificates:
    # first certificate
    - certFile: /ssl/fullchain.pem
      keyFile: /ssl/privkey.pem
```
```yaml
version: "3.0"
services:
  traefik:
    image: traefik:v2.9
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      # dynamic configuration (tls options + certificates); traefik.yml
      # must load it via the file provider for it to take effect
      - ./dynamic.yml:/etc/traefik/dynamic.yml
      - ./traefik.yml:/etc/traefik/traefik.yml
      - /opt/ssl/:/ssl:ro
```
o
ahh nice thank you very much - I exec'd into the container and did not see the etc/traefik dir so guess it's only there if spec'd
b
check here for the tls entrypoint
o
thanks - this should help me apply my own wildcard certs then right?
b
probably, yes
o
SSLLabs is still reporting the insecure ciphers - so not sure that worked - I'll keep reading the docs.
@brainy-tent-31736 thanks for your help. I finally found the right docker-compose settings to get things set. Now have A+ score and no more insecure ciphers.
b
🙏
🫡