[PMM-8468] Forbid the use of outdated ciphers for HTTPS protocol on exporters - Percona JIRA

XML

Word

Printable

Details

Type: Improvement
Status: Done
Priority: Medium
Resolution: Fixed
Affects Version/s: 2.15.1
Fix Version/s: 2.20.0
Component/s: PMM Client, PMM Server
Labels:
- security

Story Points:
1
Needs Review:
Yes
Needs QA:
Yes
Needs Doc:
Yes
Platform Team:
C/S Core

Description

Apparently the CBC cipher is considered vulnerable to LUCKY13 attack.

PMM is 2.15.1, deployed on Docker.

Suggested implementation:

Remove CBC ciphers from https://github.com/percona/exporter_shared/blob/master/server.go#L107

Update and then release all exporters which uses exporter_shared library.

}}{{CipherSuites: []uint16{
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
            tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
            tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
        },

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Corrado Pandiani

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 20/Jul/21 7:46 PM

Updated:: 07/Aug/21 11:56 AM

Resolved:: 20/Jul/21 7:47 PM