0fc573296d
Automatic merge from submit-queue Setting TLS1.2 minimum because TLS1.0 and TLS1.1 are vulnerable TLS1.0 is known as vulnerable since it can be downgraded to SSL https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/ TLS1.1 can be vulnerable if cipher RC4-SHA is used, and in Kubernetes it is, you can check it with ` openssl s_client -cipher RC4-SHA -connect apiserver.k8s.example.com:443 ` https://www.globalsign.com/en/blog/poodle-vulnerability-expands-beyond-sslv3-to-tls/ Test suites like Qualys are reporting this Kubernetes issue as a level 3 vulnerability, they recommend to upgrade to TLS1.2 that is not affected, quoting Qualys: ` RC4 should not be used where possible. One reason that RC4 was still being used was BEAST and Lucky13 attacks against CBC mode ciphers in SSL and TLS. However, TLSv 1.2 or later address these issues. ` |
||
|---|---|---|
| .. | ||
| options | ||
| plugins.go | ||
| server_linux.go | ||
| server_test.go | ||
| server_unsupported.go | ||
| server.go | ||