dex/cmd at c41035732f9622dfc004341fe20f19e2e4ec132c - mystiq/dex

This repository has been archived on 2022-08-17. You can view files and clone it, but cannot push or open issues or pull requests.

History

Steven Danna 46f48b33a1 Use a more conservative set of CipherSuites The default cipher suites used by Go include a number of ciphers that have known weaknesses. In addition to leaving users open to these weaknesses, the inclusion of these weaker ciphers causes problems with various automated scanning tools. This PR disables the CBC-mode, RC4, and 3DES ciphers included in the Go standard library by passing an explicit cipher suite list. The ciphers included here are more line with those recommended by Mozilla for "Intermediate" compatibility. [0] Performance Implications The Go standard library does capability-based cipher ordering, preferring AES ciphers if the underlying hardware has AES specific instructions. [1] Since all of the relevant code is internal modules, to do the same thing ourselves would require duplicating that code. Here, I've placed AES based ciphers first. Compatibility Implications This does reduce the number of clients who will be able to communicate with dex. [0] https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate&hsts=false&ocsp=false [1] `a8c2e5c6ad/src/crypto/tls/common.go (L1091)` Signed-off-by: Steven Danna <steve@chef.io>	2019-08-31 17:34:55 +01:00
..
dex	Use a more conservative set of CipherSuites	2019-08-31 17:34:55 +01:00
example-app	cmd/example-app: check all errors, pass claims as string to renderToken	2019-07-24 12:26:51 +02:00

Steven Danna 46f48b33a1

Use a more conservative set of CipherSuites

The default cipher suites used by Go include a number of ciphers that
have known weaknesses. In addition to leaving users open to these
weaknesses, the inclusion of these weaker ciphers causes problems with
various automated scanning tools.

This PR disables the CBC-mode, RC4, and 3DES ciphers included in the
Go standard library by passing an explicit cipher suite list.

The ciphers included here are more line with those recommended by
Mozilla for "Intermediate" compatibility. [0]

*Performance Implications*

The Go standard library does capability-based cipher ordering,
preferring AES ciphers if the underlying hardware has AES specific
instructions. [1] Since all of the relevant code is internal modules,
to do the same thing ourselves would require duplicating that
code. Here, I've placed AES based ciphers first.

*Compatibility Implications*

This does reduce the number of clients who will be able to communicate
with dex.

[0] https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate&hsts=false&ocsp=false
[1] a8c2e5c6ad/src/crypto/tls/common.go (L1091)

Signed-off-by: Steven Danna <steve@chef.io>

2019-08-31 17:34:55 +01:00

dex Use a more conservative set of CipherSuites 2019-08-31 17:34:55 +01:00

example-app cmd/example-app: check all errors, pass claims as string to renderToken 2019-07-24 12:26:51 +02:00