Vault 0.9.1 Cluster Cipher Suites


Destiny Harrell

Mar 27, 2019, 11:03:57 AM
to Vault
Hi! I have a Vault cluster running version 0.9.1. I am trying to restrict the cipher suite to a subset of the available ciphers for both the client listener and the cluster listener.
I see the client listener options in the documentation and I was able to get that to work: https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_cipher_suites
But I don't see anything in the documentation for the cluster listener. This GitHub pull request, merged in 0.8.2, makes it seem like this should work: https://github.com/hashicorp/vault/pull/3228
Any help here would be amazing!

My HCL file looks like:

backend "consul" {
  address = "localhost:8501"
  scheme = "https"
  advertise_addr = "https://10.104.16.78:8200/"
  path = "vault/"
  token = "<REDACTED>"
  service_tags = "https"
  tls_ca_file = "/test/ca-bundle.pem"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/test/vault/vault.crt"
  tls_key_file = "/test/vault/vault.key"
  tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
}

cluster_cipher_suites = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
max_lease_ttl = "175200h"
disable_mlock = true

I am using the testssl.sh tool (https://testssl.sh/) to test this.

I was able to successfully restrict the cipher suite on the client listener: [screenshot Capture.PNG, testssl.sh output before] became [screenshot Capture3.PNG, testssl.sh output after].
But the cluster listener settings didn't seem to work: [screenshot Capture2.PNG, testssl.sh output before] still looks like [screenshot Capture4.PNG, testssl.sh output after].

Jeff Mitchell

Mar 29, 2019, 10:37:31 PM
to Vault
Hi there,

Can you run your test using an ALPN of req_fw_sb-act_v1?

Thanks,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/01110e37-2203-497f-9f6c-eadbeed89dd2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Destiny Harrell

Mar 29, 2019, 11:08:09 PM
to Vault
Thank you for the response Jeff.
Unfortunately, I do not understand your question.
To run the test using an ALPN of req_fw_sb-act_v1, should I add/change a setting in the vault.hcl file?
Or are you asking me to use a different tool to run the test?

Jeff Mitchell

Apr 6, 2019, 1:37:53 PM
to Vault
Hi there,

ALPN is a TLS extension that allows for protocol selection during the TLS handshake. We use a custom ALPN for our cluster connections because they can operate in various modes -- this lets us reuse the cluster port for many different types of connections without having to either run a custom protocol to wrap the underlying type or use different listeners/ports. Depending on the ALPN used, we customize the cipher suite. So what's likely happening is that your tool is not using the right ALPN, so it's making a connection using Go's default ciphers, the result of which will be an error -- this connection is useless, from a Vault perspective, because Vault will not do anything over the cluster port without the right ALPN. An actual cluster connection using the right ALPN should have the configured cipher suite.

Best,
Jeff

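The following is an added example written for this thread; it is not Vault's code and not part of any message above. It reproduces the behaviour Jeff describes with a small Go TLS listener: the restricted cipher-suite list is applied only when the ClientHello carries the cluster ALPN (req_fw_sb-act_v1, the value named in the thread), and any other handshake is answered with Go's default suites. The suite list mirrors the cluster_cipher_suites value from the posted HCL; the self-signed certificate, the loopback listener and the three probes are constructed for the demo. The example uses a GetConfigForClient callback to model the ALPN-dependent selection; that is an assumption about how such a listener can be built, not a statement about Vault 0.9.1's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ClusterALPN is the ALPN protocol name given in the thread for Vault's cluster port.
const ClusterALPN = "req_fw_sb-act_v1"

// allowedClusterSuites mirrors the cluster_cipher_suites value from the posted HCL.
var allowedClusterSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}

// selfSignedCert builds a throwaway ECDSA certificate for the local demo listener.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-cluster-port"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serverConfig restricts the suite list only for handshakes offering the cluster ALPN
// (assumed model of the behaviour described in the thread). Any other ClientHello,
// such as a scanner that sends no ALPN, is answered with Go's default suites.
func serverConfig(cert tls.Certificate) *tls.Config {
	base := &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   []string{ClusterALPN},
		MaxVersion:   tls.VersionTLS12, // Go ignores CipherSuites for TLS 1.3
	}
	base.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		for _, proto := range hello.SupportedProtos {
			if proto == ClusterALPN {
				restricted := base.Clone()
				restricted.CipherSuites = allowedClusterSuites
				return restricted, nil
			}
		}
		return nil, nil // nil keeps the base (default-suite) config
	}
	return base
}

// StartServer listens on a random loopback port and completes handshakes in the background.
func StartServer() (string, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverConfig(cert))
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// Handshake failures are reported to the client as TLS alerts.
			go func() { defer c.Close(); _ = c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln.Addr().String(), nil
}

// Probe dials addr offering exactly the given suites, with or without the cluster ALPN,
// and returns the negotiated suite name or the handshake error.
func Probe(addr string, withALPN bool, offer []uint16) (string, error) {
	cfg := &tls.Config{
		InsecureSkipVerify: true, // demo only: the server cert is self-signed
		MaxVersion:         tls.VersionTLS12,
		CipherSuites:       offer,
	}
	if withALPN {
		cfg.NextProtos = []string{ClusterALPN}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

func main() {
	addr, err := StartServer()
	if err != nil {
		panic(err)
	}
	chacha := []uint16{tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256}
	aes256 := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}
	for _, c := range []struct {
		name  string
		alpn  bool
		offer []uint16
	}{
		{"no ALPN, ChaCha20 only", false, chacha}, // accepted: default suites apply
		{"ALPN, ChaCha20 only", true, chacha},     // rejected: not in the cluster list
		{"ALPN, AES-256-GCM only", true, aes256},  // accepted with the configured suite
	} {
		suite, err := Probe(addr, c.alpn, c.offer)
		fmt.Printf("%-24s suite=%q err=%v\n", c.name, suite, err)
	}
}
```

The first probe is what a scanner that does not send the ALPN sees: a handshake that succeeds with a suite outside the configured list, which is the result the original poster observed. The second and third probes show the restriction taking effect once the ALPN is present. Against a real cluster port the same check can be run with `openssl s_client -connect <host>:<cluster_port> -alpn req_fw_sb-act_v1` and reading the negotiated cipher from its output.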

Destiny Harrell

May 15, 2019, 1:01:55 PM
to Vault
I know that it has been a while since I responded to this thread. We have been working to try to specify the ALPN on our testing tool, but have not had any luck. Is there any way to have that port support a subset of ciphers regardless of whether an ALPN is provided or not?


Jeff Mitchell

May 20, 2019, 10:02:11 AM
to Vault
Hi Destiny,

Unfortunately, I don't think we'll make that change. Given that there is no security issue here (the cluster port isn't used for anything without an ALPN selecting the protocol and then cipher suites), this becomes too much of a single-purpose change that doesn't have any applicability outside of your specific testing tool -- and if your testing tool is updated to support selecting ALPN, then it won't be applicable to you any more either.

Best,
Jeff