
Two risky cryptographic algorithms found #508

Closed
Charles1000Chen opened this issue Apr 30, 2024 · 4 comments · Fixed by #551

Comments

@Charles1000Chen (Contributor)

Describe the bug

The zhmc prometheus exporter should not support any risky cryptographic algorithms.

Expected behavior
The two test items should be "OK" in the testssl.sh test result.

To Reproduce
Test with testssl.sh; it will report the two issues in its test result.

Environment information

  • Output of zhmc_prometheus_exporter --version:
  • HMC version:

Command output

{
    "id"           : "cipher-tls1_2_xc028",
    "severity"     : "LOW",
    "finding"      : "TLSv1.2   xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
},{
    "id"           : "cipher-tls1_2_xc027",
    "severity"     : "LOW",
    "finding"      : "TLSv1.2   xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
}


@andy-maier (Member)

andy-maier commented May 31, 2024

Mu Chen, I assume this is on the Prometheus port of the exporter.

Can you please send me via Slack the credential files you used in the prometheus section of the exporter's credentials file?

@andy-maier (Member)

For info, this may be how to set ciphers: https://stackoverflow.com/a/34799338/1424462
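One way to drop the two reported CBC suites from a Python TLS server, along the lines of the linked Stack Overflow answer. This is an added example, not the exporter's own code; the cipher list and helper names are assumptions, and the two flagged suite names are the OpenSSL names from the testssl.sh output above.

```python
"""Restrict a Python server-side SSLContext to AEAD cipher suites.

Added example for this issue; not part of zhmc_prometheus_exporter.
The two suites testssl.sh flagged are TLS 1.2 CBC suites; once the
context only offers AEAD suites, they can no longer be negotiated.
"""
import ssl

# OpenSSL names of the two suites from the testssl.sh report above.
FLAGGED = {"ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256"}

# AEAD-only TLS 1.2 list (assumed choice): ECDHE key exchange with
# AES-GCM or ChaCha20-Poly1305. TLS 1.3 suites are managed separately
# by OpenSSL and are all AEAD, so they are unaffected by this list.
AEAD_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
])


def make_server_context(ciphers=AEAD_CIPHERS):
    """Server context with TLS >= 1.2 and only the given cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)  # raises ssl.SSLError if nothing matches
    return ctx


def enabled_cipher_names(ctx):
    """Names of all suites the context would offer, as OpenSSL reports them."""
    return [c["name"] for c in ctx.get_ciphers()]


def non_aead_ciphers(ctx):
    """Enabled suites that are not AEAD, i.e. the CBC (HMAC) suites."""
    return [c["name"] for c in ctx.get_ciphers()
            if not c.get("aead", "Mac=AEAD" in c["description"])]


def flagged_ciphers(ctx):
    """Which of the two testssl.sh-flagged suites the context still offers."""
    return sorted(FLAGGED & set(enabled_cipher_names(ctx)))


if __name__ == "__main__":
    default = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("default context, flagged suites offered:", flagged_ciphers(default))
    hardened = make_server_context()
    print("hardened context, flagged suites offered:", flagged_ciphers(hardened))
    print("hardened context, non-AEAD suites:", non_aead_ciphers(hardened))
```

Running the script shows which of the two suites the interpreter's default server context still offers, and confirms the hardened context offers neither.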

@andy-maier (Member)

The two ciphers are CBC ciphers that are reported by testssl.sh:

LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches

This was on macOS with:

  • Python 3.12.3
  • OpenSSL 3.3.0
  • testssl.sh 3.0.8

@andy-maier (Member)

Solved with PR #551.
