feat: allow the use of insecure cipher suites if configured by user #492
Conversation
rsdmike
changed the title
| @@ -127,6 +127,13 @@ func NewWsman(cp Parameters) *Target { | |||
| config = res.tlsConfig | |||
| } else { | |||
| config = &tls.Config{InsecureSkipVerify: cp.SelfSignedAllowed} | |||
| if cp.AllowInsecureCipherSuites { | |||
There was a problem hiding this comment.
Could you please update the TLS version to VersionTLS12 and use a more specific list of insecure ciphers instead of tls.InsecureCipherSuites()?
I've tested these changes on AMT v12.0.92.2145 and v11.8.86, and they work as expected. Here's the updated code for reference:
if cp.AllowInsecureCipherSuites {
config.MinVersion = tls.VersionTLS12
for _, suite := range tls.CipherSuites() {
config.CipherSuites = append(config.CipherSuites, suite.ID)
}
// add specific insecure ciphers
insecureCiphers := []uint16{
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
}
config.CipherSuites = append(config.CipherSuites, insecureCiphers...)
}
There was a problem hiding this comment.
it didn't work with insecure ciphers? Those three are listed in the list: https://cs.opensource.google/go/go/+/refs/tags/go1.24.1:src/crypto/tls/cipher_suites.go;l=80
There was a problem hiding this comment.
It does work, but I noticed that legacy AMT versions only support these specific ciphers. The trade-off is between limiting insecure ciphers for compatibility versus your approach of adding all insecure ciphers, which reduces maintenance if a cipher is marked as insecure in the future.
I'm okay with adding all the insecure ciphers. Let me know your thoughts!
rsdmike
force-pushed
the
insecure
branch
2 times, most recently
from
3924259 to
73a56c6
Compare
if configured by user to support older devices. addresses device-management-toolkit/console#445
feat: allow the use of insecure cipher suits if configured by user to support older devices.
addresses device-management-toolkit/console#445