Consul servers need certificates in order to communicate securely with clients and with the other servers in the cluster, which is addressed here. At times you will need to check which cipher suites a server's TLS listener accepts, for example to verify whether it is exposed to a cipher suite weakness such as SWEET32 (the birthday attack on 64-bit block ciphers like 3DES).
Using nmap to check ciphers
nmap is a general-purpose network scanner, but its ssl-enum-ciphers script can also enumerate the cipher suites a TLS listener will accept.
sudo nmap --script ssl-enum-ciphers -p 8300 <Consul server IP address>
- Port 8300 is Consul's server RPC port, the one clients and other servers use to talk to the server. nmap labels it "tmi" purely from its built-in port-name table; the label says nothing about what is actually listening there.
Output:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-02 13:17 EDT
Nmap scan report for <Consul server IP address>
Host is up (0.00049s latency).

PORT     STATE SERVICE
8300/tcp open  tmi
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
- nmap opens a series of TLS connections to the Consul server, offering a different cipher suite (and protocol version) each time. Every suite the server agrees to is listed under "ciphers:" together with nmap's letter grade for it. Here the server accepted only TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLS 1.2, because that suite is hardcoded in the config below and the server certificate has an ECDSA key. The two TLS_ECDHE_RSA_* suites in the same list can only be negotiated with an RSA certificate, so they are never offered. With a single TLS 1.2 suite nmap cannot work out which suite the server prefers, hence the "Too few ciphers supported" note. The TLS 1.3 list is unaffected: tls_cipher_suites only applies to TLS 1.2, and the TLS 1.3 suites are fixed by the TLS library.
# consul.hcl config
datacenter = "east-aws"
data_dir   = "/opt/consul"
log_level  = "INFO"
node_name  = "foobar"
server     = true
addresses = {
  https = "0.0.0.0"
}
tls {
  defaults {
    key_file  = "dc1-server-consul-0-key.pem"
    cert_file = "dc1-server-consul-0.pem"
    ca_file   = "consul-agent-ca.pem"
    tls_cipher_suites = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  }
}
The output above comes from a server with tls_cipher_suites hardcoded in its config. With no tls_cipher_suites set, the same scan looks like this:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-27 17:56 EST
Nmap scan report for <Consul server IP address>
Host is up (0.0032s latency).

PORT     STATE SERVICE
8300/tcp open  tmi
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Key exchange (secp256r1) of lower strength than certificate key
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
With nothing hardcoded, the server accepts every TLS 1.2 suite in the TLS library's default list that works with the certificate's key (an RSA 4096 key here, so the list consists of ECDHE_RSA and plain RSA suites). That default list still contains the two 3DES suites, which nmap grades C and flags for SWEET32, and the TLS_RSA_* suites, which use static RSA key exchange and give no forward secrecy. The "least strength" line reports the worst accepted suite, so it is the quickest thing to look at in a scan. The second warning only notes that the P-256 ECDHE exchange is rated below the 4096-bit RSA certificate key; it is informational, not a vulnerability. Hardcoding tls_cipher_suites as in the config above removes the weak suites from the server's offer.
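Reading a scan by eye works for one server; for a fleet it is easier to grade the output automatically. The following is an added example, not code from this article or from Consul: it reads ssl-enum-ciphers output and flags every accepted suite that is not a forward-secret AEAD suite with nmap grade A. The policy, the function names and SAMPLE_SCAN are this example's own choices; SAMPLE_SCAN is a constructed, abridged copy of the "nothing hardcoded" scan above so the check runs offline. Against a live server, pipe the scan in: sudo nmap --script ssl-enum-ciphers -p 8300 <Consul server IP address> | check_ciphers

```shell
# Added example (not from the original article or from Consul): grade the
# suites nmap's ssl-enum-ciphers reports against a strict policy that
# accepts only forward-secret AEAD suites with nmap grade A. Policy,
# function names and SAMPLE_SCAN are this example's own; SAMPLE_SCAN is a
# constructed, abridged copy of the "nothing hardcoded" scan so the check
# runs offline. Live use:
#   sudo nmap --script ssl-enum-ciphers -p 8300 <Consul server IP> | check_ciphers

SAMPLE_SCAN='PORT     STATE SERVICE
8300/tcp open  tmi
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 4096) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C'

# Read nmap output on stdin and print one line per accepted suite:
#   <protocol> <suite> <nmap grade> <ok | comma-separated reasons>
grade_suites() {
    awk '
        /^[|][ ]+(SSLv3|TLSv1\.[0-9]):/ { proto = $2; sub(":", "", proto); next }
        /^[|][ ]+TLS_.* - [A-F]$/ {
            suite = $2; grade = $NF; why = ""
            if (grade != "A")                        why = why "grade-" grade ","
            if (suite ~ /3DES|RC4|NULL|EXPORT|anon/) why = why "broken-cipher,"
            if (suite ~ /_CBC_/)                     why = why "cbc-not-aead,"
            if (suite ~ /^TLS_RSA_WITH_/)            why = why "no-forward-secrecy,"
            if (proto ~ /^(SSLv3|TLSv1\.[01])$/)     why = why "legacy-protocol,"
            sub(/,$/, "", why)
            print proto, suite, grade, (why == "" ? "ok" : why)
        }'
}

# Print the suites that violate the policy and return 1 if there are any.
check_ciphers() {
    bad=$(grade_suites | awk '$4 != "ok"')
    if [ -n "$bad" ]; then
        printf 'FAIL: suites violating policy:\n%s\n' "$bad"
        return 1
    fi
    echo "PASS: only forward-secret AEAD suites accepted"
}
```

Run against the sample, check_ciphers reports the two 3DES suites (grade C, SWEET32), the CBC suite and the static-RSA suites, and exits non-zero, which is what you want from a scheduled check; against the hardcoded config above it passes. The CBC and static-RSA rules are stricter than nmap's own grading (nmap gives those suites an A), so relax them if your policy differs.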
Nmap not returning any ciphers when ciphers are manually set in Consul
This happens when the server cannot complete a TLS handshake with any of the cipher suites nmap offers, so nothing is listed at all even though the port is reported open. One cause is a Consul certificate created with deprecated or unsupported algorithms: no suite can be negotiated with such a certificate, and the hardcoded tls_cipher_suites in the agent config make no difference because the problem is the certificate, not the suite list. The nmap output then looks like this:
sudo nmap --script ssl-enum-ciphers -p 8300 <Consul server IP address>

Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-08 11:29 EST
Nmap scan report for <Consul server IP address>
Host is up (0.00055s latency).

PORT     STATE SERVICE
8300/tcp open  tmi

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
In this scenario the Consul certificate has to be replaced with one that uses current algorithms. The Consul document mentioned earlier shows the commands that create new certificates for the environment; the file names used in the config above (consul-agent-ca.pem, dc1-server-consul-0.pem and dc1-server-consul-0-key.pem) are what consul tls ca create and consul tls cert create -server -dc dc1 produce. Before re-scanning, confirm the key and signature algorithm of the new certificate with openssl x509 -in dc1-server-consul-0.pem -noout -text. Once the new certificate is in place and the agent restarted, nmap --script ssl-enum-ciphers should list the expected non-deprecated suites again. The list of all cipher suites Consul supports is available in the TLS configuration source code.
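A related check is worth doing whenever tls_cipher_suites is hardcoded, because it explains both the single-suite scan earlier in this article and a scan that lists no TLS 1.2 suites: in TLS 1.2 a TLS_ECDHE_ECDSA_* suite can only be negotiated with an EC (ECDSA) certificate, and TLS_ECDHE_RSA_* or TLS_RSA_* suites only with an RSA certificate, so the server silently drops every configured suite that does not match its certificate key. The following is an added example, not code from this article or from Consul; the function names are its own, cert_key_algorithm assumes openssl is installed, and SUITES is a constructed copy of the value from the consul.hcl above so the check runs offline.

```shell
# Added example (not from the original article or from Consul): work out
# which hardcoded tls_cipher_suites can actually be negotiated with the
# server certificate's key. TLS 1.2 ECDHE_ECDSA suites need an EC key,
# ECDHE_RSA and static RSA suites need an RSA key. Function names are this
# example's own; cert_key_algorithm assumes openssl is on PATH. Live use:
#   check_suites_for_cert "$SUITES" "$(cert_key_algorithm dc1-server-consul-0.pem)"

# Constructed copy of the tls_cipher_suites value from the consul.hcl above.
SUITES='TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

# Print the key algorithm of a PEM certificate: RSA, EC or OTHER.
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Public Key Algorithm/ {
                 if ($0 ~ /rsaEncryption/)       print "RSA"
                 else if ($0 ~ /id-ecPublicKey/) print "EC"
                 else                            print "OTHER"
                 exit
             }'
}

# Print each suite of a comma-separated tls_cipher_suites value followed by
# "usable" or "unusable (...)" for the given certificate key algorithm.
usable_suites() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r suite; do
        [ -z "$suite" ] && continue
        case "$suite" in
            TLS_ECDHE_ECDSA_*)         need=EC ;;
            TLS_ECDHE_RSA_*|TLS_RSA_*) need=RSA ;;
            *)                         need=UNKNOWN ;;
        esac
        if [ "$need" = "$2" ]; then
            printf '%s usable\n' "$suite"
        else
            printf '%s unusable (needs %s key, certificate key is %s)\n' "$suite" "$need" "$2"
        fi
    done
}

# Print the per-suite verdicts; return 0 if at least one configured suite
# works with the certificate key, 1 if none does (no TLS 1.2 suite to offer).
check_suites_for_cert() {
    n=$(usable_suites "$1" "$2" | grep -c ' usable$' || true)
    usable_suites "$1" "$2"
    [ "$n" -gt 0 ]
}
```

For the config in this article with its ECDSA certificate, only the first suite is usable, which is exactly what the first scan showed; the two ECDHE_RSA entries are dead configuration until an RSA certificate is installed. Note that tls_cipher_suites never touches TLS 1.3, so a scan that shows no TLS 1.3 suites either, like the empty output above, is failing for a reason this check cannot see; in that case inspect the certificate itself and the server's log for TLS handshake errors.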
Nmap not returning any ciphers when there aren't hardcoded ciphers in Consul
This happens when the Consul configuration gives the RPC listener no usable TLS material: ca_file, cert_file or key_file is missing from the config, or one of them does not point at the actual certificate or key file. A server configured that way offers no TLS on port 8300, so there is nothing for nmap to enumerate. Make sure all three fields are set, prefer absolute paths so there is no ambiguity about where the files are looked up, run consul validate against the config directory to catch configuration mistakes, and check the agent's log after a restart, where a file that cannot be loaded shows up as a TLS error.