Redis TLS Origination through the sidecar Author: Sam Stoelinga | Twitter: samosx | GitHub: samos123 Based on blog post: https://samos-it.com/posts/securing-redis-istio-tls-origniation-termination Architecture: K8s app using Redis over TLS only app-1 Namespace ms-1 K8s Pod External DB ms-2 K8s Pod ms-3 K8s Pod TLS only ● App with multiple microservices ● external Redis TLS only ● each microservice traffic Istio TLS Origination Architecture: K8s app using Redis over TLS only (TLS origination) app-1 Namespace ms-1 K8s Pod External DB container app container istio-proxy TCP TLS ● app talks

Golang to the rescue: Saving DevOps from TLS turmoil GopherCon 2017 Lightning Talk Chris Short Manager of DevOps at Bankrate Introduction Chris Short Manager of DevOps at Bankrate (http://www.bankrate derived from an opensource.com article I wrote in April 2017: Golang to the rescue: Saving DevOps from TLS turmoil (https://opensource.com/article/17/4/testing-certi�cate-chains-34-line-go-program) But Most crypto/tls The Go crypto/tls (https://golang.org/pkg/crypto/tls/) package partially implements TLS 1.2, as speci�ed in RFC 5246 (https://tools.ietf.org/html/rfc5246) Package con�gures usable SSL/TLS versions

第三届中国Rust开发者大会 简谈 Rust 与国密 TLS Introduction on Rust and SM TLS Title 王江桐 wangjiangtong@huawei.com 华为 公共开发部 嵌入式软件能力中心 就职于华为，目前正在使用 Rust 开发密码相关模块。 Rustacean 在华为。 Title 简谈 Rust 与国密 TLS Introduction on Rust Rust and Shangmi TLS 王江桐 wangjiangtong@huawei.com 华为 公共开发部 嵌入式软件能力中心 Overview of Shangmi Cryptography #1 国密算法总览 Table of Contents 目录 Use of Rust in Implementing Cryptographic Algorithms and Protocols 境外 不得使用 国密算法与协议介绍 Introduction to Shangmi Algorithms and Protocols Section #2 • 国密套件算法简介 • 国密 TLS 简介 来源：国密算法加密芯片，支持国密全套件等安全算法，http://www.bjlcs- tech.com/article/95.html 国密套件总览 List of Shangmi Cryptography

and --etcd-keyfile arguments are set as appropriate (Automated) 1.2.30 Ensure that the --tls-cert-file and --tls-private- key-file arguments are set as appropriate (Automated) 1.2.31 Ensure that the --client-ca-file Ensure that the --client-cert-auth argument is set to true (Automated) 2.3 Ensure that the --auto-tls argument is not set to true (Automated) 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments that the --peer-client-cert-auth argument is set to true (Automated) 2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated) 2.7 Ensure that a unique Certificate Authority is used for

match("--kubelet-client-certificate=.*").string' Returned Value: --kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem Audit ( --kubelet-client-key ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--kubelet-client-key=.*").string' Returned Value: --kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem Result: Pass 1.1.23 Ensure that the --service-account-lookup argument is match("--service-account-key-file=.*").string' Returned Value: --service-account-key-file=/etc/kubernetes/ssl/kube-service-account- token-key.pem Result: Pass 1.1.26 - Ensure that the --etcd-certfile and

as the first parame- ter, allowing to specify both HTTP and HTTPS protocols. As a prerequisite of SSL (HTTPS) functionality, the agent should be compiled with cURL support. Previously, only domain name various items and hosts, SNMPv3 authentication and privacy passphrases, passwords for media types; SSL key password and HTTP proxy fields used in web scenarios and HTTP items; usernames, passwords and components (server, proxy, agent, zabbix_sender and zabbix_get utilities) using Transport Layer Security (TLS) protocol. network discovery - automated discovery of network devices. low-level discovery - automated

1429533600 748791234 44 Secure connections to Zabbix database It is now possible to configure secure TLS connections to MySQL and PostgreSQL databases from: • Zabbix frontend • Zabbix server or proxy Restricting that are unavailable in the particular configuration will be disabled. For example, the Database TLS encryption checkbox cannot be checked if using MySQL and Database host is set to localhost. See Secure various items and hosts, SNMPv3 authentication and privacy passphrases, passwords for media types; SSL key password and HTTP proxy fields used in web scenarios and HTTP items; usernames, passwords and

various items and hosts, SNMPv3 authentication and privacy passphrases, passwords for media types; SSL key password and HTTP proxy fields used in web scenarios and HTTP items; usernames, passwords and components (server, proxy, agent, zabbix_sender and zabbix_get utilities) using Transport Layer Security (TLS) protocol. network discovery - automated discovery of network devices. low-level discovery - automated Setting up SSL for Zabbix frontend On RHEL/Centos, install mod_ssl package: yum install mod_ssl Create directory for SSL keys: mkdir -p /etc/httpd/ssl/private chmod 700 /etc/httpd/ssl/private Create

Autoregistration section accessible through the dropdown to the right. It is possible to select no encryption, TLS encryption with PSK authentication or both (so that some hosts may register without encryption while components (server, proxy, agent, zabbix_sender and zabbix_get utilities) using Transport Layer Security (TLS) protocol. network discovery - automated discovery of network devices. low-level discovery - automated XML XPath preprocessing. net-snmp Required for SNMP support. GnuTLS, OpenSSL, LibreSSL or mbed TLS Required when using encryption. Agent Requirement Status Description libpcre Mandatory PCRE library

as the first param- eter, allowing to specify both HTTP and HTTPS protocols. As a prerequisite of SSL (HTTPS) functionality, the agent should be compiled with cURL support. Previously, only domain name components (server, proxy, agent, zabbix_sender and zabbix_get utilities) using Transport Layer Security (TLS) protocol. network discovery - automated discovery of network devices. low-level discovery - automated Setting up SSL for Zabbix frontend On RHEL/Centos, install mod_ssl package: yum install mod_ssl Create directory for SSL keys: mkdir -p /etc/httpd/ssl/private chmod 700 /etc/httpd/ssl/private Create