Disable TLS 1.0 for engine

(Chris Jones) #1

In a routine vulnerability scan I noticed that the TLS port 2375 supports TLS 1.0, which is a security concern. I couldn't see a way to specifically configure a TLS version in dockercloud-agent.conf.

The PCI (Payment Card Industry) Data Security Standard requires a minimum of TLS v1.1 and recommends TLS v1.2. In addition, FIPS 140-2 standard requires a minimum of TLS v1.1 and recommends TLS v1.2.

I wonder if this is no longer the case in newer versions of the engine. Docker Cloud Agent is still Docker 1.9.1, which is 8 months old!

(Chris Jones) #2

Does anybody else have a problem with using a vulnerable encryption standard on a public-facing port?

(Joseph Pippin) #3

We are having this issue as well. We are in the PCI space and this is a show stopper for us. As of CE version 18.01, the daemon is still vulnerable to TLS 1.0 and 1.1.

Is there any update on this?

Issue type: Security vulnerability
OS Version/build: Red Hat 7.4
App version: Docker CE 18.01
Steps to reproduce: Issue a scan of the docker system and it reports vulnerable for TLS 1.0 and 1.1 on port 2376.
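The check the scanners in this thread perform, and the verification a team would run after hardening a daemon, can be reproduced with a short probe. The following is an added example, not code from the thread or from Docker itself; it is written in Go because that is the language the daemon and its TLS stack are built in, and Go's `tls.Config.MinVersion` is the setting that decides which protocol versions a listener will negotiate. The `Serve` and `Probe` helpers, the loopback listeners and the self-signed certificate are constructed for the demonstration; the example does not model Docker's own daemon flags.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Protocol versions a scanner would offer, oldest first, with report names.
var versions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}
var names = map[uint16]string{tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1",
	tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}

// AcceptsVersion does what a vulnerability scanner does for one version: offer
// exactly that version to addr and report whether the handshake completes.
// Certificate verification is skipped because only the negotiated version matters.
func AcceptsVersion(addr string, version uint16) bool {
	dialer := &net.Dialer{Timeout: 3 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, &tls.Config{
		MinVersion:         version,
		MaxVersion:         version,
		InsecureSkipVerify: true, // probe only; a real client must verify the daemon cert
	})
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Probe returns every protocol version the server at addr will negotiate.
func Probe(addr string) map[uint16]bool {
	accepted := make(map[uint16]bool)
	for _, v := range versions {
		accepted[v] = AcceptsVersion(addr, v)
	}
	return accepted
}

// selfSignedCert creates a throwaway ECDSA certificate (constructed for the demo)
// so the listeners below run offline.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-daemon"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Serve starts a TLS listener on a random loopback port that refuses anything
// older than minVersion. It returns the address and a function that stops it.
func Serve(minVersion uint16) (string, func(), error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVersion, // the setting that closes the scan finding
	})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener stopped
			}
			// Finish the handshake so the probe learns the outcome, then hang up.
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func main() {
	// Legacy listener accepts TLS 1.0/1.1 (the finding); hardened one requires TLS 1.2.
	for _, cfg := range []struct {
		label string
		min   uint16
	}{{"legacy daemon", tls.VersionTLS10}, {"hardened daemon", tls.VersionTLS12}} {
		addr, stop, err := Serve(cfg.min)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s (%s):\n", cfg.label, addr)
		for v, ok := range Probe(addr) {
			fmt.Printf("  %s accepted=%v\n", names[v], ok)
		}
		stop()
	}
}
```

Run against a real daemon, only `Probe` is needed: point it at the host and port the scanner reported and confirm that TLS 1.0 and 1.1 come back `false` after the change, and that TLS 1.2 still completes so existing clients keep working. A listener answering `true` for TLS 1.0 is exactly what the scans in this thread flagged.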